An argument is raging about whether companies should be forced to disclose cyber attacks, as cyber security experts warn that retailers, hotels and airports across the US have gaping holes in their online security.
Researchers in Las Vegas for the Black Hat cyber security conference exposed flaws they argue could allow hackers to swipe credit card details from more than 600 retailers, remotely control technology in hotel rooms and trick airport security into believing someone is drug-free.
Dan Geer, chief information security officer for In-Q-Tel, which invests in technology on behalf of the Central Intelligence Agency, told the conference the threat of cyber attack was so serious that companies should have to declare significant cyber security failures.
“Not only has cyber security reached the highest levels of attention, it has spread into nearly every corner,” he said. “The footprint of cyber security has surpassed the grasp of any one of us.”
Laws about what kind of attacks companies must report vary depending on the country or industry. But many focus on the loss of consumer data such as credit card information, rather than on the rising tide of attacks by nation states, intellectual property theft and online ransoms.
Despite the patchy regulation, the number of companies reporting cyber security concerns to US regulators has more than doubled in the past two years, according to official filings. The increasing number of devices that rely on the internet has provided more opportunities for cyber criminals.
Mr Geer called for “a public health system” for the internet where the security of everyone online is given higher priority than the privacy of attack victims. He also said the US government should pay to make public vulnerabilities that people found in software.
Alex Stamos, Yahoo’s chief information security officer, said companies needed to work together to combat cyber crime. “The bad guys share information,” he said, referring to underground forums. Other industries should learn from banks, he added, which had succeeded at co-operating on security partly because they were highly regulated.
The public’s poor grasp of the relative severity of different attacks meant minor problems could be overblown if companies were forced to announce them, he said.
But Kevin Mandia, chief operating officer of cyber security company FireEye, said companies were right to fear being forced to disclose attacks as some were “crucified” in what he said was a “point and blame atmosphere”.
Doctors were not blamed for not yet having discovered a cure for cancer, and the threat from cyber crime was similarly here to stay, he added. “I feel like we are trying to cure cancer just like doctors are.”
The warning said the “Back off” malware allowed hackers to track every character typed into a point of sale system, exposing customer names, mailing addresses, credit card numbers and email addresses.