Corporate hacks deserve more regulatory sunshine

The FBI wants to know about cases of corporate espionage but firms don't want to come forward

By Gina Chon

WASHINGTON (Reuters Breakingviews) — Companies are hacked all the time, but it's not often made public. The recent U.S. prosecution of a cyber attacker who broke into Boeing's systems is a rare example. The FBI wants to know about cases of corporate espionage, but firms often don't want to come forward. Regulators could help by doing more to encourage disclosure and less — for now — to punish the victims.

Breaches have become an epidemic. A record 79 per cent of respondents said they detected at least one breach over 12 months and large companies discovered an average of 446 hacks each in the period, according to a 2015 report from PricewaterhouseCoopers. Cyber security professionals say more than 80 per cent of intrusions go unreported while 87 per cent of IT workers surveyed by Lieberman Software last year said big financial hacks are happening more often than reported.

One problem is that both the technological landscape and enforcers' responses are evolving. Reporting a breach can be embarrassing, and the result unpredictable. Only Boeing was mentioned by name in Chinese businessman Su Bin's guilty plea, released by prosecutors on Wednesday. But his associates also sought data on other companies' products, including fighter jets made by Lockheed Martin.

Meanwhile, regulators have increased enforcement actions for inadequate cyber security, according to legal experts. The Securities and Exchange Commission, bank watchdogs and others have already imposed penalties. Lax defenses need to be policed, but it's challenging to fight determined hackers in a fast-changing technological environment — as the U.S. government knows, having suffered breaches at the White House, the Defense Department and elsewhere.

This environment makes companies reluctant to come clean with investors, and the rules generally don't require them to do so except in cases where personal information is hacked. Yet intellectual property breaches can be at least as damaging because rivals may learn about pricing, research and development and future plans. Prosecutors link job losses at U.S. Steel to a cyber attack there by the Chinese military.

The SEC says companies should disclose material breaches but the regulator's guidance is vague and leads companies to cite general risks rather than specific attacks. Just as businesses disclose lawsuits and other potentially expensive mishaps, hacks that could matter to investors need regulatory sunshine.


CONTEXT NEWS

• Su Bin, a Chinese national, pleaded guilty on March 23 to a six-year conspiracy to hack into computer networks of large U.S. defense contractors including Boeing, according to the U.S. Justice Department. Su, who owns an aviation and aerospace company, was arrested in Canada in July 2014.

• He is accused of working with two unnamed co-conspirators, who are in China, to hack into computer networks and sell the information they accessed. Some of the stolen files related to information on Boeing's C-17 military transport aircraft, which was built in California. Su faces a maximum five-year prison sentence and a fine of $250,000. He is scheduled to be sentenced in July.


Latest stories