Privacy in Cybercrimes Promised

Senior law enforcement officials assured technology executives Thursday that government will increasingly work to keep secret the names of companies that become victims to major hacking crimes, along with any sensitive corporate disclosures that could prove embarrassing.

The effort, described at a cybercrime conference in northern Virginia, is designed to encourage businesses to report such attacks and build public confidence in Internet security. Officials promised to use legal mechanisms, such as protective orders and sealed court filings, to shield corporate hacking victims from bad publicity.

“It’s important for us to realize that you have certain concerns as victim companies that we have to acknowledge,” FBI Director Robert S. Mueller III said. He promised, for example, that FBI agents called to investigate hacking crimes will arrive at offices discretely without wearing official jackets with FBI emblazoned on them.

“The mere calling of us in an investigation can have an adverse impact on the image of your company,” said Mueller, who has made cybercrime an FBI priority.

In exchange for this protection, Mueller said, companies should more frequently admit to the FBI when they are victims of hacking.

“You’re not enabling us to do the job,” Mueller said.

Government efforts to tighten Internet security and investigate online attacks have long been hampered by reluctance from companies to admit they were victims, even in cases where executives quietly paid thousands of dollars in extortion to hackers. Companies say they fear loss of trust by customers and shareholders, costs associated with a formal investigation and increased scrutiny by regulators.

New efforts to protect the identities of hacking victims also contrast markedly with traditional hacker culture, which frequently blames companies and organizations that are targets of online attacks for failing to secure their networks adequately.

“There may very well be ways that law enforcement can get a criminal sanction imposed but not have all the names of the companies made public,” said Marty Stansell-Gamm, chief of the Justice Department’s computer crime section.

But she cautioned: “That’s not something that law enforcement can guarantee.”