[BreachExchange] Will new breach reporting rules make defense firms more secure?

Audrey McNeil audrey at riskbasedsecurity.com
Thu Nov 30 18:32:37 EST 2017


https://fcw.com/articles/2017/11/29/curry-schwartz-dib-disclosure.aspx?admgarea=TC_Agencies

New information security rules governing defense industrial base firms take
effect on Dec. 31. The rules require compliance with the new standard for
protecting "controlled unclassified information" from the National
Institute of Standards and Technology and set time limits on contractors
for reporting system breaches.

The Department of Defense has published guidance to facilitate
implementation, but that guidance does not overcome the larger business
dilemma the requirements may create.

The financial investment required to implement cyber controls can be
overwhelming, particularly for smaller organizations. Fortunately, the
guidance makes clear that companies have the freedom to achieve the
intended outcomes of the requirements in whatever way is most appropriate
for them. This is an important clarification because cybersecurity threats
and mitigations change quickly. Companies must be able to identify and
implement innovative and robust solutions that fit their needs, and their
budget.


Comments submitted to the DOD in response to the interim rule acknowledged
the need for better cyber hygiene in the context of contractor
relationships, but there is concern that some requirements are too
prescriptive while others are unclear.

The incident reporting rule requires that when a contractor discovers a
covered cyber incident that affects a covered contractor information system
or the covered defense information contained therein, the contractor must
first review and analyze the incident, and then must report the incident to
the DOD within 72 hours of discovery.

Reporting cyber incidents so soon after discovery may do more harm than
good. Practically speaking, 72 hours does not give contractors a lot of
time to conduct a review for evidence of compromise or an analysis of the
covered contractor information system. It is easy to imagine the chaos that
could ensue from frequent and false incident reports that are not rooted in
careful investigation and due diligence.

One could see attackers creating a slew of light and frequent attacks
purely to tie up reporting processes and to hide truly malicious events
from overworked staff – a kind of denial of service aimed at gumming up the
compliance system. We also do not want those having to make disclosure
decisions to make poor security, privacy or safety decisions simply because
of a fear of non-disclosure due to an arbitrary deadline choice.

Most U.S. jurisdictions with breach notification rules specify only that
disclosure be made in the most expedient time possible, and without
unreasonable delay. In those jurisdictions that do require notification
within a specific time frame, 45 days is most common – and almost all are
longer than 72 hours.

We think the best approach is to emphasize post-event analysis that shows
the desire and intent of those accountable for and performing any
investigation. They must do so with a sense of urgency and to earnestly
disclose as soon as the truth and scope are reasonably known and no further
damage will be done to active operations around the breach. Establishing
benchmarks and rationale for disclosure that will require greater diligence
post-event is a good idea, but timing must be reasonably flexible.

While there are different sensitivities that surround the type of
information maintained by government contractors, the same general
principle governs: Investigating a security incident can require
significant fact gathering, and if handled incorrectly, provide malicious
actors with feedback that could destroy evidence or cause further damage.

For network defenders across the defense industrial base ecosystem, meeting
this requirement means finding ways to improve real-time visibility while
also reducing investigation times for suspected or actual incidents. It
also requires that the correct first principles be identified and that
those accountable and responsible demonstrate adherence to those over
arbitrary deadlines.

Evolving cybersecurity and data protection requirements is a necessary step
towards safeguarding government systems and better management of cyber
risks resulting from contract dependencies. But with the addition of every
new requirement and corresponding control, blind spots can emerge. The very
adaptability of our adversaries and pace of change of the environment makes
permanent requirements and control landscapes counterproductive. We must be
as flexible in allowing defenders of networks and systems autonomy in
managing defensive tools and posture as the attackers frequently enjoy.