Cyber Proposals Should Reject Impractical Obligations and Victim Shaming
There is a growing clamor in Congress and the Executive Branch to do something after the Colonial Pipeline incident and other high-profile cyber-attacks. Rushing to impose broad new obligations is perilous. Policymakers should not be in a hurry to create sweeping new reporting obligations that may do more harm than good.
Our cyber team helps clients handle tough incidents, working with varied parts of the U.S. government on readiness, reaction, reporting, and recovery. We have long encouraged cooperation with the Department of Homeland Security (DHS) and the FBI, and have been heartened to see the stand up of Cybersecurity Information Sharing Act (CISA) and a redoubled commitment to partnership in vital work against shared adversaries. However, recent cyber incident reporting initiatives seem to focus more on creating unneeded assessments of the victim company’s security posture than on gathering intelligence about threat actors that could help the government take action to protect U.S. citizens, businesses, and infrastructure.
First, what is being considered? Across government, several initiatives aim to create substantial and disruptive reporting obligations, often focused on the victim company’s cyber posture and response. Some proposals require working with agencies beyond the FBI, which is the lead law enforcement agency investigating threat actors. For example, members of Congress were disappointed that Colonial Pipeline worked with the FBI but did not loop in DHS, and past recommendations from the Cyberspace Solarium Commission emphasized the desirability of the government having access to more information about incidents through mandatory reporting to DHS.
After Colonial Pipeline, parts of the energy sector were targeted with a cyber directive from Transportation Security Administration (TSA) and CISA, within DHS. That directive mandates, among other things, rapid self-assessments by covered companies against 2018 guidelines, and cyber incident reporting within 12 hours. A proposal by Senators Warner, Rubio, and Collins would mandate detailed reporting within 24 hours. What few say publicly is that many incident reporting obligations are impractical and can be counterproductive. In the energy sector, companies in the midst of a cyber incident (or “potential” incident…more on that later) will be expected to complete a 40+ page questionnaire that asks dozens of questions whose answers are likely unknowable at the time of the required report, and that will distract operators (and their lawyers) from incident management, and require the disclosure of sensitive, evolving, and privileged information.
What is wrong with recent moves to mandatory reporting? In a nutshell, a lot. Based on proposals circulating, there are several things to be wary of. The central concern is that these proposals will provide relatively minimal impact on cyber-attacks while putting added burdens on victim companies. Current proposals seem to ignore bipartisan 2015 information-sharing legislation and bypass opportunities to improve existing information sharing models.
Timelines can be very unrealistic. Cyber incidents develop and unfold in unpredictable ways, as companies look to verify intrusions, evaluate possible data loss, analyze data and logs, consider their legal and contractual obligations, and work with law enforcement or other partners. In many incidents, 24 hours is not enough time to reliably report facts about an incident to the government. The Department of Defense’s cybersecurity reporting obligation is 72 hours and that is challenging, often resulting in preliminary information being shared in order to check the box on compliance. Premature information may lead the government astray and, given the fluidity of cyber investigations, updates may be frequent, onerous, or require revisions to earlier estimates. The need to meet early requirements and provide updates may slow down incident evaluation and response. Chief information security officers (CISO) and incident response teams should be focused in the short term on containment and returning to normal operations—not on attribution and certainly not on providing a root cause analysis to the government.
Unclear thresholds and triggers for reporting will result in over reporting. If proposals do not differentiate based on incident severity, then they risk creating a deluge of notices about minor issues. Indeed, mandating reports of “potential” incidents is folly. A “potential” incident could include anything from phishing attempts to network probes to alerts of internal policy violations related to exceeding account privileges. Reporting these potential incidents will greatly increase the noise of false or unimportant alerts but will make it harder to find the signal of real threat actor activity.
Some proposed reporting obligations may key off of the involvement of a nation-state or transnational organized crime group. While it is sometimes possible to be confident in the nature or source of an attack, attribution—especially in the early days of an attack—is often difficult and an inefficient use of resources. One proposal requires reporting when there is “demonstrable harm” to the economy and other interests, but what standards will guide companies and their lawyers in making such determinations? More rules from federal agencies can attempt to clarify but will also add complexity. Ultimately, unclear reporting triggers based on the identity of the attacker or the impact from the incident likely are impractical and may lead many companies to over report.
