U.S. Government Grapples With Cyber Incident Reporting Pain Points
The U.S. government wants cyber incident reporting to be more consistent, but it must work through several challenges, including the stigma around the repercussions of reporting.
After seizing $500,000 from a North Korean state-sponsored group in May, the Justice Department (DoJ) was quick to credit one of the group’s ransomware victims - a Kansas-based healthcare provider - whose notification to the FBI after it was attacked allowed investigators to trace the money.
Promoting cyber incident reporting has become a priority not only for the DoJ but for several agencies across the U.S. government, including the Cybersecurity and Infrastructure Security Agency (CISA). The push is long-standing, but it has intensified on the heels of recent high-profile ransomware attacks. More tips on incidents could help authorities both support victims and better understand the cybercrime landscape, two reasons recently cited by Deputy Attorney General Lisa O. Monaco at the International Conference on Cyber Security, who said the cooperation of the Kansas-based healthcare provider allowed authorities to identify the ransomware strain and recover ransom payments of previously unknown victims.
“Thanks to rapid reporting and cooperation from a victim, the FBI and Justice Department prosecutors have disrupted the activities of a North Korean state-sponsored group deploying ransomware known as ‘Maui,’” said Monaco in a statement.
The U.S. government faces an uphill battle. The right incentives are needed for organizations that have historically feared reputational backlash. At the same time, concerns remain about the government’s bandwidth to process, analyze, respond to and effectively share data once it has actually been reported.
However, from a long-term perspective, security professionals agree that more consistent cyber incident reporting could produce a fuller picture of the scope, scale and impact of ransomware attacks, which in turn could help gauge whether measures such as government sanctions are actually effective in hindering cybercriminals.
“At the plainest level, it's giving the government a sense of whether the policy tools, including regulatory tools, and other measures it’s taking to measure ransomware, are actually having an impact,” said Megan Stifel, chief strategy officer for the Institute for Security and Technology (IST) and co-chair of the IST’s Ransomware Task Force. “Without the information, we’re kind of flying blind. There’s not an ability to use the full scope of the government's authorities to manage this risk with an imperfect information environment.”
Historically, cyber incident reporting has been hindered by the stigma of being a victim of a breach or cyberattack. Companies like Uber and CafePress have actively attempted to cover up security incidents. Stifel said that businesses have ongoing, longstanding concerns about liability and reputational damage. Opportunities remain for the government to better articulate the “scope of liability protection” for sharing information, she said.
“No one wants to be the first one, or second one, or third one to say ‘we shared this information with the government and we were protected;’ that still doesn’t help them with reputational risk,” said Stifel. “We’re also not yet in the place where the market rewards companies for being more transparent about that. More conversation needs to happen around those competing issues.”
DoJ officials have praised FireEye's role in the discovery of the SolarWinds attack - in which malware was installed in SolarWinds software updates pushed out to 18,000 companies and government entities - as “model behavior,” in hopes of highlighting the benefits of incident reporting. FireEye, one of the victims of the 2020 supply-chain attack, disclosed the incident publicly, helping to unearth the full scope of the campaign and its impact on other companies. However, Stifel argued that the government needs to go a step beyond commending businesses that report cyber incidents and provide them with actual incentives, and even rewards. She added that the government grants available to state and local government entities to help them address security risks and threats mark potential progress in this area.
“I think we’re still on the incentives piece where… [we’re asking] could we be offering more to victims coming forward to incentivize their disclosure to the government? Is there something like a safe harbor that would be useful? Could we offer them support - not to pay the ransom - but in the form of resources or grants to rebuild systems in the event of an incident?”
Over time, the government has relied on regulatory policies for cyber incident reporting. However, the current regulatory landscape is made up of a patchwork of different guidelines across several agencies, adding layers of complexity to the process of reporting incidents.
Research from the R Street Institute in June tracked at least 24 existing cybersecurity incident and breach reporting policies (not including state, local, tribal and territorial reporting mandates) that varied in the agencies receiving the reports, the scope of reporting, the definition of disclosure and the timeline for disclosure.
“You have to report the same information to a lot of different entities, and this isn’t even at the state level,” said Sofia Lesmes, senior research associate, Cybersecurity and Emerging Threats with the R Street Institute. “So you could hypothetically see some businesses or banks saying ‘well, I already reported to the government once, why do I have to now to three different banking institutions?’”
