Information about current security protocols and ransomware details are critical, but agencies also need to make sure the reports are shared effectively, members of Protocol's Braintrust say.
Good afternoon! While mandatory cyber incident reporting was dropped from the NDAA passed by the house, discussions of how the government should be handling cybersecurity incident data continue to be in full force. In this week's braintrust, we asked the experts to think about how those reports could be set up to be most useful and tell us how the data in them could be most effectively utilized. Questions or comments? Send us a note at email@example.com
Director of Strategic Threat at Darktrace
Incident reporting is essential for helping the government understand the anatomy and impact of an attack, especially in critical infrastructure, and act to reduce the threat’s impact in the future. If the goal of mandatory reporting is for the government to understand impact better, then we need clear definitions of what needs to be reported. These requirements cannot be so burdensome that they detract from a company’s ability to respond and recover from an attack. This information and these requirements must help both the private and public sectors better understand how to maintain resilience and get organizations back to normal operations after an attack. We need a standalone agreement on cybersecurity moved forward by the U.S. government. That agreement needs to include:
- An outline of what content needs to be within reporting communication, including attack vector elements and attacker behaviors
- A commitment and reporting requirement for the government to share relevant, threat-related intelligence back to the private sector
- Recommendations for reporting that align with current incident response best practices to minimize the additional workload on security teams and detract from incident response and recovery
- Clear definitions for what level of incident triggers required notification. (These definitions cannot be so broad that a company’s default position is to report every minor issue out of an abundance of caution. This only degrades both the program and the security team’s effectiveness. It can’t simply be that a breach occurred, but that attackers damaged business operations or stole data.)
Field CTO at Arctic Wolf
The effectiveness of mandated cyber incident reporting will only be as good as the efficiency of lawmakers, and the ability to enforce them and help corral action upon threat reports. They’ll need to truly invest in the validation and enforcement of cybersecurity hygiene standards across all industries. Within mandatory cyber incident reports, businesses should also be transparent about their security practices, from employee training and awareness to operations investment. While government intervention and response is valuable, the onus is on companies to invest properly in cybersecurity operations and share information among their private sector counterparts. Beyond mandatory incident reporting to a governmental body, industries should be fostering a culture of information sharing within the private sector to encourage improved security practices and proactive response to mitigate industry-targeting threats, such as critical infrastructure attacks.
To use that information most effectively, the government needs to engage in a reciprocal cycle. Red tape, bureaucracy and time-to-action are frequent hurdles in acting upon private sector information and can be remedied by more timely connection with the private sector and cybersecurity vendor community to accelerate innovation and achieve better security. Upon receipt of incident reports, the government can be more proactive about engaging with affected industries and partnering with cybersecurity vendors to mitigate and defend against further attacks. Ultimately, we are all learning, public and private sector alike, and a two-way street within the information-sharing cycle will improve security posture for all.
President of Services and CSO at CrowdStrike
Recent legislative proposals for incident reporting direct CISA to work with stakeholders to define reporting elements. Reporting is likely to include important information like indicators of compromise or attack; signatures, samples or other threat information; details on timing and effects; and in the case of ransomware, more specifics around payment details. As this process plays out, it’s important that threats are reported to the government once, to avoid creating confusion or stovepipes or placing additional burdens on victim organizations.
It’s critical, however, that other government agencies have access to the information so they can work together to bring their unique capacity, capabilities and authorities to bear. Information must be assessed, analyzed and shared with appropriate stakeholders inside and outside of government, according to applicable law, and as quickly as possible. This must be a “whole of government” response in order to successfully mitigate these significant risks. Anything less will fail.
CEO and President at Absolute Software
For a variety of reasons, voluntary reporting is less effective when it comes to protecting our most critical sectors from adversaries and cyber attacks. Transparency and information-sharing are two of our most powerful weapons in trying to stay one step ahead. And having the right data is critical when it comes to benchmarking and ultimately strengthening our collective security defenses.
The criticality of rapidly sharing risk data cannot be understated. What we know is that it is rarely just one organization under attack or adversely affected. There is so much we can learn from each other if we avoid looking at this as a blame game, or public shaming exercise, and instead approach this massive undertaking as “we are all in this together.”
