Businesses Can No Longer Keep Cyberattacks Under Wraps
Reporting regulations to make breaches known are already in place in the EU and in 36 U.S. states
“Cybersecurity has reached a tipping point,” wrote MIT professor Stuart Madnick in a recent Harvard Business Review article, New Cybersecurity Regulations Are Coming. Here’s How to Prepare. “After decades of private-sector organizations more or less being left to deal with cyber incidents on their own, the scale and impact of cyberattacks means that the fallout from these incidents can ripple across societies and borders.”
Given the growing threat of cyberattacks, there’s an urgent need to improve the security of IT systems. However, we still don’t know a lot about cyberattacks, including how many attacks have taken place and who’s been attacked. Until recently, cybersecurity regulation were mostly focused on data privacy, and the only attacks that had to be reported were those involving personal information, such as the theft of names and credit card numbers.
For example, when Colonial Pipeline suffered a serious ransomware attack in May of 2021 that shut down nearly 50% of fuel deliveries to the U.S. East Coast, neither the company nor the pipeline operators were required to report the attack because personal information wasn’t stolen. “As a result, it’s almost impossible to know how many cyberattacks there really are, and what form they take,” said Madnick.
“Some have suggested that only 25% of cybersecurity incidents are reported; others say only about 18%, while others say that 10% or less are reported.”
We need detailed information on who is being attacked, how are they getting attacked, what are the attackers after, and what have they’ve actually stolen.
Following GDPR’s Lead
Governments around the world are now proposing or enacting new laws and regulations. The General Data Protection Regulation (GDPR) requires that the EU’s 27 member states must report serious data breaches within 72 hours. In the U.S., new regulations and enforcements are likely to come from the White House, Congress, the Cybersecurity & Infrastructure Security Agency (CISA), the Securities and Exchange Commission, the Federal Trade Commission, and a number of other agencies.
Thirty six states have already enacted new cybersecurity legislation.
These new rules would require companies to report cyber incidents, like the Colonial Pipeline attack, especially when critical infrastructure industries are involved, such as energy, health care, communications and financial services.
The most effective way of improving cybersecurity is to increase the amount and quality of cyberattack information. In another recent WSJ article, Why Companies Need to Start Sharing More Information About Cyberattacks, Madnick discussed the types of cyber incident information that would be most helpful to report.
· Types of Attacks: “Cyberattacks can range from personal information being exposed, to money being stolen, to computer systems being held hostage due to ransomware. … This information is usually known rather quickly by the impacted company.”
· Methods Used: “For example, how did the intruder get into your system? Was it due to a link in a phishing email that some employee clicked on, or was it due to a known vulnerability in your system that hadn’t been patched. … Sharing this information will help other companies identify their own vulnerabilities.”
· Impact: “Were normal business operations disrupted or actual money lost, such as through ransom payment? … Shareholders require transparency, and hiding significant business impact only reduces the trust between shareholders and management.”
· Current Status and Recovery Methods: “[L]earning how long the organization was impacted and the methods that were used to recover from the disruption could be of great value in preparing other companies to be more resilient in the face of a cyberattack.”
How Serious an Attack?
However, it’s not at all clear what constitutes the kind of serious cyber incident that should be reported amid the large number of such incidents that companies face every day.
In the HBR article, Madnick explained the gray area that companies need to navigate by comparing cyber incidents to near-collision close calls for aircraft.
The Federal Aviation Administration (FAA) has long established a reporting program in the aviation system so that the unsafe conditions that led to a potential accidents can be identified, corrected and avoided in the future before they lead to serious accidents.
“On its face, a similar requirement for cybersecurity seems very reasonable,” noted Madnick. “The problem is, determining what should count as a cybersecurity incident is much less clear than the near miss of two aircraft being closer than allowed. A cyber incident is something that could have led to a cyber breach, but does not need to have become an actual cyber breach: By one official definition, it only requires an action that imminently jeopardizes a system or presents an imminent threat of violating a law.”
As is the case in aviation, reporting all meaningful cyber incidents would help companies better address their key vulnerabilities. But, what constitutes the kind of meaningful cyber incident that must be reported? “For example, based on data gathered from current incident reports, we learned that just 288 out of the nearly 200,000 known vulnerabilities in the National Vulnerability Database (NVD) are actively being exploited in ransomware attacks,” added Madnick.
Companies and regulators must strike a balance.
An overly broad definition of what constitutes a cyber incident might require a company “to report thousands of incidents per day, even if most were spam emails that were ignored or repelled. This would be an enormous burden both on the company to produce these reports as well as the agency that would need to process and make sense out of such a deluge of reports.” In addition, international companies would also need to navigate the flood of regulations and reporting standards coming out of diverse agencies in countries around the world.
Begin Actions Now
“Companies don’t need to just sit by and wait for the rules to be written and then implemented, however,” said Madnick. “Rather, they need to be working now to understand the kinds of regulations that are presently being considered, ascertain the uncertainties and potential impacts, and prepare to act.” In particular, he recommends that companies start implementing a few key actions.
- Make sure your procedures are up to the task. “Companies subject to SEC regulations, which includes most large companies in the United States, need to quickly define materiality and review their current policies and procedures for determining whether materiality applies, in light of these new regulations.”
- Keep ransomware policies up to date. “Regulations are also being formulated in areas such as reporting ransomware attacks and even making it a crime to pay a ransom. Company policies regarding paying ransomware need to be reviewed, along with likely changes to cyberinsurance policies.”
- Prepare for required Software Bill of Materials in order to better vet your digital supply chain. Many companies are not aware of the vulnerabilities in their systems because their software is often bundled with other software, which in turn includes other software, and so on. “There are regulations being proposed to require companies to maintain a detailed and up-to-date Software Bill of Materials (SBOM) so that they can quickly and accurately know all the different pieces of software embedded in their complex computer systems.”
Finally, Madnick recommends that companies carefully review the new and proposed regulations and evaluate their overall impact on the organization. “These are rarely just technical details left to your information technology or cybersecurity team — they have companywide implications and likely changes to many policies and procedures throughout your organization. To the extent that most of these new regulations are still malleable, your organization may want to actively influence what directions these regulations take and how they are implemented and enforced.”
This blog first appeared October 20 here.
