By LISA HOFFMAN
Scripps Howard News Service
February 23, 2006
Since the Internet revolution began a decade ago, U.S. businesses have been so reluctant to report cyber-victimization that experts believe the toll may be substantially higher than anyone estimates, law-enforcement officials say.
But a sweeping survey recently begun by the Department of Justice may provide the clearest picture yet of the scourge of computer viruses, worms, spyware, network intrusion, fraud, theft of information and other security breaches.
The departments of Justice and Homeland Security have unveiled plans to randomly - and confidentially - query 36,000 firms, which were selected as a sample of 5.3 million U.S. businesses across 37 industry sectors.
The survey data "will provide the first official national statistics on the extent and consequences of cyber crime," Justice spokesman Stu Smith said in a statement.
The department hopes it also will pierce the unwritten code of silence that most companies follow when it comes to cyber-crime.
"Most companies that experience computer intrusions or breaches of security do not report the incidents to law enforcement," FBI Director Robert Mueller said at a Feb. 15 Business Software Alliance town-hall meeting.
That reluctance stems from two beliefs by many firms: that it's a waste of time to report such an incident because there is little the police can do about it; and that revealing an attack could hurt their bottom line through bad publicity and diminished customer confidence in their security procedures.
To reassure businesses that they can be candid, the federal survey will take extra steps to ensure the responses from individual firms remain confidential, spokesman Smith said. Only a select handful of staff from the Rand Corp., which will conduct the survey, will even know the identity of the individual companies involved.
And the firms need not fear that competitors or others will be able to uncover their replies because they will be protected by exemptions to federal freedom-of-information laws.
Until now, the best data on the scope of the problem has come from snapshots of the security landscape. While the Justice Department's bureau of statistics and the FBI have conducted similar surveys in the past, they were of a significantly smaller scale.
For instance, the FBI last year conducted a computer-crime survey of 2,000 businesses in just four states - Iowa, Nebraska, New York and Texas. Only companies with more than five employees and $1 million in annual revenue were included.
Based on that survey, analysts estimated that about 20 percent of U.S. firms had experienced at least one cyber-attack at an average cost of $24,000 per company.
Told of the much larger scale of the new survey, spokeswoman Wendy Rosen of the Business Software Alliance industry group said, "That's huge. That's fantastic."
Rosen said it is critical that business and government work as partners to battle cyber-crime. "Government and industry can't afford not to work together," Rosen said.
Justice officials said companies selected to participate in the survey will receive instructions from now until August. No time frame was given for when results will be released.