The general lack of transparency around cybersecurity remains one of the most important factors hampering the joint capacity of the public and private sectors to truly defend themselves against the impact of cyberattacks.
Before I get into the details, let me start by saying that the global community of business cybersecurity professionals and leaders has come a long way in a relatively short period of time. Just about six years ago, many community discussions about active threats and attacks would fall into one of two general categories: general “breastfeeding” or highly sanitized anecdotes of little value to the public.
Since then, we have seen the creation of highly effective and transparent Information Sharing and Analysis Centers (ISACs) spanning many industries, and the security community has broadly adopted the Chatham House Rule for community events.
As for the latter, professionals have set up guardrails around truly useful information that can be safely shared without affecting a company’s brand or strategy; collaborators respect the fact that all shared information should only be used to improve the recipient’s own program and capabilities.
However, our progress has been much slower in other key areas, especially when it comes to reporting to law enforcement, publicly sharing the true cause of disruptions caused by cyberattacks, or even sharing information with the board about the biggest cyber risks a company and its executives face. Let’s delve a little deeper into some of these topics and why they matter.
Why transparency in cybersecurity is a challenge
While we continue to see an increase in the number of attacks reported to law enforcement, overall progress remains slow. In fact, improvements in this area have been driven almost entirely by the privacy regulations introduced in recent years (e.g., GDPR, CCPA).
The combination of the requirement to disclose personal data breaches to affected parties and the high penalties that can be incurred for failing to do so has been the main contributor to the improvement. However, the vast majority of attacks reported to law enforcement and/or the public involve data breaches. If it has not been determined that any personal or customer data has been breached, the likelihood of the incident being revealed remains very low.
Why? Because most companies and their leadership remain concerned that reporting an incident to law enforcement can lead to one of three outcomes of concern and potential impact on the company: the incident could be made public (even if no citizen or customer experienced any disruption or loss), it may slow down the company’s ability to recover operations, or the need to pay ransoms to recover operations and/or data may result in sanctions.
The impact of not reporting these attacks to law enforcement is wide-ranging. The less information is shared with law enforcement about the cyberattacks a company experiences, the more likely it is that the bad actor will operate unopposed for years. Year after year, they are able to grow their resources through successful attacks, along with their ability to materially affect businesses and their consumers.
By the time the world is truly aware of the group, its capabilities are likely to be targeted at large operations with a hard-to-notice impact. The recent Colonial Pipeline attack is the latest example of the impact experienced cybercriminals can have, even when operating as a newly formed group made up of highly experienced members.
Keep in mind that unopposed does not necessarily mean avoiding arrest and criminal charges, given that many attacks are carried out from abroad and often from within countries where our reach is politically challenged. Rather, it means that a bad actor avoids offensive operations by U.S. intelligence agencies, their partners, and other countries around the world focused on disrupting, dismantling, and devaluing the technical capabilities of cybercrime operations. Allowing these operations to run unchecked continues to spread the belief that the rewards are endless and the risks almost non-existent.
However, the greatest impact is due to the lack of awareness among industries, companies and their most important leaders about the real threats and types of attacks that are having a material impact on other companies they consider their peers. One of the biggest challenges facing CISOs remains their ability to convince their leaders and peers of the need to prioritize risk mitigation efforts.
Many industries and corporate cultures rely on industry metrics to better understand what their peers and competitors face and what they do in response. Because this information is kept so closely guarded outside of effective ISACs, a CISO’s ability to tell this story well is more than a challenge. This, of course, has a knock-on effect on the ability to prioritize these initiatives, let alone fund them, increasing the risk to the company as time goes on.
In an ideal world, we would share the details of the cyberattack with entities like the FBI, which in turn share highly effective industry-specific metrics through InfraGard, a private-sector partnership with the FBI. Federal engagement groups like InfraGard have grown to become a trusted source of information. However, their ability to share the full picture of what our industries really face each day remains limited by the level of information the private sector is willing to share. It’s a vicious circle that only hurts us.
The cybersecurity executive order will likely have the greatest impact on our ability to truly fulfill that partnership and realize the beneficial outcomes just discussed. Now that companies will be forced to report cyberattacks to law enforcement regardless of the impact on data, we should also reconsider our stance on reporting when cyberattacks are behind disruptions. Only when our society has a true understanding and appreciation of the real effects of such an expansive threat will we be able to solve the challenge together.
This executive order introduces much-needed changes and standards and helps grow our collaboration to respond to threats as a community.