Cybersecurity has reached a tipping point. After decades of leaving private-sector organizations to deal with cyber incidents more or less on their own, the scale and impact of cyberattacks now mean that the consequences of a single incident can ripple across societies and borders.
Governments now feel the need to “do something”, and many are considering new laws and regulations. But lawmakers have often struggled to regulate technology: they respond to political urgency, and most do not have a firm understanding of the technology they seek to control. The consequences, impacts and uncertainties for companies are often not recognized until later.
In the United States, a whole set of new regulations and enforcement actions is coming: the Federal Trade Commission, the Food and Drug Administration, the Department of Transportation, the Department of Energy, and the Cybersecurity and Infrastructure Security Agency are all working on new rules. In 2021 alone, 36 states enacted new cybersecurity laws. Globally, there are many initiatives, such as China’s and Russia’s data localization requirements, India’s CERT-In incident reporting requirements, and the EU’s GDPR with its incident reporting obligations.
Companies do not need to sit back and wait for the rules to be written and then implemented. Rather, they should be working now to understand the types of regulations being considered, determine the uncertainties and potential impacts, and prepare to act.
What we don’t know about cyber attacks
To date, most countries’ regulations that touch cybersecurity have focused on privacy rather than on security itself, so most cyberattacks do not need to be reported. If private information, such as names and credit card numbers, is stolen, it must be reported to the appropriate authority. But when Colonial Pipeline suffered a ransomware attack that led the company to shut down the pipeline supplying almost 50% of the fuel for the US East Coast, it was not required to report the attack because no personal information was stolen. (Of course, it is hard to keep such a thing secret when thousands of gas stations cannot get fuel.)
As a result, it is almost impossible to know how many cyberattacks there really are and what form they take. Some have suggested that only 25% of cybersecurity incidents are reported; others say only about 18%; others say 10% or less.
The truth is that we don’t know what we don’t know. This is a terrible situation. As management guru Peter Drucker said, “If you can’t measure it, you can’t manage it.”
What should be reported, by whom and when?
Governments have decided that this approach is unsustainable. In the United States, for example, the White House, Congress, the Securities and Exchange Commission (SEC), and many other agencies and local governments are considering, pursuing, or beginning to enforce new rules that would require businesses to report cyber incidents, especially in critical infrastructure industries such as energy, health care, communications, and financial services. Under these new rules, Colonial Pipeline would have been required to report its ransomware attack.
To some extent, these requirements were inspired by the reporting of “near misses” or “close calls” in aviation: when aircraft come dangerously close to a collision or a crash, a report must be filed so that the failures that led to the event can be identified and avoided in the future.
At first glance, a similar requirement for cybersecurity seems very reasonable. The problem is that what should count as a cybersecurity “incident” is far less clear-cut than the “near miss” of two planes coming closer than allowed. A cyber “incident” is something that could have led to a breach but need not have become one: the official definition requires only an action that “imminently endangers” a system or presents an “imminent threat” of violating a law.
This leaves companies navigating a gray area. For example, someone tries to log in to your system but is denied because the password is incorrect. Is that an “imminent threat”? What about a phishing email? Or someone scanning your systems for a well-known vulnerability, such as the log4j vulnerability? What if an attacker did get into your system but was discovered and ejected before any damage was done?
This ambiguity means companies and regulators must strike a balance. All businesses are safer when more is known about what attackers are trying to do, but that requires businesses to report significant incidents in a timely manner. For example, data collected from current incident reports shows that only 288 of the almost 200,000 known vulnerabilities in the National Vulnerability Database (NVD) are actively exploited in ransomware attacks. Knowing this allows companies to prioritize fixing those vulnerabilities first.
On the other hand, too broad a definition could mean that a typical large company would be required to report thousands of incidents per day, even if most were spam emails that were ignored or rejected. That would be an enormous burden both on the company producing the reports and on the agency that would need to process and make sense of such an avalanche.
International companies will also need to navigate differing reporting standards in the European Union, Australia, and elsewhere, including how quickly a report must be filed: six hours in India, 72 hours in the EU under GDPR, or four business days in the United States, with many further variations within each country as regulations pour in from various agencies.
What companies can do now
Make sure your procedures are up to the task.
Companies subject to SEC regulations, which include most large companies in the United States, should quickly define “materiality” (the SEC’s threshold for what must be disclosed) and review their current policies and procedures to determine how materiality is assessed in light of the new rules. They will likely need to streamline those procedures, especially if such decisions must be made frequently and quickly.
Keep ransomware policies up to date.
Regulations are also being formulated on ransomware attack notification, and there are even proposals to make paying a ransom a crime. Company policies on paying ransoms should be reviewed, along with possible changes to cyber insurance policies.
Prepare for the required “Software Bill of Materials” to better examine your digital supply chain.
Many companies were unaware that they had the log4j vulnerability on their systems because that software was bundled inside other software that was in turn bundled inside yet other software. Regulations are being proposed that would require companies to keep a detailed and up-to-date Software Bill of Materials (SBOM) so they can quickly and accurately identify all the different pieces of software embedded in their complex systems.
Although an SBOM is useful for other purposes as well, producing one may require significant changes in how software is developed and acquired in your company. Management should review the impact of those changes.
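The practical payoff of an SBOM is answering “where is log4j-core in our estate, and how deep is it buried?” in minutes. The following is an added example, not code from the original article or from any SBOM tool: it walks a constructed CycloneDX-style SBOM (the application, framework and shim names are invented, and the nesting is deliberately three levels deep to mirror the bundled-inside-bundled problem described above), lists every occurrence of log4j-core with the chain of components that pulled it in, and flags versions below 2.15.0, the first release that addressed CVE-2021-44228. The version comparison is a deliberate simplification (it ignores fixes backported to older branches), so treat its output as a triage signal, not a final verdict.

```python
import json

# Constructed CycloneDX-style SBOM for illustration; not any real product's SBOM.
# billing-portal bundles a framework, which bundles a logging shim, which bundles
# log4j-core 2.14.1. reporting-service bundles log4j-core 2.17.1 directly.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {
      "type": "application", "name": "billing-portal", "version": "3.2.0",
      "components": [
        {
          "type": "library", "name": "acme-web-framework", "version": "7.1.4",
          "components": [
            {
              "type": "library", "name": "acme-logging-shim", "version": "1.0.2",
              "components": [
                {"type": "library", "group": "org.apache.logging.log4j",
                 "name": "log4j-core", "version": "2.14.1",
                 "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}
              ]
            }
          ]
        }
      ]
    },
    {
      "type": "application", "name": "reporting-service", "version": "1.8.0",
      "components": [
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"}
      ]
    }
  ]
}
"""


def walk(components, path=()):
    """Yield (path, component) for every component, recursing into nested
    'components' lists so software bundled inside bundles is not missed."""
    for comp in components:
        here = path + (f"{comp['name']}@{comp.get('version', '?')}",)
        yield here, comp
        yield from walk(comp.get("components", []), here)


def parse_version(version):
    """Turn '2.14.1' into (2, 14, 1). Only the leading digits of each dotted
    part are used, so '2.0-beta9' becomes (2, 0)."""
    parts = []
    for part in version.split("."):
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def find_component(sbom, group, name):
    """Return every occurrence of group:name anywhere in the SBOM, together
    with the chain of bundling components that leads to it."""
    hits = []
    for path, comp in walk(sbom.get("components", [])):
        if comp.get("name") == name and comp.get("group") == group:
            hits.append({"version": comp.get("version"), "path": " -> ".join(path)})
    return hits


def is_below(version, fixed_in):
    """True if version sorts before fixed_in. Simplified numeric compare that
    ignores fixes backported to older branches (e.g. 2.12.2), so a 'flagged'
    result is a triage signal, not a final verdict."""
    return parse_version(version) < parse_version(fixed_in)


def log4j_exposure(sbom_text, fixed_in="2.15.0"):
    """Locate every log4j-core in the SBOM and flag those below fixed_in.
    Default threshold: 2.15.0, the first release addressing CVE-2021-44228."""
    sbom = json.loads(sbom_text)
    hits = find_component(sbom, "org.apache.logging.log4j", "log4j-core")
    for hit in hits:
        hit["flagged"] = is_below(hit["version"], fixed_in)
    return hits


if __name__ == "__main__":
    for hit in log4j_exposure(SBOM_JSON):
        status = "FLAGGED" if hit["flagged"] else "ok"
        print(f"{status:8} log4j-core {hit['version']}: {hit['path']}")
```

Run against the constructed SBOM, the billing-portal copy is flagged and the path shows it arrived three levels down via the framework and shim, which is exactly the information a team needs to know which vendor to ask for a fix; the reporting-service copy is reported but not flagged. Real SBOMs also carry a separate `dependencies` graph keyed by `bom-ref`; the same walk-and-record approach applies there.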
What else should you do?
Someone, or more likely a group, in your company should review these new or proposed regulations and assess their impact on your organization. These are rarely just technical details to be left to your IT or cybersecurity team: they have company-wide implications and will likely change many policies and procedures across the organization. And because most of these regulations are still malleable, your organization may want to actively influence the direction they take and how they are implemented and enforced.
Acknowledgement: This research was supported, in part, by funds from members of the Cybersecurity at MIT Sloan (CAMS) consortium.