The type of information required may not be helpful. To have a meaningful impact on preventing future cyber-attacks, reasonable incident reporting should be laser-focused on information that will help government identify bad actors and take action. This means that indicators of compromise, malware signatures, IP addresses may be in play, but information that goes to the victim company’s cybersecurity posture, internal operations, and incident management should be out of scope.
Unfortunately, many proposals prescribe elements of a required report that have little to do with actionable threat intelligence. In the case of the TSA/CISA Pipeline Directive, covered entities are required to provide indicators of compromise to the government, like suspect IP addresses and malware used. The government also requires disclosure of an array of sensitive and likely privileged information, including descriptions of the victim’s network, how the intrusion was detected, ongoing mitigation and eradication activities, and estimated publicity from the event. This type of information is less helpful if the goal is to track down the attackers and prevent future incidents. This type of data might assist DHS in helping a victim company—but victim companies already can and do reach out to DHS when assistance is needed and appropriate. There does not appear to be a justification for victim companies to be forced to provide this sensitive data to DHS. If the government is concerned about being caught unawares in a repeat of the high-profile Colonial Pipeline attack, a far narrower reporting regime for severe incidents could accomplish its goals with far less burden to the private sector.
Policymakers do not appear to have explored the track record of mandatory reporting. Mandatory reporting exists in several sectors, states, and agencies (usually for data breaches but also intrusions for some contractors). It does not appear that policymakers have considered whether such mandatory reporting has generated actionable intelligence, or enabled us to defend forward overseas. Several seem to just point to Colonial Pipeline and JBS as evidence that the system is “broken” and move to mandatory incident reporting. Policymakers may want to look at the nature of the information reported under those laws and the use of that information by government for lessons learned.
It is not clear what the government will do with information reported, or that it has the resources or staff to handle a wave of reports. Infosec folks like to say that “information sharing” is the “thoughts and prayers” of cybersecurity. This is because, despite the passage of legislation in 2015 to encourage collaboration with DHS by protecting voluntary sharing of cybersecurity threat indicators (CTIs), information sharing didn’t appear to catch fire. There are likely several reasons for that. It is partially because of the government’s focus on the details of its “Automated Indicator Sharing (AIS)” portal, but it is also because the government has not done as good job as it could in sharing actionable cybersecurity and supply chain information out to the private sector. Given that, it is far from clear that increasing the volume and type of information in the hands of the government will lead to improved defenses and resilience across the private sector, or deterrence of our cyber adversaries.
The new reporting obligations are in addition to—not in place of—existing systems and obligations. The FBI already ingests lots of information about cyber threats and has dramatically increased its attention to ransomware and other cyber-attacks. The intelligence community does its own collection and surveillance. New reporting obligations will multiply the burdens already faced by organizations that have to consider reporting obligations to multiple federal agencies as well as increasing state regulators (like the New York Department of Financial Services, which requires covered companies to tell it when they report a breach to another regulator). A new reporting mandate risks creating information silos and reducing information reported to the FBI.
Monetary penalties will distort incentives. Some proposals may contain punitive measures for failure to report or perhaps for mistakes or omissions in reports. This would fundamentally subvert the longstanding public-private partnership that has been the hallmark of the private sector’s collaborative relationship with DHS. Also, the threat of fines can distort organizations’ decision making. Reports will be heavily caveated and require careful legal review for accuracy and privilege protection. This will increase burdens and may reduce the utility of information provided to the government.
In sum, the United States should not rush into broad, new incident reporting obligations. Any mandatory reporting should be carefully calibrated to specific desired outcomes, be reasonable in burden and timing, preserve confidentiality and collaboration with the government, and expressly disavow victim-shaming. Before mandating reporting, policy makers should have a clear vision of what they hope to achieve, a rationale for how disclosing data to the government will prevent future attacks, and more robust protections for victim companies.