There has been much made about Obama’s proposal for cybersecurity reform, which includes criminal penalties which may do more harm than good, questions surrounding liability protection, and concerns that the government is simply looking to grow its spy network by having corporations share their data with them. Another issue that has generated much debate is that of the 30-day requirement for breach notifications to consumers.
Since incident response is generally an after-thought to most companies and not well understood, the level of concern that this time frame has generated is understandable. In contrast, I believe the 30-day window, while a step in the right direction, will drive the wrong behaviors.
Guest article by Sean Mason, Vice President of Incident Response for Resolution1 Security
Let us consider the fundamental premise of breach notification: a company has detected a breach. This would generally assume some underlying investment in technology and staff to discover the breach – but not every company has invested in the people and processes to be able to make this distinction. The large majority of incidents continue to be reported by an external entity, such as the FBI, NSA or similar government agency. I recall a dialogue with a CIO that ended with “Should we just turn off our SIEM so we avoid knowing what the issues are, thus, we won’t be held responsible or negligible?” The bottom line is, what good is a breach notification window if you don’t discover any breaches?
What Obama’s proposed legislation should address is the rapid detection and response of cyber intrusions on networks. I would propose three alternatives:
- Require full disclosure of all incidents to the SEC.
The general reality is that businesses do not disclose attacks, or even disclose what was taken in the case of intellectual property theft. We do see the occasional SEC filing, but in general there is little enforcing and incentivizing for companies to do so. A change in direction may actually encourage the correct behaviors of investing in rapid detection and response. Network defenders can detect a breach is happening, can quickly move to contain the issue and perhaps even prevent a larger scale data breach. By mandating public disclosure, businesses would be more inclined to invest appropriately to add advanced capabilities to detect and respond quickly, thus mitigating the need to disclose to the SEC.
- Impose penalties on companies that do not detect and respond to breaches within a certain timeframe.
While I think the breach notification window is arbitrary at best, what is more concerning is that it focuses on a symptom, not the bigger issue. There needs to be a radical shift in how incidents are discovered, and a move towards shifting the discovery of incidents directly to the company, as opposed to notifications from external parties.
Detecting an incident in its infancy enables a faster time to resolution, as the attackers will not have time to “setup shop” amongst a number of target machines. Responding to an incident involving one to a handful of hosts is considerably different than responding to an incident in which hundreds of hosts were impacted.
When you start enforcing penalties on breach detection timing with mandatory disclosure (suggestion #1), it begins to drive the appropriate behaviors in a business whereby they are responsible for policing their own network.
- Provide incentives to make rapid detection & response a reality and priority.
While the previous two suggestions would be the proverbial “stick”, my final suggestion would be the “carrot.” It is no secret that we simply do not have enough information security professionals, something Obama himself has stated many times. A recent Ponemon survey stated that 73% of organizations have one full time employee or less dedicated to incident response. Similar to the practice of states looking to attract businesses by providing incentives for hiring skilled professionals, Obama should also provide incentives for companies to build out IR teams that can secure networks, and specifically detect and respond to incidents.
Information security may be one of the hottest issues in information technology, however, most organizations continue to be hamstrung by the inability to add headcount. By tying monetary incentives to auditable headcount, this enables the hiring of professionals to protect their network, while also significantly increasing the talent pool of information security professionals.
I commend Obama for pushing cyber security reform where it has sorely been missing for years. I do question the fact that those advising him put forth a proposal that has been picked apart from every angle. It simply misses the mark on too many issues. Couple this with the widespread lack of technical knowledge in Congress and I am not confident that the government can do anything to help the cause or if they are able to pass the proposed legislation. As we have seen, businesses will continue to bleed intellectual property and customer information unless there are convincing reasons to change the way businesses look at information security.
For more on the importance of incidence response, read the Aberdeen report When Your IT Hits the Fan: Why Your Organization Needs an Incident Response Capability
Sean Mason is the Vice President of Incident Response for Resolution1 Security. After serving his commitment to the US Air Force, Sean has spent his career with Fortune 500 companies (GE, Monsanto, Harris & CSC) where he has worked in a variety of IT & industry verticals, including software development, auditing, information security, Defense, Aviation, Finance, Energy, Biotechnology, and Healthcare. Sean served as the Defense Industrial Base (DIB) representative for Harris from 2009-2011 and also notable is that Sean was the Director of Incident Response for GE for a number of years. Sean also serves as a Subject Matter Expert for ISC2, helping to design credentials’ common body of knowledge and exam questions as well as sitting on the ISC2 Application Security Advisory Council (ASAC).