On the heels of three major cyber security incidents over the past six months - the SolarWinds and Microsoft Exchange supply chain attacks and the Colonial Pipeline ransomware breach - US government officials and some in the private sector are reviving calls for better information sharing and national breach notification requirements.
"We seem to talk endlessly about information-sharing," Michael Daniel, president and CEO of the Cyber Threat Alliance, a nonprofit that enables cyber security providers to share threat intelligence, said during a presentation at the RSA Conference last week.
"Virtually every cyber security panel study or review for the last half-century seems to have an information-sharing recommendation in it. No one is really against information sharing in theory. Yet, information sharing never seems to quite work."
"One of the reasons that companies feel uncomfortable talking about cyber security incidents or sharing information about cyber security incidents…is because they're worried that somebody's going to say, 'Ha! You had terrible cyber security.'" Daniel tells CSO. "But the issue is that we actually don't know what's good or bad cyber security." He calls for a "standard of care," some better means of actually measuring what good cyber security constitutes.
Good cyber security statistics are missing
The absence of good statistics limits insight into what constitutes good cyber security. "If I gave you $5 million and said, 'Spend this on improving the security of an enterprise,' the average system couldn't actually put numbers to a proposal to decide whether or not to do threat hunting or a better training of employees," Paul Rosenzweig, senior fellow at the R Street Institute said at the RSA Conference.
He argues for the creation of a bureau of cyber security statistics. "The ultimate goal here is to have metrics that are transparent, countable, auditable, effective, generally agreed-upon, widely used and scalable. We're nowhere near that right now," he said.
Like most cyber security policy experts, Rosenzweig thinks mandatory breach notification is overdue. "It boggles my mind that 15 years into this cyber security crisis, pretty much since 2005, 2006, we still don't have an operating picture of how frequently and what sorts of breaches occur in the United States. We're doing better than we did 15 years ago. But without a comprehensive breach notification law, we simply never get a sense of what's actually happening on the ground. That makes it impossible to do trend analysis or gap analysis with any efforts."
"We need to make sure that we have reporting structures in place in terms of a breach," Frank Cilluffo, director of Auburn University's McCrary Institute for Cyber and Critical Infrastructure Security, told RSA Conference attendees. "This has been around for decades, but I think there's finally awareness that we need to be able to move forward on the law there."
Differing breach notification requirements across states are problematic
An obstacle to practical data breach analysis is the differing set of breach reporting requirements that span all US states and territories. "At this point, where you've got all 50 states and all our territories having data breach notification laws, everybody's agreed that we need to have breach notification," Daniel tells CSO. "There's no reason not to have that be on a national scale."
Tom Corcoran, head of cyber security for the Farmers Insurance Group, agrees.
"Companies that operate nationally in the US, every time they have an issue, they have to do a 50-state analysis of what's required," he said at the conference. "Setting a national standard would certainly make things a lot easier for American companies, especially for companies that don't have the resources to have a big regulatory team figure that out."
Other experts and law enforcement specialists at RSA echoed the call for mandatory breach reporting. "It's very challenging for a company that does business across state lines to figure out what are all the various potential breach notification obligations," Luke Dembosky, partner, Debevoise & Plimpton LLP, said.
Companies have to undertake "intensive legal analysis that involves identifying what states people are residing in, whether they have a second residence somewhere else that should be taken into consideration," and that's just in the US alone. The EU's General Data Protection Regulation (GDPR) layers a whole different set of obligations on organisations, Dembosky pointed out.
Better information sharing will help combat threats
Aside from better statistics and mandatory breach notification, better information sharing between the government and the private sector will help organisations combat cyber threats.
Pointing to the successful role cyber security company FireEye played in helping the government manage the SolarWinds crisis, Tonya Ugoretz, deputy assistant director at the FBI, told RSA attendees that "it was very important that they came to the government quickly, but we can't count on that happening in all cases."
This uncertainty highlights the need for national data breach reporting, she said. "It also shows the importance of some of the kind of proactive relationship building that the government does."
"That was model behaviour, and it was entirely voluntary, and it's in the public good," Adam Hickey, deputy assistant attorney general, National Security Division, at the Department of Justice, said, referring to FireEye's quick action in informing the government of its SolarWinds malware infection.
"We're saying this anecdote demonstrates why that kind of reporting is so important. So, let's make it easier. Let's make it mandatory. Let's encourage them - whatever combination of carrots and sticks comes out of the policy process."
Government needs to share, too
Daniel warns that information sharing shouldn't be all in one direction. The government needs to share information back with the private sector. "If you really want to put a dent into the world of cyber crime, it's going to involve the government letting some parts of the private sector in on things that they're very uncomfortable letting the private sector in on," he tells CSO.
Daniel says the government does not hold a comparative advantage in technical cyber threat intelligence, pointing to FireEye's role in helping to identify and manage the SolarWinds crisis as proof.
It does, mainly through intelligence agencies such as the NSA, have the advantage of "saying that indicator right there, that indicator is actually associated with this bad guy over here. And this bad guy over here is doing something particularly pernicious right now. That's where the government's comparative advantage is, adding that context and adding that additional information."