On March 17, President Biden signed the Strengthening American Cybersecurity Act into law. The law requires companies in the 16 sectors that make up the country’s critical infrastructure (including energy, hospitals, banks and transportation) to report covered cyber incidents within 72 hours and ransomware payments within 24 hours.
Reporting mandates have been debated for more than a decade, but the trifecta of SolarWinds, last year’s string of ransomware attacks and the Russia-Ukraine conflict gave the administration’s cybersecurity leadership and its congressional allies the political capital to finally push (and, arguably, rush) them into law.
While the intent is to make critical infrastructure more resilient to cyberattacks, the law is short-sighted and could have serious ramifications for both private business and government. The only thing it strengthens is the disincentive for companies to actually go looking for breaches.
The long-term implication is that this will weaken American cybersecurity. The good news? The law will come into force in two years at the earliest. Government and industry must use that time to work together on rules that truly address the problem.
The obligation to report increases the risk for victims
Those calling for mandatory reporting have the right intention, but if it is not implemented properly, it will do more harm than good.
Reporting requirements almost always put companies at risk, either legally or through fines. Penalizing an organization for not reporting a breach in a timely manner leaves it in a worse cybersecurity posture, because the penalty is a strong incentive to turn a blind eye to attacks. Alternatively, when a company does learn of a breach, it will find ways to “classify” the incident so that it falls into a reporting gap.
The reporting deadlines in the law are arbitrary and not based on the reality of effective incident response. The first hours and days after a breach are an essential part of the actual incident response process, but they are chaotic and handled by sleep-deprived teams. Working with attorneys to determine how the reports should be worded, and deciding which evidence the company wants to “see” and which it would rather not “see,” only makes the process more difficult.
This forces companies to report a breach before they even fully understand it, which can lead to confusion, false assumptions and inaccurate messaging about the breach that can harm a company from a public relations and reputational perspective.
Another problem is that there has been no offer of government assistance beyond FBI Director Christopher Wray’s claim, in a recent statement, that the bureau would have a technically trained agent on a company’s doorstep within the hour.
A report issued by Senator Rob Portman (R-OH) on March 24 details the experiences of companies targeted by the REvil ransomware group over the past year. It noted that two companies reported the attacks to the federal government but received “little help” in protecting their data and mitigating the damage. According to the report, “These companies said they received no best practice advice or other useful guidance from the federal government for responding to a ransomware attack.”
Could reporting work?
While the act is now law, the organization responsible for its enforcement, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), has two years to fully implement it through a rulemaking process.
For any type of reporting system to truly do what it is intended to do, it must be packed with safeguards for companies that comply, protecting them from disclosure of the reported information, lawsuits, adverse government action and more. But considering how much protection a company would need to be given, such a system is open to abuse: companies will use those protections to hide from blame when they really did do something wrong.
Ultimately, it is better not to require any form of reporting and instead put together a system that encourages companies to report by offering them the concrete benefits of reporting: free assistance with incident response, help hunting down the adversaries, and recovery of stolen data, money and intellectual property. Such a regime would be based on strong public-private partnerships.
In addition, a successful solution must include an update to current legislation, such as the 36-year-old Computer Fraud and Abuse Act. The act has been amended several times over the years, most recently in 2008, but the current legal position regarding cyberattacks is around 25 years old and dates from a time when no one imagined a world in which everyone and everything was connected.
As it stands, the law prohibits unauthorized access to computer systems and leaves active cyber defense to the federal government. In the future, private companies must also have a lawful way to respond effectively to cyberattacks, through trained and licensed private firms working in partnership with government and law enforcement.
We are in a cyber war that no single country, government or private organization can win alone. Everyone must work together to solve the problem. Given everything that has to go right here, we are better off without mandatory reporting. We must work together to implement an incentive system that encourages reporting through offerings of free incident response, recovery of lost data and intellectual property, and support for every organization in implementing defenses against nation-state-level threats.
Max Kelly is the founder and CEO of Redacted.