I am close to
wrapping up the manuscript for my 16th book, which is about the Data
Privacy Laws, and how to come into compliance with them. In this piece, I focus on three key pieces of
Legislation: The GDPR, CCPA, and the
CMMC. Of course, I could not cover each
and every page of these Legislations, so I just wrote about the major tenets
and provisions that exist from within them.
I have even included a separate chapter that provides a brief framework
as to how businesses can come into compliance with these Data Privacy Laws.
So, by coincidence,
I came across an article this morning that describes the compliance efforts that
Solar Winds took to help remediate and inform their key stakeholders as to the
security breach that had occurred (this is more formally known as a “Supply Chain
Attack”). The author of this article
points out the flaws and the inconsistencies which took place in this reporting
process.
For example,
on 10/30/23, the SEC filed a legal complaint against Solar Winds. The actual text of this complaint can be seen
at the link below:
http://cyberresources.solutions/blogs/Solar_Winds.pdf
Basically, the
legal document that was filed accused Solar Winds of "misstatements,
omissions, and schemes that concealed both the Company's poor cybersecurity
practices and its heightened — and increasing — cybersecurity risks.”
But as this legal
document came out, and made its way into the public, the criticism of the SEC
started to pour in. For example:
Ø
The
SEC was too slow in addressing anything.
Ø
The
legal document is just a “slap on the wrist” and does to prevent future attacks
like this from happening.
Ø
The
CISO took all the blame.
Ø
Any
future hiring of CISOs will now be carefully monitored as a result.
Of course,
there are other many complaints as well, but these are some of the major ones I
found in the article. But, it is
interesting to point out here that the Cybersecurity troubles actually started
for Solar Winds way b. in 2018, when it
made its filing for an IPO. In its statements
that were made, the SEC accused Solar Winds of simply making “boiler plate”
assumptions about the particular level of Cyber Risk. In other words, they offered no evidence to
back up the statements that they had made, such as providing results into any
Risk Assessment Study that they may have conducted of their digital and
physical assets.
But as time
went on, and as the weaknesses and gaps became more prevalent and known to the key
stakeholders, none of the upper brass took any initiative to disclose them
actually fully. Here is what the SEC even said about this situation:
“Even if some
of the individual risks and incidents discussed in this Complaint did not rise
to the level of requiring disclosure on their own … collectively they created
such an increased risk …" that SolarWinds' disclosures became "materially
misleading."
But even despite
these stark statements made by the Federal Government, the gaps and weaknesses only
got worse. And so from here, the story
goes, nothing was done to remediate these holes, and as a result of it, some
1,000+ victims were impacted, ranging from the private sector and to the public
sector as well. Some of them included the
smallest of the Mom-and-Pop Shops to the largest of the large, such as
Microsoft, and various Agencies within the Federal Government.
My Thoughts On This:
So now, the big question is how do we go from here, to make sure that this is prevented. Although I am by no means a compliance or Data Privacy expert, here are my thoughts, based upon my knowledge in my years of Cybersecurity:
Ø *Stop the blame game. Don’t’ simply make the CISO the first target to shoot at. Everybody is responsible to some degree or another if a security breach does indeed happen to a business. The first thing that should be top of mind is restoring as quickly as possible business operations as quickly as possible. Then conduct a detailed forensics examination, to see what exactly happened. Then point the fingers at who is to really blame.
Ø *It
should be Federal Law that companies, no matte how large or small they are,
must report any security breach to key stakeholders, law enforcement, and the
regulatory bodies within hours, and not wait for four days, which is the
current allowance.
Ø *It
is a fact that Solar Winds depended a lot upon other vendors to carry out their
work. This is why this particular hack
was called a “Supply Chain” one, because of all of the parties involved. In my opinion, it should be a Federal Law
that businesses have to show complete documentation as to how they have vetted
and hired a Third-Party Supplier in this regard.
Ø *The
finger pointing must stop here and now.
Of course, this would only happen in a perfect world, not the real world
in which we live today. As a country and
as a society, we need to be much more proactive and not reactive like
we are today. But, this only
comes from leading by example. In other
words, if an employee is required to maintain a strong level of Cyber
Hygiene, so should the C-Suite and even the Board of Directors, for that matter.
Ø *Just
like the Department of Homeland Security (DHS) was created right after 9/11, the
same needs to be said for a Department of Cybersecurity. At the present time, the states are running
rampant with creating their own Data Privacy Laws, which can vary greatly. Therefore, we need some sort of central body
at the level of the Federal Government that can create common Data Privacy
Laws, as a well as a set of Best Practices and Standards so that everybody can have
an equal playing field, so there is no more ambiguity.
Ø *The sharing of intelligence and other types of data and information must be greatly increased, and this can only happen with a centralized body overseeing all of this.
If I*If a Department of Cybersecurity were to be actually created, then all of the regulatory bodies and agencies must reside here. By having them spread out across different arms of the Federal Government makes it much worse when trying to instill a degree of accountability.
SoSo, here are my thoughts on this matter. More to come in the future.
No comments:
Post a Comment