American companies that are victims of a data breach ought to report the crimes and work with law enforcement because doing so could change the unfriendly public narrative that the government will look to start charging companies with crimes, federal officials told business executives this week.
Acting Assistant Attorney General Dana Boente, the current head of the Justice Department’s national security division, pitched industry leaders in Washington on what he called “the business case” for cooperation with law enforcement in the wake of an online intrusion.
“I recognize that your decision to call the FBI, to work with the Justice Department, is often your decision: It’s a choice,” Boente said in a keynote address to the U.S. Chamber of Commerce’s Sixth Annual Cybersecurity Summit. “And what I want to do today is lay out that there are real benefits to making that choice and the risks shouldn’t be overstated.”
He argued that — for companies victimized by skilled hackers, including those acting on behalf of a nation-state — the benefits of reporting crime and cooperating with investigators far outweighed the downside.
“[Working with law enforcement] an opportunity for [hacked companies] to shift the narrative somewhat, from focusing on you as the victim, to someone that actually did something wrong, the hacker — and making it about the bad guy,” he said.
Boente — who also continues to serve as the U.S. attorney for the Eastern District of Virginia while filling in at the DOJ — said that law enforcement had access to information that others didn’t, including technical data. “We have visibility into intrusion activity around the country that allows us to advise you — if you’re a victim — about activity that’s similar” targeting other companies or different sectors, he said.
The FBI and the Department of Homeland Security have reiterated this message seemingly whenever they have the chance, even though investigations tend to lead to hurdles over information sharing between agencies.
Above all, Boente said law enforcement has the power to fix problems.
“Our authorities are unique,” he said. “If you want to take action, if you want to try and recover data that’s been stolen or if data has been posted online that is a threat to your business, that is a very hard problem set. But because of the relations the FBI has worldwide, because of the unique authorities of law enforcement, we are the best hope to address that situation.”
Over the past year, federal law enforcement officials have joined the Chamber on a nationwide cybersecurity awareness roadshow pushing the message that it’s in a business’ best interest to bring in the feds when they get hacked.
But it doesn’t seem to be working.
“Unfortunately, we are still seeing a large majority of our private sector partners not turning to law enforcement, or [to] us in the FBI, when they do face an intrusion and we need to change this, we really do,” said Paul Abbate, the FBI’s executive assistant director, in a separate presentation.
“We need to get to a place where we have that trust and partnership so you do feel able to come to us,” he added.
You can hear more from Dana Boente and other federal government security experts at CyberTalks on Oct. 18.