The issue of cyber security has reached a critical point. After more than a decade of private-sector organizations dealing with cyber incidents in their own way, the current extent and impact of cyber attacks show that the consequences of these incidents can spread across societies and borders.
Now governments feel the need to "step in," and many are considering introducing new laws and regulations. Even so, legislators often try to regulate technology with political urgency in mind, and many do not fully comprehend the technology they aim to control. The consequences, impacts and uncertainties for companies often go unnoticed until it is too late.
In the United States, a number of new regulations and practices are being introduced: the Federal Trade Commission, the Food and Drug Administration, the Department of Transportation, the Department of Energy and the Cybersecurity and Infrastructure Security Agency are all working on new rules. Additionally, in 2021, 36 states enacted new cyber security laws. Across the world there are many initiatives and requirements, such as data localization in China and Russia, incident reporting to India's computer emergency response team (CERT-In), and the GDPR (General Data Protection Regulation) with its incident-reporting obligations in the EU.
But companies do not need to sit around and wait for the rules to be written and enforced. Instead, they need to understand the regulations currently being drafted, identify the uncertainties and potential effects, and prepare to take action.
Until now, the cyber security regulations of most countries have focused on privacy rather than on cyber security itself, so most cyber attacks did not need to be reported. If private information such as names and credit card numbers is stolen, the incident must be reported to the relevant authority. However, when Colonial Pipeline, for example, suffered a ransomware attack that shut down the pipeline supplying fuel to about 50% of the US east coast, it did not report the incident, since no personal information was stolen and no report was therefore required. (Of course, it was pretty difficult to keep things secret when thousands of gas stations could not receive fuel.)
Consequently, it is impossible to know how many cyber attacks actually occur and in what ways. Some say only 25% of cyber security incidents are reported, others say only 18%, and some put the rate at 10% or less.
It seems we are not even sure what we don't know. This really is a terrible situation. Recall the famous quote attributed to the management thinker Peter Drucker: "If you can't measure it, you can't improve it."
Governments have decided that this state of affairs is unacceptable. In the United States, for example, the White House, Congress, the U.S. Securities and Exchange Commission, and many other institutions and local authorities are considering, enacting, or starting to implement new rules that will require companies doing business in critical infrastructure industries such as energy, healthcare, communications, and financial services to report cyber incidents. Under these new rules, Colonial Pipeline would have had to report the ransomware attack.
These requirements are, to some extent, inspired by the recommended reporting of "near-miss" or "close call" situations in aviation. After an aircraft narrowly avoids a crash, the failures that led to it are identified so that they can be avoided in the future.
A similar requirement for cyber security sounds quite plausible at first glance. The problem is that what should count as a cyber security "incident" is far less clear-cut than a "near miss" in which two planes come closer than allowed. A cyber "incident" is an event that could lead to a breach but may never become one. By definition, a cyber incident only requires an action that "imminently endangers" a system or poses an "impending threat" of breaking a law.
This leaves companies in a state of uncertainty. Suppose someone tries to log in to your system but is denied because the password is incorrect: is this an "imminent threat"? What about a phishing e-mail? Or what about someone probing your system for a known, common vulnerability such as the log4j flaw? What if an attacker actually breached your system but was detected and removed before doing any harm?
This uncertainty requires companies and regulators to strike a balance. All companies become more secure when they have more information about what attackers are trying to do, but this can only happen if companies report incidents in a timely manner. For example, from the data gathered through current incident reports we learned that of the approximately 200,000 known vulnerabilities in the National Vulnerability Database (NVD), only 288 were actively targeted by ransomware. Knowing this allows companies to prioritize patching those vulnerabilities.
On the other hand, an overly broad definition could mean that an ordinary large company would need to report thousands of events per day, even spam e-mails, many of which are simply ignored or bounced. For both the company producing the reports and the agency that has to process and make sense of such a flood, this would be a colossal burden.
Moreover, international companies would have to comply with different reporting standards in the European Union, Australia and elsewhere, including how quickly a report must be filed: six hours in India, 72 hours in the EU under the GDPR, four working days in the United States, plus further variations within countries where different agencies impose their own rules.
Companies subject to SEC (U.S. Securities and Exchange Commission) regulations, which include most large companies in the United States, must quickly define their "priorities" in light of these new regulations and review their current policies and procedures to determine whether such a "priority" applies. If these decisions have to be made frequently and quickly, companies will need to revisit them and bring their operations up to speed.
Regulations are also being drafted in areas such as reporting ransomware attacks and even criminalizing the payment of ransoms. Company policies on paying ransoms, and possible changes to cyber insurance policies, need to be reviewed.
Because of the way their software was packaged, most companies did not know that their systems contained the log4j vulnerability. Regulations have been proposed requiring companies to maintain a detailed and up-to-date Software Bill of Materials (SBOM) so that they can quickly and accurately identify all the different pieces of software embedded in complex computer systems.
While an SBOM is also useful for other purposes, producing one may require significant changes to the way your company develops and acquires software. Management needs to review the effects of these changes.
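The SBOM lookup the two paragraphs above describe, as an added example that is not part of the article: a short Python script that reads an SBOM in CycloneDX JSON layout (an assumed format; the sample document below is constructed for this example) and lists every embedded copy of a named library, including copies nested inside other components, flagging those below a fixed-in version. The fixed-in version is a placeholder argument to be taken from the vendor's advisory, not a value stated in the article.

```python
"""Query a CycloneDX-style SBOM for every embedded copy of a library.

Added example, not code from the article. The sample SBOM is constructed;
the fixed_in bound is a placeholder that must come from the vendor advisory.
"""
import json
import re
from typing import Iterator

# Constructed sample: a product bundling several Java libraries, with a second
# copy of log4j-core pulled in transitively inside another component.
SAMPLE_SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
    {"type": "library", "group": "com.example", "name": "reporting-service",
     "version": "5.2.0", "purl": "pkg:maven/com.example/reporting-service@5.2.0",
     "components": [
       {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
        "version": "2.17.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"}
     ]},
    {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
     "version": "2.13.0", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.0"}
  ]
}
"""


def load_sbom(text: str) -> dict:
    """Parse the JSON document and check it claims to be a CycloneDX BOM."""
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX SBOM")
    return sbom


def iter_components(components: list, path: tuple = ()) -> Iterator[tuple]:
    """Walk the component tree depth-first, yielding each component together with
    the chain of parent components it is embedded in (CycloneDX allows nesting)."""
    for comp in components:
        here = path + (f"{comp.get('name')}@{comp.get('version')}",)
        yield comp, here
        yield from iter_components(comp.get("components", []), here)


def parse_version(version: str) -> tuple:
    """Turn '2.14.1' or '2.17.1-rc1' into a comparable tuple such as (2, 14, 1).
    Only the leading dotted numeric part is compared; pre-release tags are ignored."""
    match = re.match(r"(\d+(?:\.\d+)*)", version)
    if not match:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def find_components(sbom: dict, group: str, name: str) -> list:
    """Return every occurrence of a library, wherever it is embedded in the BOM."""
    hits = []
    for comp, path in iter_components(sbom.get("components", [])):
        if comp.get("group") == group and comp.get("name") == name:
            hits.append({"version": comp.get("version"),
                         "purl": comp.get("purl"),
                         "path": " > ".join(path)})
    return hits


def affected_components(sbom: dict, group: str, name: str, fixed_in: str) -> list:
    """Keep only the copies whose version is older than the fixed-in version."""
    fixed = parse_version(fixed_in)
    return [hit for hit in find_components(sbom, group, name)
            if parse_version(hit["version"]) < fixed]


if __name__ == "__main__":
    bom = load_sbom(SAMPLE_SBOM_JSON)
    # "2.17.1" is a placeholder bound; take the real one from the vendor advisory.
    for hit in affected_components(bom, "org.apache.logging.log4j", "log4j-core", "2.17.1"):
        print(f"AFFECTED {hit['purl']} (embedded via {hit['path']})")
```

The recursive walk matters because the copy a scanner misses is usually the one bundled inside another vendor's component; an SBOM that is kept current lets this check be re-run the day an advisory lands instead of waiting for a full inventory.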
Someone, or possibly a group, within your company should review these new or proposed regulations and consider their possible impact on your organization. These are seldom technical details to be left to your information technology or cyber security team; they have company-wide implications and may require changes to many policies and procedures throughout your organization. Since many of these new regulations are still taking shape, your organization may also want to influence the direction they take and whether they are adopted at all.
Source: Harvard Business Review