FBI: Companies Need to Report Cyber Attacks

An assistant director of the FBI's New York City bureau tells IT security professionals that more needs to be done to report hacking and other cyber-crimes.

NEW YORK—Companies should do more to report cyber-crimes such as hacking and phishing to help federal authorities investigate and ensure that additional data isn't compromised beyond initial attacks, a high-ranking FBI official said.

"A huge issue for us is the underreporting of successful or almost successful hacking," Special Agent Mark Mershin, the assistant director-in-charge of the FBI's New York City Office, told a crowd gathered here at the Infosecurity Conference and Exhibition on Oct. 24.

A 30-year FBI veteran, Mershin was appointed to his current position at the bureau's largest field office in May 2005. The expert spoke for a little more than an hour in a keynote address about the three most important issues facing the agency each day: counterterrorism, counterintelligence and cyber-crimes.

After talking to the audience about the FBI's mission and expanding duties, Mershin turned to the agency's role in preventing and investigating cyber-crimes, especially those that target enterprises and other businesses.

Each month, the FBI's Internet Crimes Complaint Center receives about 18,000 complaints about some sort of cyber-crime.

One of the most consistent problems the bureau has seen in the last few years is the number of fraudulent Web sites that have been set up to look like legitimate sites for charities, especially those involving the Asian tsunami and Hurricane Katrina, he said.

The omnipresent Nigerian identity theft scam also remains one of the most successful of all cyber-crimes, much to the frustration of the FBI, Mershin said.

However, the agency is troubled by a pattern of behavior among corporations and businesses that are not consistently reporting when their infrastructure has been hacked, or even when their companies have become the unsuccessful target of hackers and other cyber-crooks.

Most companies, Mershin said, worry about the bottom line and feel any publicity or investigation into a cyber-crime will hurt profits.

"There is a concern that adverse publicity, the loss of good will and income" will have a bigger impact on the company than the actual crime, Mershin said.

Mershin told the crowd that the FBI will do all it can to minimize publicity while conducting investigations to ensure that a corporation's internal and confidential information remains that way.

During his talk, Mershin offered other insights into the FBI and IT security. He said the agency is in need of recruits with advanced IT and cyber-skills.

During the question-and-answer period, one audience member asked Mershin about the FBI's ability to wiretap and eavesdrop in light of the controversy raised by a secret program run by the National Security Agency.

Mershin said that the FBI cannot wiretap or eavesdrop on any person without a warrant, either one issued by a federal judge or one issued by the secret court set up under the Foreign Intelligence Surveillance Act to track spies and terrorists.