For eight years, Arbor Networks has been tracking the cyber threat landscape through our annual Worldwide Infrastructure Security Report. Of course, much has changed over that time period. The peak DDoS attack size rising from 400 Mbps to well over 100 Gbps is just the start. The rise of stealthy application-layer attacks and the rise of hacktivism have dramatically changed the game for network operators and enterprises alike.
One thing that has remained remarkably consistent over the years, however, has been the hesitance about reporting network security incidents to law enforcement, and a lack of confidence that anything can be done.
Arbor’s 8th annual report shows that the reasons most cited for not reporting attacks include a lack of resources and time, low confidence in law enforcement investigative efficacy, and corporate policy.
Here are a couple of comments from respondents who do not currently make law enforcement referrals:
- from an enterprise, “concerns regarding seized equipment”; and
- from a service provider, “that is the customer’s decision”.
Attribution of cyber attacks can be incredibly difficult, costly and time-consuming. These dynamics naturally discourage reporting and make hacking an attractive vector for criminals, as they have a relatively low chance of getting caught vs. attempting to commit crimes in the physical world.
For the targeted organization and its network security vendors, the most pressing questions are around how and not who. How did they target the network? How did they bypass existing defenses? What techniques did they utilize that made them successful?
The federal government is playing an increasing role in cyber security as the potential implications to national security become clearer. With the rise in state-sponsored cyber activity, and the fragility of the nation’s critical infrastructure, the Department of Defense has made improving attribution capabilities a top priority. A sign of just how invested the government is in improving its attribution capabilities came last fall when then Department of Defense Secretary Panetta warned cyber attackers that, “[p]otential aggressors should be aware that the United States has the capacity to locate them and to hold them accountable for their actions that may try to harm America.”
Of course, the better our attribution capabilities, the more law enforcement can do. At the FBI, Director Robert Mueller recently testified before Congress that, “We are working with our partners, both foreign and domestic, to develop innovative ways to identify and confront the threat as well as mitigate the damage…. Just as the FBI has transformed its counterterrorism and intelligence programs to deal with an evolving and adapting threat, the bureau is strengthening its cyber program and capabilities. Computer intrusions and network attacks are the greatest cyber threat to our national security.”
Government interest in cyber security isn’t limited to law enforcement; it extends to the halls of Congress as well. There are currently multiple pieces of cyber security legislation, and many analysts expect that some form of incident disclosure will be an eventual outcome.
Ironically, another change factor is the sheer number of organizations that have been successfully hacked. The number of A-list organizations that have been victimized is long and growing every day.
Because of the success that hackers have had in recent years, the stigma of being a victim has been dramatically minimized. This is leading some of America’s largest companies to voluntarily disclose cyber attacks today as part of their fiduciary responsibility to shareholders.
According to Bloomberg News, of the 100 largest companies in the United States, 27 have reported cyber crime incidents in 10-K filings to the Securities and Exchange Commission.
Until very recently, the decision to report cyber crimes seemed like a thankless task, with far more downside than upside. There are multiple reasons for optimism that one of the basic advantages of the hackers – the absence of fear of getting caught – may be eroding. Government and law enforcement continue to make cyber crimes a top priority, more high-profile arrests continue to take place, and the stigma of reporting attacks is beginning to fade away.
Gary Sockrider is solutions architect at Arbor Networks (www.arbornetworks.com).
Edited by Stefania Viscusi