An argument is raging about whether companies should be forced to disclose cyber attacks, as security experts warn that US retailers, hotels and airports have gaping holes in their online security.
Researchers in Las Vegas for the Black Hat cyber security conference exposed flaws they argued could allow hackers to swipe credit card details from retailers, run technology in hotel rooms by remote control and trick airport security into believing someone is drugs-free.
Dan Geer, chief information security officer for In-Q-Tel, which invests in technology on behalf of the Central Intelligence Agency, said the threat of cyber attack was so serious that companies should have to declare significant security failures. “Not only has cyber security reached the highest levels of attention, it has spread into nearly every corner,” he said. “The footprint of cyber security has surpassed the grasp of any one of us.”
Laws about what kind of attacks companies must report vary depending on the country or industry. But many focus on the loss of consumer data rather than on the tide of attacks by nation states and intellectual property theft.
Despite patchy regulation, the number of companies reporting cyber security concerns to US regulators has more than doubled in the past two years, according to official filings.
Mr Geer called for “a public health system” for the internet where the security of everyone online is given higher priority than the privacy of attack victims. He also said the US government should pay to have the vulnerabilities that people find in software made public.
Alex Stamos, Yahoo’s chief information security officer, said companies needed to work together to combat cyber crime. Other industries should learn from banks, which had succeeded at co-operating on security partly because they were highly regulated, he said.
But Kevin Mandia, chief operating officer of cyber security company FireEye, said companies were right to fear being forced to disclose attacks as some were “crucified” in a “point and blame atmosphere”.
Doctors were not blamed for not having yet discovered a cure for cancer and the threat from cyber crime was similarly here to stay, he added. “I feel like we are trying to cure cancer just like doctors are.”