Saturday, December 18, 2021

What Will It Take For Congress To Understand The Real World Of Cybersecurity Law

 


Just a few weeks ago, I wrote a blog on how the Federal Government is trying to come down hard on businesses, both private and public, for not disclosing Cybersecurity breaches as soon as they are impacted.  Probably the first well-known piece of law in this area is the Executive Order signed by President Biden earlier this year.

Ever since then, different members of the US Congress have tried to draft their own bills to make things even harsher.

For example, under new US banking regulations, any bank hit by a security breach must report it within 36 hours to regulators and the relevant law enforcement agencies.  Senator Mark Warner (D-VA) has also introduced a new bill entitled the “Cyber Incident Notification Act”, which requires businesses to report any Cyber attacks within a 24-hour period; if they do not, they face penalties of up to 0.5% of revenue per day until the attack is actually reported.

Under the bill introduced by Senator Elizabeth Warren (D-MA), called the “Ransomware Disclosure Act”, any impacted business would have to report any Ransomware payment made within a 48-hour timespan.

But now the question is starting to hit lawmakers:  OK, it’s great to have all of these greatly tightened requirements, but in the real world, is it even possible to enforce them, given how complex Cybersecurity has actually become?

A lot of this is due to the labor shortage.  Simply put, many IT Security teams just don’t have the manpower to report all of these incidents within the prescribed time period.  Their efforts go, of course, toward mitigating what has hit them and restoring mission-critical business operations as quickly as possible.

Many Cybersecurity experts feel that the politicians who craft these policies simply have not lived in the real world.  Their view is that they can sit in their ivory towers threatening Corporate America, but what do they know about fighting off Cybersecurity attacks? 

Also, many organizations even here in the US are feeling the brunt of both the CCPA and the GDPR, and are trying to deal with coming into compliance with those laws before they get faced with an audit.

There has to be, of course, some middle ground here, so what can be done?  Here are some ideas I have come across as I peruse the Cyber news headlines every day:

1) What if a Ransomware payment is made?

In the past I have written, and I still believe today, that a Ransomware payment should never be made.  But now the Federal Government wants to punish the innocent victims that have actually made a payment.  For example, the Department of Justice is trying to make the point that if such a payment were to be made, that company would be held liable for acts of treason against the United States.  Although we need to know the specific circumstances under which a Ransomware payment is made, it could very well be the case that the business really had to make the payment in order to get things moving again.  Take for example a hospital.  Suppose it has been hit with Ransomware; its first thought is going to be to get things up and running again, for the lives of its patients.  So if that means making a payment, then it will probably do so.  Why let patients suffer because of some government legislation?  So this issue needs to be seriously looked at.  I really don’t think it’s fair to put blanket legislation across all businesses.  It needs to be reviewed on a case-by-case basis.

2) How much information and data should actually be released?

Just as much as businesses are subject to scrutiny as to how much confidential information and data they are allowed to give out, the same holds true for the Federal Government.  In other words, how much should it ask for from the business that has been the victim of the Cyberattack?  If too much is given away, is that going to harm the business in any way?  Will it be more subject to scrutiny and audits if too much is given out?  Again, this will vary with each individual business, as Ransomware attacks vary.  In this regard, you simply cannot apply a one-size-fits-all sort of policy.  Also, to what degree will this information and data be kept private, and out of the eyes of the prying public?  Can we actually trust government officials to keep things sealed, so that the disclosure does not further damage a business’s good and honest reputation?

3) The reporting timeframe:

As stated earlier in this blog, there is pressure on most businesses to report any security breaches within a 36-hour time span.  But again, how realistic is this?  When a business is first hit, its immediate attention is on trying to recover as quickly as possible.  That in itself can take three days or even longer.  Although reporting the breach is obviously a priority, it is not an immediate one for most businesses, as they have much more to lose in the end.  Also, any investigation will obviously take a lot longer, so what is the timeframe for reporting its findings?  It can’t be done within the 36-hour time period, of course.

My Thoughts On This

I am all for businesses reporting their security breaches to regulators within a timely period.  Not these crazy deadlines of just one day.  But what defines timely?  Again, this is a gray area.  I think maybe within one week would be fair? 

I mean that should give a business enough time to restore mission critical operations, and yet, still take the time to report it to regulators.  Also, the punishment cannot be the same for all businesses either.

For instance, what if a subsequent audit shows that an impacted business had put in all of the necessary safeguards, but still got hit?  Are you going to invoke the same kind of financial penalties as you would for, say, a Fortune 500 company that has been impacted many times over, with no lessons learned?  Probably not.

Another problem here is the sheer conflict among all of the data privacy laws that are going to be coming out from the individual states.  How should a security breach be reported if a business is hit in one state, and not the others?  In the end, we all have a part in this.  Yes, there needs to be legislative oversight of all of this.

But the lawmakers in Congress have to know what is realistic, and businesses have their role too.  For example, perhaps a dedicated resource should be hired for the very purpose of reporting security breaches and dealing with regulators.
