On Monday March 1st, the Experienced Security Professionals Program (ESPP) was held at the RSA conference, gathering 100+ practitioners to discuss and debate a few topics. The morning session was on “The Changing Face of Cyber-crime”, and discussed the challenges facing law enforcement to prosecute electronic crimes, as well as some of the damage companies face when attackers steal data. As could be expected, the issue of breach disclosure came up, and of course several corporate representatives pulled out the tired argument of “protecting their company” as their reason to not disclose breaches. The FBI and US Department of Justice representatives on the panel referenced several examples where public firms have gone so far as to file an injunction against the FBI and other federal entities to stop investigating breaches. Yes, you read that correctly. Companies sued to stop the FBI from investigating.
And we wonder why cyber-attacks continue? It’s hard enough to catch these folks when all relevant data is available, so if you have victims intentionally stopping investigations and burying the evidence needed for prosecution, that seems like a pretty good way to ensure criminals will avoid any penalties, and to encourage attackers to continue their profitable pursuits at shareholder expense. The path of least resistance continues to get easier.
Let’s look past the murky grey area of breach disclosure regarding private information (PII) for a moment, and just focus on the theft of intellectual property. If anything, there is much less disclosure of IP theft, thanks to BS arguments like – “It will hurt the stock price,” or “We have to protect the shareholders.” or “Our responsibility is to preserve shareholder value.” Those were the exact phrases I heard at the ESPP event, and they made my blood boil. All these statements are complete cop-outs, motivated by corporate officers’ wish to avoid embarrassment and potential losses of their bonuses, as opposed to making sure shareholders have full and complete information on which to base investment decisions.
How does this impact stock price? If IP has been stolen and is being used by competitors, it’s reasonable to expect the company’s performance in the market will deteriorate over time. R&D advances come at significant costs and risks, and if that value is compromised, the shareholders eventually lose. Maybe it’s just me, but that seems like material information, and thus needs to be disclosed. In fact, failing to disclose this material information to shareholders, and to provide them sufficient information to understand investment risks, runs counter to the fiscal responsibility corporate officers accept in exchange for their 7-figure paychecks. Many, like the SEC and members of Congress, argue that this is exactly the kind of information that is covered by the disclosure controls under Section 302 of Sarbanes-Oxley, which require companies to disclose risks to the business.
That said, I understand public companies will not disclose breaches of IP. It’s not going to happen. Despite my strong personal feelings that breach notification is essential to the overall integrity of global financial markets, companies will act in their own best interests over the short term. Looking beyond the embarrassment factor, potential brand impact, and competitive disadvantages, the single question that foils my idealistic goal of full disclosure is: “How does the company benefit from disclosure?”
That’s right – it’s not in the company’s own interest to disclose, and unless they can realize some benefit greater than the estimated loss of IP (Google’s Chinese PR stunt, anyone?), they will not disclose. Public companies need to act according to their own best interests. It’s not noble – in fact it’s entirely selfish – but it’s a fact. Since the company will already suffer the losses from the stolen IP, there is no upside to disclosing unless there are potential regulatory penalties for not disclosing; disclosure probably only increases the losses. So we are at an impasse between what is right and what is realistic. So how do we fix this? More legislation? A parade down Wall Street for those admitting IP theft? Financial incentives? Help a brother out here – how can we get IP breach disclosure, and get it now?
4 Replies to “FireStarter: IP Breach Disclosure, No-Way, No-How”
LonerVamp,
I don’t think Google acted against their own interests. I believe they have multiple ‘personal’ (self-interested) drivers, including PR and outrage that Chinese people would think they could get away with hacking *GOOGLE* (aggravated by their success), and a slightly broader identification with the US/CA high-tech industry, recognizing that if all breach info is siloed, nobody (including Google) has enough information to protect themselves adequately.
Or support from Congress, which was at least stung into statements of support — whether the USG does any more than have Hillary state our concern is still an open question. I’m pretty sure the FBI and other investigators have been instructed to bump the priority of their investigations, and certainly the NSA wasn’t going to help Google before (whatever you think that help will consist of).
And as human beings, I believe they have always been offended by Chinese (and US) censorship, which aligns nicely with their business objectives, and I believe was *a factor* behind the announcement. Not that moral outrage by itself would have triggered a press release, much less a threat to withdraw from China…
@Chris: While we won’t ever know the conversations that led to Google’s decisions in the China incident(s), there are plenty of us who believe strongly that Google was still acting in its own interests. I don’t believe they were being altruistic or noble without gain.
@Adrian: This sounds almost like financial regulations that require exposure of issues. Staying out of an orange jumpsuit is better than being fired for failing to turn investments around.
But I still hate the legislative approach. It puts security in a lose-lose situation.
I think your approach of disclosing IP breaches as a duty to investors to valuate risk is the only approach for IP breaches. And I think you’re correct in saying they won’t do it unless someone forces them to.
We have good guys and we have bad guys. And we have semi-bad guys very close to us that impede the work of the good guys to beat the bad guys. Perhaps we should start bringing back the saying, “If you’re not part of the solution, you’re part of the problem.”
Nicely said.
Is it not possible to share breach information with the authorities in some way without a “public” disclosure?
Perhaps shareholders will start to question management security acumen at shareholder meetings as part of their own due diligence?
Adrian,
“(Google’s Chinese PR stunt, anyone?)” seems to be counterproductive. If companies have powerful disincentives not to disclose — embarrassment and potential stock devaluation — then any countervailing motivation which pushes them over the ledge to announce deserves some appreciation.
I believe Google’s managers are genuinely offended by Chinese censorship, but that obviously wasn’t enough to keep them from censoring before. Now they’re personally embarrassed at being breached, and feeling a little defensive — hopefully also of their fellow breach victims — and doing what many people urged Google to do before: drop censoring and/or get out of that Chinese government controlled market.
Let’s accept that their motivations are more complicated than their press releases, but try not to tease Google too much about it when they’re (hopefully) doing the right thing — even reluctantly.