[BreachExchange] Stopping Data Breaches Will Require Help from Governments
Destry Winant
destry at riskbasedsecurity.com
Mon Dec 17 09:02:37 EST 2018
https://hbr.org/2018/12/stopping-data-breaches-will-require-help-from-governments

Not a month goes by without a major corporation suffering a cyber
attack. Often state-sponsored, these breaches are insidious,
difficult to detect, and may implicate personal information relating
to millions of individuals. Clearly, the current approaches to
safeguarding sensitive data are insufficient. We need to reorient
expectations for the role of the private sector in cybersecurity. As
the risk of cyberattacks has become better appreciated, we see an
increasingly punitive focus on holding corporate America solely
responsible.

Multiple, overlapping laws at the national and state level require
companies to have “reasonable” security, a concept that is largely
undefined and elusive, especially given that threats and available
defensive measures constantly evolve. And regulatory enforcement
actions and lawsuits in the wake of cyberattacks declare any exploited
security vulnerability to be de facto “unreasonable,” without a
meaningful assessment of the company’s overall security program or
acknowledgement that the company has been the victim of a crime.

This approach is premised on an unreasonable expectation that every
company in the United States has the resources and capability to
defend itself against even the most sophisticated cyber actor. We
should move away from laws that focus on finding companies at fault,
rather than as victims of criminal cyber activity. This framework is
neither fair nor effective in improving our collective cybersecurity.

In our experience, despite increasing security spend, most companies
face significant obstacles to successfully managing cyber risk.
Although some industry security standards have emerged, they are
vague, and available security solutions are seldom turnkey. Rather,
effective security requires application of significant judgment in the
context of unique and complex corporate network architectures, as well
as the ability to adapt as security solutions and threats evolve.
Unfortunately, the talent pool with the requisite cyber experience and
knowledge is limited. It is simply not possible, at present, for
every company in America to have sufficient internal cyber expertise
to manage the risk.

The challenge is compounded by the resources and sophistication that
state and criminal cyber attackers can bring to bear. In no other
arena do we expect every business to defend itself from foreign
intelligence and military agencies or sophisticated criminal threats.
Although there has been a significant focus on sharing threat
information, both within the private sector and between the government
and the private sector, such sharing remains incomplete at best,
particularly when it comes to the techniques, tactics, and procedures
that particular actors are employing. As a result, companies often
lack sufficient knowledge of the specific threats they face so they
can best defend themselves.

Given these and other factors, companies that suffer cyberattacks are,
and should be treated primarily as, victims. When a bank suffers a
physical robbery, we do not think of blaming and shaming it – even
though there is almost always some additional precaution the bank
could have taken that might have helped prevent the attack (such as a
police officer stationed at every teller window or limiting customer
access to tellers). While banks are expected to implement some
security measures, there is no expectation that those measures will
prevent criminal attacks entirely, and banks are not vilified if they
did not have every available precaution in place that might have
prevented them. Yet in the cyber context, a company that suffers a
breach faces a substantial risk of multiple regulatory investigations
and class action lawsuits, all focused on assigning blame to the
organization for having inadequate security measures to defeat the
criminal attack perpetrated by others – no matter the strength of the
company’s overall security program or the amount of the investment it
has made in security.

That perspective is not only unfair, but counterproductive. Instead
of focusing on remediating the incident, restoring operations,
improving security going forward, and mitigating potential harms, a
company in the midst of a cyber breach also needs to worry about the
record that is being created – what is being written down, whether
lawyers are sufficiently involved in the forensic investigation, and
other considerations bearing only on protecting against liability.
Moreover, the fear of potential downstream liability constrains what
information a company is willing to share – it may not disclose the
incident at all, let alone how and why the intruder was able to evade
existing security measures, depriving the broader community of the
opportunity to learn lessons from the incident, as happens in aviation
and other industries.

Although the Cybersecurity Act of 2015 provided some protections, they
are narrow and have not resulted in a material increase in information
sharing. As a result, our collective cybersecurity is diminished: we
do not harness the enhanced security or efficiencies that a more
collaborative approach to threat intelligence and defense would yield.

We need to reorient our cybersecurity focus. We should place less
burden on individual companies by focusing more on systemic ways to
address cyber threats. In part, that approach would require the
federal government to take a more active role in cyber defense. The
government has a number of comparative advantages over the private
sector, such as the ability to collect and exploit intelligence and to
coordinate internationally with other governments and law enforcement
agencies. The government should do more to give the private sector
the benefit of these advantages.

For example, the government should devote more resources to collecting
intelligence about potential cyber-attacks against private entities,
particularly from nation-state actors, and then take steps to help
prevent them — not merely notify companies believed to be at risk and
then leave them alone, with imperfect and incomplete information, to
investigate and respond. As the Department of Homeland Security
takes on greater responsibilities for identifying and minimizing
cybersecurity risks to the U.S. economy, it should issue pragmatic,
cost-effective operational guidance to companies on how to defend
against evolving risks.

We also need to focus more on incentivizing security improvements at
points in the cyber ecosystem that can have a scale effect and protect
large groups of users and companies, rather than leaving each one on
its own. We are collectively better off the more that software
providers can use secure coding practices and thereby prevent a
vulnerability – rather than requiring every user to install a patch
somewhere down the line. We will also be better served if more
Internet service providers mitigate the effects of a botnet by
filtering traffic to limit IP-spoofing – rather than requiring every
target to fend off a denial of service attack.

Legal and policy reforms are likely needed to achieve these goals and
encourage companies to collaborate with the government on these
initiatives. Such collaboration is unlikely unless the law provides
greater confidentiality and liability protections than those presently
available for companies that take actions to aid our collective cyber
defense. But with the right protections, companies may be more
willing to join forces with the government in this way and others to
reduce cyber risk.

While we are not challenging that it makes sense to impose some
cybersecurity obligations on individual companies, those obligations
should be reasonable and clear. Companies that meet a defined set of
risk-based requirements, which could be developed through a
collaborative, multi-stakeholder process, should have a safe harbor
from liability – recognizing that they are victims, not perpetrators,
of malicious cyber activity.