Cybersecurity reporting mandates could make us more vulnerable, not less


On March 15, President Biden signed the Consolidated Appropriations Act, 2022, which carried the incident-reporting provisions of the Strengthening American Cybersecurity Act into law as the Cyber Incident Reporting for Critical Infrastructure Act. The law requires covered entities in the 16 sectors that make up the country’s critical infrastructure (including energy, hospitals, banks, and transportation) to report covered cyber incidents to CISA within 72 hours of reasonably believing one has occurred, and any ransomware payment within 24 hours of making it. Which incidents count as “covered” is left for CISA to define in rulemaking.

Reporting mandates have been debated for more than a decade, but the trifecta of SolarWinds, last year’s string of ransomware attacks and the Russia-Ukraine conflict gave the Administration’s new cybersecurity regime and its allies in Congress the political capital to finally force (and rush) them into law.

While the intent is to make critical infrastructure more resilient to cyberattacks, the Act is short-sighted and could have damaging consequences for private industry and government alike. The only thing it strengthens is the disincentive for companies to look hard for breaches in the first place.

The long-term implication is that it will make American cybersecurity weaker. The good news? The reporting obligations do not take effect until CISA finishes its rulemaking, which gives the agency up to two years to publish a proposed rule and a further 18 months to finalize it. Government and industry need to use that window to work together on rules that actually address the problem.

Mandatory reporting increases risk to victims

Those who call for mandatory reporting have the right intent, but if it’s not implemented in the right way, it will cause more harm than good. 

Mandatory reporting almost always exposes companies to risk, either legal or financial. Penalizing an organization for not reporting a breach in time leaves it in a worse security posture, because the penalty is a strong incentive to turn a blind eye to attacks: what you never confirm, you never have to report. And if a company does know of a breach, it will find ways to classify the event so that it falls outside the reporting definition.

The reporting timelines in the law are arbitrary and not grounded in the reality of effective incident response. The first hours and days after a breach are the most important part of the response itself, but they are chaotic, and teams are sleep-deprived. Bringing in lawyers to decide how to report, and deciding which evidence the company does and doesn’t want to “see,” only makes that work harder.

The clock will force companies to report a breach before they fully understand it themselves, which leads to confusion, bad assumptions, and inaccurate news coverage that can harm the company’s reputation and valuation.

Another issue is that there’s no offer of help from the government, except FBI Director Christopher Wray’s assertion in recent testimony that the Bureau would have a technically trained agent on a company’s doorstep within an hour.

A report issued by Senator Rob Portman (R-OH) on March 24 detailed the experiences of companies attacked by the REvil ransomware group over the past year. It cited the fact that two companies reported the attacks to the Federal Government but received “little help” with protecting their data and mitigating the damage. According to the report, these companies “indicated they did not receive advice on best practices for responding to a ransomware attack or other useful guidance from the Federal Government.”

Could mandatory reporting work?

While the Act is now law, the organization responsible for carrying it out, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), must first implement it through a rulemaking process: the statute gives CISA up to 24 months to issue a proposed rule and 18 months after that to issue the final rule that defines who must report and what counts as a covered incident.

For any reporting regime to do what is intended, it needs to be packed with protections for companies that comply, shielding them from public disclosure of the information, from lawsuits, from adverse government action and more. But protections that broad are themselves open to abuse, and companies will hide behind them to deflect blame when they really did do things wrong.

In the end, it is better not to require mandatory reporting at all, and instead to build a regime that strongly encourages companies to report by giving them concrete benefits for doing so: free assistance with incident response, and help hunting down the adversaries to recover stolen data, money, and intellectual property. Such a regime would rely on strong public-private partnerships.

In addition, a successful solution needs to include an update to current laws, such as the 36-year-old Computer Fraud and Abuse Act. The law has been amended several times over the years, most recently in 2008, but the core legal regime governing cyberattacks is about 25 years old, dating to a time when no one envisioned a world in which everyone and everything is connected.

As it stands now, the law forbids unauthorized access to computer systems and leaves active response to cyberattacks to the Federal Government. Going forward, it needs to give private companies a lawful path to respond effectively to attacks, through trained and licensed private firms working in partnership with the government and law enforcement.

We’re in a cyber war that no single country, government, or private organization can win alone. It is going to take everyone working together to solve the problem, and given everything that success requires, we are better off without mandatory reporting. Instead, we need an incentive scheme that encourages reporting by offering free incident response, recovery of lost data and intellectual property, and the support every organization needs to put nation-state-level defense into practice.

Max Kelly is founder and CEO at Redacted.

Originally appeared on: TheSpuzz