Making transparency a norm in cybersecurity
The general lack of transparency around cybersecurity continues to be one of the largest factors holding back the combined ability of the public and private sector to truly defend against the impact of cyberattacks.
Before we get into the details, let me start out by saying that the global community of enterprise cybersecurity practitioners and leaders has come a long way in a relatively short period of time. It was only a short six or so years ago that many community discussions regarding active threats and attacks would fall into one of two overall categories: general “chest thumping” or highly sanitized anecdotes with little value to the audience.
We’ve since seen the establishment of highly effective and transparent information sharing and analysis centers (ISACs) spanning many industries, and the security community has ultimately embraced the Chatham House Rule in relation to community events.
In terms of the latter, practitioners have established guardrails around the truly useful information that can be safely shared without impact to company brand or strategy; collaborators respect the fact that any information shared should only be used in support of bettering their company’s program and capabilities.
However, our progress has been much slower on other key fronts — particularly when it comes to engaging law enforcement, publicly sharing the true cause of outages caused by cyberattacks, or even transparently sharing insights on the greatest cyber risks facing an enterprise with the board and executives. Let’s dive a little deeper into some of these topics and why they matter.
Why cybersecurity transparency is a challenge
Though we continue to witness an increase in the number of attacks being reported to law enforcement, overall progress remains slow. In fact, improvements in this area have been driven almost entirely by privacy regulations introduced in recent years (e.g., GDPR, CCPA).
The combination of the requirement to disclose personal data breaches to impacted parties and the high penalty that can be incurred if failing to do so has been the single biggest contributor to the improvement. However, the vast majority of attacks disclosed to law enforcement and/or the public involve data breaches. If no customer or personal data has been determined to have been breached, the likelihood of the incident being disclosed remains very low.
Why? Because most companies and their leadership remain concerned that reporting an incident to law enforcement could lead to one of three outcomes of concern and potential business impact: the incident could become public (even if no citizens or customers experienced an outage or loss), law enforcement may slow down the ability for the company to recover operations or the need to pay ransoms to recover operations, and/or data may result in downstream penalties.
The impact
The impact associated with failing to report such attacks to law enforcement is broad. The less information shared with law enforcement regarding cyberattacks experienced by a company, the more likely it is that the bad actor will operate unopposed for years. Year over year, they are able to grow their resources through successful attacks, along with their ability to affect companies and their consumers in a material manner.
By the time the world is truly aware of the group, their capabilities are likely being aimed at large operations with an impact that’s hard not to notice. The recent Colonial Pipeline attack is the latest example of the impact that can be felt by experienced cyber criminals, even new groups are formed of highly experienced members.
Note that unopposed doesn’t necessarily mean arrested and charged with offenses, considering that many attacks are executed from abroad and often within countries where our reach is politically challenged. Rather, it means that a bad actor avoids offensive operations by US intelligence agencies, its partners, and other countries in the world focused on disrupting, dismantling and devaluing the technical capabilities of cyber criminal operations. Allowing such operations to operate unchecked continues to propagate the belief that the rewards are endless and the risks, almost non-existent.
However, the larger impact comes in the lack of awareness among industries, companies, and their senior most leaders in regard to the actual threats and types of attacks that are having a material impact on other companies considered to be their peers. One of the greatest challenges that CISOs face remains their ability to convince their leaders and peers of the need to prioritize risk mitigation efforts.
Many industries and corporate cultures look specifically to industry metrics to better understand what their peers and competitors are facing and what they’re doing in response. As this information remains so closely guarded outside of effective ISACs, the ability for this CISO to tell this story well is more often a challenge than not. This of course can have a downstream impact on the ability to prioritize such initiatives let alone fund them, growing the risk to the company as time goes on.
In an ideal world, we would share cyberattack details with entities like the FBI, who in turn share back highly effective industry-specific metrics through InfraGard, a partnership between the private sector and the FBI. Federal engagement groups like InfraGard have grown to become a highly trusted source of such information. However, their ability to share the complete picture of what our industries are truly facing every day remains constrained by the level of information that the private sector is willing to share. It’s a vicious circle that only hurts us.
Though the cybersecurity executive order will likely have the single largest impact on our ability to truly deliver on this partnership and the beneficial outcomes that we’ve just discussed. Now that companies will be forced to report cyberattacks to law enforcement, regardless of the impact to data, we should also consider our stance on reporting when cyberattacks are behind outages. It’s only when our society has a true understanding and appreciation for the actual impacts being experienced by such an expanding threat that we can all truly solve the challenge together.
Here’s to the executive order bringing forward much needed change and standards and to growing our collaborations in responding to such threats as one community.