[infowar.de] USA publishes guidelines for dealing with cybercrime



Infowar.de, http://userpage.fu-berlin.de/~bendrath/liste.html
-------------------------------------------------------------

I have not yet been able to find the guidelines themselves - I suspect
they will be published at http://www.cio.gov.
RB

http://www.nytimes.com/2002/02/12/technology/12CYBE.html?ex=1014550854&ei=1&en=9b30c31569228713

U.S. Backing for Guidelines on Fighting Cybercrime

February 12, 2002
By BARNABY J. FEDER

The first guidelines for responding to attacks on computer systems to be
endorsed by both the F.B.I. and the Secret Service, the main Federal
agencies fighting such crimes, were published yesterday.

The guidelines were drafted by government and private security experts
brought together by CIO magazine, a trade publication for information
technology executives.

The guidance comes at a time when the number of both government and
private organizations trying to track and fight electronic crimes has
been expanding, partly in response to Sept. 11. But experts say many
businesses continue to be reluctant to provide law enforcement officials
with enough information to pursue cybercriminals. Companies often fear
that they will lose business if security breaches become public or that
they will become the target of revenge attacks.

"People are very fearful of all the publicity that surrounds going after
someone and convicting them," said Bruce Schneier, chief technology
officer of Counterpane, a computer security company based in Cupertino,
Calif.

Such fears can be overcome in many cases, said Ronald L. Dick, the
F.B.I. official who heads the government's National Infrastructure
Protection Center. "They'll share information with us every time if they
have an inkling we can prosecute successfully," Mr. Dick said.   

Still, he said, the new guidelines should help fight fears that the
government agencies would respond to intrusion reports "by seizing your
server and putting yellow tape around it."

The 12-page CIO guidelines provide complete contact information for
businesses to report intrusions to public authorities and various
information-sharing partnerships like the 65 InfraGard chapters the
F.B.I. has helped set up around the nation. They also outline practices
that the F.B.I. and Secret Service advocate, like developing
relationships with electronic crimes experts at the agencies ahead of
time so that managers have a personal contact to take their call.

The guidelines advise against reporting minor intrusions, like the
efforts of outsiders to scan corporate systems for ways to penetrate
them. Such probes can occur hundreds or even thousands of times a month
at a major company. While such information could be useful in theory,
the guidelines say, it would swamp the current data systems of
clearinghouses like the National Infrastructure Protection Center or the
Internet Storm Center, which is operated by the SANS Institute, an
international research organization for security experts.

Breaches of computer defenses by worms, viruses, hacks and other
intrusions that cause damage are another matter. Law enforcement
officials need all the help they can get in catching up with such
activity, said Bruce A. Townsend, special agent in charge of the Secret
Service's financial crimes division. 

"This is constantly evolving, unlike something like drug trafficking," 
Mr. Townsend said.

Most experts say cybercrimes cost billions of dollars annually. Last
year, only 36 percent of those who experienced intrusions reported them
to authorities, according to an annual survey by the Computer Security
Institute and the San Francisco office of the F.B.I.

Mr. Townsend said the major part of the guidelines was not the
standardized form for reporting intrusions but the emphasis on planning
ahead. Some experts argue though that few companies will do an adequate
job in that regard unless forced to by regulatory authorities.

"We need metrics of how prepared people are for cyberattacks and
provisions like the Securities and Exchange Commission required for Y2K
for corporate disclosure," said Harris N. Miller, president of the
Information Technology Association of America, a trade group that has
participated in organizing information-sharing groups on security
matters.
