Private Sector Keeps Mum on Cyber Attacks
The biggest surprise to computer-security experts isn’t that Google Inc. was targeted by attackers from China. It’s that the Internet giant chose to disclose the incident. Despite repeated efforts by the U.S. government to get the private sector to share information about threats, many companies have long kept such incidents confidential.
“There’s a culture of secrecy around any bad news, and data breaches are always bad news,” said Larry Ponemon, a security and privacy consultant with the Ponemon Institute. “Organizations don’t like to reveal it.”
The reticence can apply both to public disclosure of attacks as well as information-sharing among companies and government agencies—exchanges that can help organizations prevent future break-ins.
This is dead on. Though, I think that Google had no choice but to disclose this because so many other entities, including defense group contractors, got popped too. Google actually may have been the vector that the attacks came from in the first place. After Aurora popped Google, it is likely that the Gmail accounts that were hacked were also potentially used to send the emails. Or, perhaps Google's SMTP/POP3/IMAP systems were captured. I have not heard much though as yet.
I hardly think, though, that Google decided to just come clean. Maybe also it was the whole idea that they were going to have to throw down on China and pull out over this and the whole filtering of their search capacity inside the great firewall…
In any case, all too many places do not report because of the FUD factor that will ensue after they fess up. Just how much reputational loss can they have post hack? Ask TJX. Better yet, ask Card Systems.