Just a few weeks ago, I wrote a blog post on how the Federal Government is trying to come down hard on businesses, both private and public, that fail to disclose cybersecurity breaches when they are hit. Probably the first well-known step in this direction was the Executive Order signed by President Biden earlier this year.
Since then, various members of the US Congress have drafted their own bills to make the requirements even stricter.
For example, under new US banking regulations, any bank hit by a security breach must report it within 36 hours to its regulators and the relevant law enforcement agencies. Senator Mark Warner (D-VA) has also introduced a bill entitled the “Cyber Incident Notification Act”, which would require businesses to report any cyberattack within 24 hours or face penalties of up to 0.5% of revenue per day until the attack is actually reported.
Under the “Ransomware Disclosure Act”, introduced by Senator Elizabeth Warren (D-MA), any impacted business would have to report any ransomware payment it makes within 48 hours.
But now a question is starting to hit lawmakers: it is great to have all of these tightened requirements, but in the real world, is it even possible to enforce them, given how complex cybersecurity has become?
A lot of this comes down to the labor shortage. Simply put, many IT security teams just don’t have the manpower to report all of these incidents within the prescribed time period. Their effort goes, of course, into mitigating what has hit them and restoring mission-critical business operations as quickly as possible.
Many cybersecurity experts feel that the politicians who craft these policies simply have not lived in the real world. Their view is that lawmakers can sit in their ivory towers threatening Corporate America, but what do they know about fighting off cyberattacks?
Also, many organizations, even here in the US, are feeling the brunt of both the CCPA and the GDPR and are still trying to come into compliance with those laws before they are faced with an audit.
There has to be some middle ground here, so what can be done? Here are some ideas I have come across as I peruse the cyber news headlines every day:
1) What if a ransomware payment is made?
In the past I have written, and I still believe this today, that a ransomware payment should never be made. But now the Federal Government wants to punish the very victims that have made a payment. For example, the Department of Justice is trying to make the point that if such a payment were made, the company would be held to have committed acts of treason against the United States. Although we need to know the specific circumstances under which a ransomware payment is made, it could very well be the case that the business really had to pay in order to get things moving again. Take a hospital, for example. Suppose it has been hit with ransomware; its first thought is going to be getting systems up and running again, for the lives of its patients. If that means making a payment, it will probably do so. Why let patients suffer because of government legislation? So this issue needs to be looked at seriously. I really don’t think it’s fair to put blanket legislation across all businesses. It needs to be reviewed on a case-by-case basis.
2) How much information and data should actually be released?
Just as businesses are scrutinized over how much confidential information and data they are allowed to give out, the same should hold true for the Federal Government. In other words, how much should it ask for from a business that has been the victim of a cyberattack? If too much is given away, will that harm the business in any way? Will it be more subject to scrutiny and audits if too much is disclosed? Again, this will vary with each individual business, as ransomware attacks vary. In this regard, you simply cannot apply a one-size-fits-all policy. Also, to what degree will this information and data be kept private and out of the eyes of the prying public? Can we actually trust government officials to keep things sealed, so that disclosure does not further damage a business’s good and honest reputation?
3) The reporting timeframe:
As stated earlier in this blog post, there is pressure on most businesses to report any security breach within a 36-hour time span. But again, how realistic is this? When a business is first hit, its immediate attention is on recovering as quickly as possible. That in itself can take three days or even longer. Reporting is obviously a priority, but it is not an immediate one for most businesses, as they have much more to lose in the end. Also, any investigation will obviously take a lot longer, so what is the timeframe for reporting its findings? That certainly can’t be done within the 36-hour period.
My Thoughts On This
I am all for businesses reporting their security breaches to regulators within a timely period, not these crazy deadlines of just one day. But what defines timely? Again, this is a gray area. I think maybe within one week would be fair.
That should give a business enough time to restore mission-critical operations and still take the time to report to regulators. Also, the punishment cannot be the same for all businesses either.
For instance, what if a subsequent audit shows that an impacted business had put in all of the necessary safeguards but still got hit? Are you going to invoke the same kind of financial penalties as you would against, say, a Fortune 500 company that has been hit many times over with no lessons learned? Probably not.
Another problem here is the sheer conflict among all of the data privacy laws that are going to be coming out of the individual states. How should a security breach be reported if a business is hit in one state and not the others? In the end, we all have a part in this. Yes, there needs to be legislative oversight of all of this.
But the lawmakers in Congress have to know what is realistic, and businesses have their role too. For example, perhaps a dedicated resource should be hired for the very purpose of reporting security breaches and dealing with regulators.