The scope of these policies ranges from a 2016 Coast Guard policy that requires Maritime Transportation Security Act-regulated vessels to report security breaches, to a 2021 TSA security directive that requires transportation operators to report incidents to CISA. Reporting timelines also vary: a final rule approved by the Federal Deposit Insurance Corporation (FDIC) in March requires banks to notify federal regulators of security incidents within 36 hours, while a set of amended rules proposed by the U.S. Securities and Exchange Commission (SEC) would require publicly traded companies to disclose security incidents within four days after they have been determined.
Stifel said that the government needs to work toward a system that makes it “as easy as possible” for entities that want to report a cyber incident.
“If you look at the ways you could report to the U.S. government, it’s all over the map,” she said. “We really do need to be working towards some sort of baseline where even small businesses or SMBs could support the information ecosystem in a more holistic manner that better equips us to manage the risk.”
While these efforts existed long before the hack of Colonial Pipeline, the resulting Cyber Incident Reporting for Critical Infrastructure Act, signed into law in March 2022, brought a renewed focus not just on reporting requirements for critical infrastructure sectors, with built-in liability protections, but also on a broader government effort to improve and standardize federal incident reporting.
“A lot of this was already coming down the pike before Colonial Pipeline,” said Mary Brooks, resident fellow, Cybersecurity and Emerging Threats with the R Street Institute. “We were tightening this for years, there was an awareness that the government did not know as much as it wanted to know about industry, and that that limited it from a national security perspective. Colonial Pipeline just blew it up more.”
Under the law, critical infrastructure operators must report cyber incidents to CISA within 72 hours and report ransomware payments within 24 hours. The act also calls for the Department of Homeland Security (DHS) to establish a Cyber Incident Reporting Council, tasked with producing recommendations for Congress on how the government can “coordinate, deconflict and harmonize Federal incident reporting requirements.” CISA already oversees several incident reporting regulations, including the Federal Incident Notification Requirements (effective in 2017) that require federal civilian executive branch agencies to disclose security incidents to the agency and OMB. It has until 2024 to develop proposals for finalized rules under the Cyber Incident Reporting for Critical Infrastructure Act.
Different government agencies are also undertaking their own efforts around incident reporting. In its strategic goals for the coming fiscal years, the FBI recently said it planned to increase the percentage of reported ransomware incidents “from which cases are opened, added to existing cases, or resolved or investigative actions are conducted within 72 hours” to 65 percent. The FBI did not respond to a request for comment about previous reporting percentages; however, in June officials said that less than 25 percent of NetWalker ransomware victims reported incidents to law enforcement.
Moving the needle on cyber incident reporting is important, but arguably more significant are the processes government agencies use to receive, analyze and respond to that data. Mark Montgomery, senior fellow at the Foundation for Defense of Democracies, stressed that the end goal is not reporting itself, but faster transmission and analysis of the information reported.
“Incident reporting is an element, but it’s not an end in itself,” said Montgomery. “It’s a means to an end of a better understanding of the threat environment, and then really long term a better more ubiquitous sharing of information.”
At the same time, security experts such as Eleanor Fairford, deputy director for incident response with the National Cyber Security Centre, have previously pointed out a problematic lack of response from government officials once an incident is reported. To keep up with the influx of reported incident data, government agencies need a quality information sharing and distribution system, as well as professional statisticians capable of sifting through the data and identifying the trends it reveals. (A database with such capabilities is one of the many elements of the Cyber Incident Reporting for Critical Infrastructure Act that CISA is still fleshing out.)
The Cyberspace Solarium Commission has proposed the establishment of a Bureau of Cyber Statistics for the U.S. government, which would serve as an agency for collecting and analyzing data related to cyber incidents and cybercrime, and sharing that data with federal agencies, the private sector and the public. National Cyber Director Chris Inglis last year expressed support for the idea.
“We absolutely have to build the infrastructure for data sharing, so that this information begins to become easily transferable,” said Montgomery. “This information after it is shared has to be analyzed and then also needs to be shared with others so that we each can have a good understanding of what the threat signals are out there, and what the tactics and procedures used by the attackers are.”
Overall, the government is taking steps in the right direction around cyber incident reporting, and Stifel said she hopes that public perception around data breach reporting will change in the future, particularly with more collaboration between private and public entities around cybersecurity.
“I do think it will change,” she said. “I hope it will change… with the evolution of the market rewarding good cybersecurity, it’s reasonable to expect to see less shame in the next 10 years or so.”