First appeared in Reuters
At least a half-dozen major U.S. companies whose computers
have been infiltrated by cyber criminals or international spies have not
admitted to the incidents despite new guidance from securities regulators
urging such disclosures.
Top U.S. cybersecurity officials believe corporate hacking
is widespread, and the Securities and Exchange Commission issued a lengthy
"guidance" document on October 13 outlining how and when publicly
traded companies should report hacking incidents and cybersecurity risk.
But with one full quarter having elapsed since the SEC
request, some major companies that are known to have had significant digital
security breaches have said nothing about the incidents in their regulatory
filings.
Defense contractor Lockheed Martin Corp, for example, said
last May that it had fended off a "significant and tenacious" cyber
attack on its networks. But Lockheed's most recent 10-Q quarterly filing, like
its filing for the period that included the attack, does not even list hacking
as a generic risk, let alone state that it has been targeted.
A Reuters review of more than 2,000 filings since the SEC guidance
found some companies, including Internet infrastructure company VeriSign Inc
and credit card and debit card transaction processor VeriFone Systems Inc,
revealed significant new information about hacking incidents.
Yet the vast majority of companies addressing the issue only
used new boilerplate language to describe a general risk. Some hacking victims
did not even do that.
"It's completely confusing to me why companies aren't
reporting cyber risks" if only to avoid SEC enforcement or private lawsuits,
said Jacob Olcott, former counsel for the Senate Commerce committee. The chair
of that committee, John D. Rockefeller, urged the SEC to act last year.
Stewart Baker, a corporate attorney and former assistant
secretary of the Department of Homeland Security, said the SEC guidance was
detailed enough that companies that know they have been hacked will "have
to work pretty hard not to disclose something about the scope and risk of the
intrusion."
Otherwise, "this is an opportunity for enforcement that
practically hands the case to the SEC on a platter," Baker said.
Lockheed spokesman Chris Williams said hacking was covered
under the company's most recent annual securities filing, which has as one of
many risk factors "security threats, including threats to our information
technology infrastructure, attempts to gain access to our proprietary or
classified information, threats to physical security of our facilities and employees,
and terrorist acts."
Williams said the May attack had "no material effect on
our business."
Mantech International Corp, CACI International Inc and other
defense and technology firms that have been reported by security researchers as
hacking victims were likewise silent in their most recent filings. Neither
Mantech nor CACI responded to interview requests.
"It's common knowledge" that most large defense
contractors have been penetrated, said Olcott.
Sikorsky Aircraft, mindful of a strict New Hampshire law
warning individuals at risk of identity theft, wrote to that state's attorney
general in August that hackers had gotten into its system and could have
accessed Social Security numbers of 55 employees who lived in the state.
Sikorsky said the employee data likely was not the hackers'
target, which suggests that they might have been after designs or other trade
secrets. But Sikorsky parent United Technologies Corp did not mention the May
intrusion in subsequent SEC filings.
"Like other companies, our businesses are subject to
(information technology) security attacks at times. We monitor systems and
cooperate closely with the government when appropriate," said United Technologies
spokesman John Moran.
DEARTH OF CONFESSIONS
Melissa Hathaway, a former intelligence official who led
U.S. President Barack Obama's initial cybersecurity policy review and helped
push the SEC to enact a disclosure policy, said she was "surprised"
at the dearth of new confessions.
"The SEC division of corporate finance has an
obligation to ask these companies why they didn't disclose," she said.
"We need to have transparency on the state of the situation, and we need
to have a national conversation regarding the near-term impact of economic
espionage and the long-term health of the nation."
The SEC declined to comment. The agency's guidance
officially clarifies previous policy instead of establishing a new rule, a
process that takes longer and requires a vote of the commissioners. A person
close to the agency said it expects fuller disclosures in annual 10-K filings
that will begin appearing in volume this month.
Cybersecurity has been an increasing concern in Washington,
and Obama asked during his State of the Union speech for action on legislative
proposals. Security experts believe hackers are frequently targeting valuable
digital information including strategic plans, blueprints and secret formulas.
But security experts in and out of government have
complained for years that most companies don't disclose even very successful
hacking attacks, because they never find out about them or simply don't want to
spook investors, customers or business partners.
The U.S. National Counterintelligence Executive, in a
landmark November report that openly accused China of sponsoring military and
economic cyber espionage, said that it is hard for companies to estimate the
impact of losses that might not be apparent for years.
One Pentagon contractor that did go into some detail
recently about the threat was Northrop Grumman Corp, which warned:
"Cybersecurity attacks in particular are evolving and include, but are not
limited to, malicious software, attempts to gain unauthorized access to data,
and other electronic security breaches that could lead to disruptions in
mission critical systems, unauthorized release of confidential or otherwise
protected information and corruption of data. These events could damage our
reputation and lead to financial losses from remedial actions, loss of business
or potential liability."
A few technology companies gave even more specific warnings,
including Juniper Networks Inc, which makes gear for routing Internet traffic,
and chip-maker Intel Corp. Intel had been one of the few to disclose a
successful breach in the past, along with Google Inc, which has complained of
attacks originating in China.
In a November filing, Intel repeated that hackers had gotten
inside and warned that "the theft or unauthorized use or publication of
our trade secrets and other confidential business information as a result of
such an incident could adversely affect our competitive position and reduce
marketplace acceptance of our products."
Some companies asserted that they had not been hacked, or at
least averred that they had not been subject to a "material" or
"catastrophic" intrusion.
Others confessed to breaches for the first time, including
VeriSign and VeriFone Systems, which said it had experienced "security
breaches or fraudulent activities related to unauthorized access to sensitive
customer information."
The company did not respond to requests for elaboration.
Point-of-sale terminals including VeriFone's models are popular targets for
criminal hackers, who can tamper with them in order to record passwords and
card numbers.
VeriFone has been reported as a supplier of machines to
Michaels Stores Inc, a retail chain of hobbyist stores that had to replace more
than 7,000 terminals last year after discovering tampering in 20 states.
Two other companies said they disclosed breaches because of
the SEC guidance. Tumi Holdings, the luggage maker that is pursuing an initial
public offering, said in a stock prospectus that security systems in some of
its retail stores had been compromised in the past.
In an interview, Tumi Chief Financial Officer Michael Mardy
said there had been no theft of a database or other massive breach. Instead, he
said there had been occasions where store employees had conspired with
outsiders on a small scale, for example by giving refunds to people who had not
made purchases.
"We felt it was necessary to list as a risk factor
because it actually is a risk factor," Mardy said.
University of Phoenix parent Apollo Group Inc, which in the
past had noted attempted breaches, for the first time said some attempts had
succeeded.
"We are facing an increasing number of threats to our
computer systems of unauthorized access, computer hackers, computer viruses,
malicious code, organized cyber attacks and other system disruptions and
security breaches, and from time to time we experience such disruptions and
breaches," it wrote in a 10-Q.
Apollo spokesman Rick Castellano declined to say how
extensive the breaches had been. "Cybersecurity is an area of growing
concern for all companies," Castellano said. "We devote
significant resources to manage any potential threat."