When word of a large data breach gets out, the victimized company can expect consequences ranging from direct financial costs to reputational damage. Fear of such repercussions may be causing businesses to withhold information that could help the industry as a whole fight back, agreed panelists at the Visa Security Summit in Washington.
Organizations need to be able to share concerns without fear of reprisal, says Gartner analyst Avivah Litan. One example of such information sharing has occurred in the financial industry, she says. Since 1999, the Financial Service Information Sharing and Analysis Center (FS-ISAC) has allowed financial executives to confidentially share concerns and data about physical and cybersecurity threats. The body, created in response to a 1998 Presidential Directive on information sharing and cybersecurity, has helped reduce malware attacks and fraud as well as capture some criminals, says Litan.
Now the industry has formed an FS-ISAC subgroup, focusing on the payment card part of the business. The new group, the Payments Processing Information Sharing Council, represents the first time payment industry executives will be able to share information confidentially, said Robert Carr, president of Princeton, New Jersey-based Heartland Payment Systems, in a press release. Carr helped spearhead the group, which will require participants to sign a nondisclosure agreement.
Heartland has been proactive in taking the lead on new anticrime efforts since it suffered its own major data breach early in 2008. The group’s creation may be about “doing the right thing” as a “competitive move,” says Litan.
The lack of information sharing on cybercrime also makes it difficult for law enforcement to assess the size of the problem. There is a lack of data on crime frequency and methods, said Mark Grantz, a U.S. Secret Service special agent at the event. Other issues that make cybercrime difficult to combat have to do with the global and nonphysical nature of the Internet, which allows criminals to operate from anywhere.
Many criminals operate from protected regions. “If you’re dumb, you rob a few banks and maybe get $7,000,” said James Lewis, director and senior fellow at the Washington-based Center for Strategic and International Studies. “If you’re smarter, you do it [virtually from] the former Soviet Union. You never get caught and make a six figure income.”
Given that threatscape, said Grantz, “You’re just as likely to get ripped off by some kid in Ukraine as someone a mile or two away.”
Many countries don’t have the resources America does to fight the problem, he said. Other countries don’t have the inclination to fight the crime as long as the victims are outside of their borders.
Another advantage for these crime groups is that they’re well funded, said one panelist. Additionally, they don’t have the constraints of the law. “We have to follow the rules, hackers don’t,” said Kevin Mitnick, a well-known former hacker who founded and now runs Mitnick Security Consulting, of Henderson, Nevada.