Matt Georgy is the CTO at [redacted], the mission-driven cloud security company that levels the playing field against attackers.
In the wake of confusion over cyber incidents such as the Colonial Pipeline ransomware attack, Congress is taking up the issue of mandating requirements for cybersecurity incident reporting. This is happening just as the Cybersecurity and Infrastructure Security Agency (CISA) and its new director, Jen Easterly, are looking to build trust with the industry on the critical issue of cooperatively sharing attack information.
Reporting incidents and sharing information is fundamental to mitigating attacks and keeping them from spreading, but Congress and the White House need to be sure that they don’t undercut the real purpose of public-private collaboration with overly draconian rules that ultimately could erode that trust. They also need to establish a clear chain of command when it comes to reporting incidents and coordinating responses.
The Downsides Of Mandatory Reporting
The bills before Congress propose a mix of requirements for reporting cyber incidents, including whether organizations must report an attack within 24 or 72 hours (the latter time frame favored by industry). Significantly, Sen. Mark Warner, D-Va., who introduced one of the proposed bills in the Senate, has said that failure to report should carry penalties — unlike legislation included in the Defense Authorization Act that the House passed, which Warner called “toothless.”
The arguments over reporting requirements and penalties are ongoing. Some see mandatory reporting as essential to mitigating attacks on a nationwide basis; others see mandatory reporting and penalties as revictimizing the targets of an attack. However, from an overall perspective of building trust and collaboration in a unified cybersecurity effort, I believe legislation should strongly encourage reporting but stop short of mandating it. Any entity seeking help from the government does have a responsibility to report attacks, but making it a requirement could eventually hinder cooperation.
Establishing strict rules that major corporations could handle may also place an undue burden on small and mid-sized organizations — such as regional banks, smaller hospitals or private firms — that can’t afford to spend 20% or 30% of their profits on the security necessary to meet the requirements.
An important element that the current proposed legislation doesn’t address is establishing a single agency for reporting incidents. Clearly, it should be CISA and nobody else, which would help avoid the confusion that plagued the initial responses to the Colonial Pipeline attack — the largest attack yet on U.S. critical infrastructure and deemed a threat to national security. Having a single point of contact would simplify reporting and be one step toward establishing a collaborative environment.
How CISA Can Build Bridges
Attempts at sharing cybersecurity information between the government and industry have often been disjointed, with threat advisories that lacked context. Private companies were left in a precarious position, forced to endure increasingly sophisticated attacks with little to no advance warning and no real consensus on how they could respond. Before CISA was established in late 2018, many companies held the attitude that cybersecurity information from the government was not to be trusted because it was often outdated or useless in practice.
CISA was created to address that gap in trust, and while it has taken steps in the right direction, many of the old problems persist.
The Senate’s confirmation of Easterly to head CISA presents a solid opportunity for CISA to deliver on a long-promised goal of providing a single point of collaboration. The asymmetric nature of cyber warfare combined with industry’s tight-knit role in the country’s operations and the severity of the threat (as witnessed in recent high-profile attacks) make this a priority.
CISA doesn’t have the workforce or the funding to handle the job by itself. It needs to engage more with the vast resources of private-sector companies to augment its own capabilities. The private sector also needs access to better, more timely threat information as well as the authorization to take a bigger role in its own defense.
Building a collaborative, unified defense is a two-way street, however, and there are steps that both CISA and the private sector can now take toward reaching that goal.
What CISA, Industry Can Do
In order to lead enterprises toward a collective defense, CISA can try to close the gaps that exist between government and industry. One effective step would be to establish standards and norms between enterprises, industry groups and CISA. These norms would allow government notification and collaboration on leads generated by victims while not appearing to be a “black hole.”
Guidance on responding to attacks also would be helpful: for example, on how industry can disrupt an attacker's operations and help victims secure their systems without launching a counteroffensive against the attacker. That level of response is appropriate for industry while avoiding the potentially murky legal waters of hacking back.
The private sector, for its part, needs to appreciate the complexity of CISA’s position as a federal agency focused on protecting its citizens while not disclosing sensitive sources. The question of “intelligence gain/loss” is one of the most difficult decisions a federal cybersecurity leader will make because disclosure of this information can put the sources and methods used to collect the intelligence at risk. Industry should appreciate the gravity of CISA’s responsibility and give the agency time to establish standard operating procedures and build on the excellent advisories published to date.
As governments continue to grapple with the asymmetric nature of cyber warfare, private entities will increasingly be forced onto the “front lines,” whether it’s part of the nation’s defensive posture or not. We’re in a cyber war that no single country, government or private organization can win alone. It’s going to take everyone working together to actually solve the problem.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.