Not only might companies have ethical, civic and legal obligations to alert authorities to cyberthreats, businesses may find that the authorities can be helpful, law enforcement agents and prosecutors said on Friday.
Aravind Swaminathan, assistant US attorney in the Western District of Washington, took pains to describe the lengths to which his office goes to be sensitive to the needs of companies that report crimes. He spoke during a cybercrime conference at the University of Washington School of Law on Friday.
"Everybody's worried that their trade secret will end up on the front page of the paper," he said. "Trade-secret cases are hard, but work with us. We aren't obtuse. We know that's the stock and trade of your business."
His office is keen to work closely with businesses to ensure that sensitive data doesn't become public, he said. Documents going public isn't an issue until a case goes to trial anyway, and few of his cases make it that far. Most are resolved through plea agreements, he said.
His office can also make protective orders to prevent sensitive documents from being disclosed, or to require that a defendant's lawyer is present when viewing such documents.
In addition, for companies wary of bad publicity surrounding legal cases, his office is eager to promote the cooperation of the company as a way to offer some good publicity, he said.
Companies are less worried about bad publicity than they were five or six years ago, said Randy Gainer, a partner at the legal firm Davis Wright Tremaine. "The time for keeping these events under covers is gone," he said. Even if a company doesn't have a legal obligation to come forward about cybercrime, customers may figure out that an incident occurred, providing fodder for class-action lawsuits, he said.
Law enforcement agents said they are also sensitive to other issues companies might have. When David Dunn of the US Secret Service E-Crimes Task Force responds to a company that calls about a data breach, he's very aware that the organization is in crisis mode, he said.
"We acknowledge that this is a usual event for us but very unusual for you," he said. But he can often help companies prevent further damage. He might recognize the attack from previous attacks and be able to direct the company to another vulnerability that the cybercriminal is likely to hit next. "We can provide information to help the company close a door," he said.
Because he's experienced with major cybercrime, he can direct companies about what types of files to copy and which to protect from being overwritten, in order to preserve data that might help track down the perpetrators. "We can help stop the bleeding," he said.
Boeing reported good experiences working with authorities on a couple of cases, including one where a former employee was threatening employees via email. The victims were given a contact at the attorney's office to talk to about their concerns and were only named by their initials publicly. "That went a long way to help people feel a little more comfortable," said Vanessa Lee, senior counsel at Boeing.
Dunn urged people to call his office even if the losses from a cybercrime might seem small. Sometimes the perpetrators make many smaller hits that add up, and he might be able to connect smaller attacks. He recently presented a case to the district attorney's office over a $2,000 loss, he said. But he and the attorney suspect the losses may turn out to have been in the millions once they investigate further.