The hard and simple truth is that there is no one tool or one approach, no matter how well-informed or well-funded, that can protect an organization — either public or private — from these perpetual threats, notably ransomware attacks. While looking to prevent breaches in the first place, organizations should be equally encouraged and incentivized to acknowledge that it is likely not a matter of if, but when, someone will find a gap or vulnerability to expose. The most effective defenses will be built on resilience, not resistance — with solutions that are capable of self-healing and bouncing back when they are tampered with and stop working effectively.
CEO and Co-founder at Netskope
There has been increased focus recently on the need for more rapid reporting, including the Cyber Incident Reporting Act of 2021 which sets a 72-hour deadline for reporting to CISA. Any cyber IR requirements must first consider the type of event, and while speed is important and 72 hours is a good stake in the ground, we should recognize that in many cases this is not enough time to gather the forensic data an investigation will require.
To be more specific, a report generated within 72 hours may only identify/provide insights to:
- An anomalous activity or event
- An indicator that a process or behavior has been identified as anomalous
- Initial telemetry from tools/technology/process that generated the initial alert
- Initial insights from people or teams confirming the alert is a valid event and/or incident and requires deeper investigation
- Response process steps, if any, that have been taken to contain the harm
- Plans, or other pending actions, to assess the harm, investigate the impact and take appropriate eradication steps
The most effective and useful reports to CISA will be submitted with credible, objective data to help law enforcement help companies to connect the dots between identifying, evaluating and responding to anomalous activities and the threat actors that may be responsible. We can provide credible, objective data through the life cycle of the activity. This objective data could also be used to assess the security posture at the time of the event and to determine if poor cyber hygiene or other key risks, such as those associated with an organization's supply chain, could be connected with this event.
CTO at Barracuda Networks
In recent years, we’ve seen cybersecurity incidents skyrocket and affect consumers everywhere. From industries like health care, education and even public infrastructure, no one is safe. With these types of incidents affecting more people every day, I’m a firm believer that cyber incident reporting should become the norm and that government intervention is key to making this happen.
For government-related guidance, we’ve been starting to see governments taking cybersecurity very seriously and expressing desire to collaborate at the nation-state level. The actions from these collaborations are slowing down the ransomware attackers' ability to transfer their assets, which will impact the volume of attacks. If attackers deploy a ransomware attack and they’re not able to collect — even if there is the willingness to pay or negotiate — it gets to a point where there is enough fear and uncertainty to make them less likely to attack.
In terms of what type of information in cyber incident reporting should be included, we need to prioritize the following: disclosure of event date(s), number of customers affected, specific type of data taken, ransom amount paid, name of ransomware company responsible and the specific actions that the breached company is taking to better its future security practices.
With the new year quickly approaching, we need to continue to work together as a global alliance to make sure we slow down the movement of these assets. If we can effectively slow down the wealth movement, it will make a difference.
Carey O'Connor Kolaja
CEO at AU10TIX
Companies should be required to alert regulating bodies when their systems are breached. Mandating transparency in the event of a cyber attack is the right step in ensuring that when an incident occurs, companies take steps to remediate and protect highly sensitive data. Cyber incidents result in a significant damage to both companies and individuals, resulting in not just economic loss but also threatens the public safety of individuals whose personal information has been compromised.
Unless companies start sharing more information about hacking threats with government, industry peers and other organizations who may also be impacted for nefarious behavior, cyber criminals will always have the upper hand. While transparency is a good first step forward, it’s not enough. What we need to consider next is how to ensure information on threats is shared so that companies that could potentially be impacted by the same cyber criminals can fortify their systems against attack. We at AU10TIX have noticed in our consortium that the same attack vector is used on more than four companies on average. Therefore, it is necessary to create frameworks and systems to report threats but also educate individuals as to what steps to take to protect themselves and their identities and ensure resources are made available to keep citizens and businesses safe.
Kevin McAllister ( @k__mcallister) is a Research Editor at Protocol, leading the development of Braintrust. Prior to joining the team, he was a rankings data reporter at The Wall Street Journal, where he oversaw structured data projects for the Journal's strategy team.
More from Braintrust