In any number of cybersecurity courses that I teach, from undergraduate coursework rather introductory in nature to the more graduate-level and esoteric lessons, there comes a common point related to the legal and regulatory domain. The point, which can be made at any stratum of cybersecurity tutelage, also always presents as tongue-in-cheek. Whether the lesson is about the omnipresence of security threats and breaches—X-number of daily incidents that breach corporate information systems—or it’s about the requirements under the law to remain in compliance—every state has breach notification laws on the books such that consumers deserve to learn if their private information was compromised—the follow-on is something like this: “Let’s all agree that we’re swimming in ignorance because companies are loath to admit and advertise their security failures.”
When a company gets hit with a data breach, it’s prone to initially seek out legal ways that it need not report the incident. The C-suite rationale for the cover-up, to be dramatic but accurate, runs the gamut but follows a theme. If its customers learn that it was sloppy with their data, business will suffer. If the business directly deals with healthcare or financial information, its reputation might be irretrievably broken. If it gets into public view that some hacker was able to defeat its security, surely others will attack the wounded animal and potentially do so with intelligence gleaned from the advertised attack. There are other sentiments, but they all seem to follow the thread of minimizing further risk.
This seems familiar to anyone who’s already operating in the human existence that we do. On a more personal level, we rarely boast about the so-called black sheep in our families. When a team loses a big game, or even a less meaningful one, the message is to “look forward … don’t dwell on [or even speak of] the loss that’s behind us.” We’re compelled by law to disclose the shortcomings of a property being sold because we’re naturally hesitant to highlight the negatives. I or my students will be quick to brag about earning an overall 3.XX GPA, and never utter one iota about the “C” that I barely achieved in that one class.
I don’t know if it’s hard-wiring that has us accentuate the positive. I feel that it is more learned behavior to eliminate the negative, which is an act in the space I’m discussing that may be illegal, and seems to be unhelpful when it comes to the overall health of our cybersecurity. There is growing evidence that in fact ‘fessing up about these security vulnerabilities, while being uncomfortable and bearing marketplace risk, can be a mitigating act itself.
At what may be the highest American level of all this, our national defense, history shows that our government has been aligned with the commercial enterprises that only reluctantly expose their security flaws. By logic, I cannot reliably say that the U.S. government actively conceals its intelligence leaks, its defenses thwarted, and its cybersecurity shortcomings. How can I know about these things that presumably are being swept under the rug? Recently, though, it seems that the counter-approach is being experimented with.
In September, the Port of Houston Authority released a public statement about enduring a cyber-attack. Port Houston is kind of a big deal. It directly and indirectly creates and supports over 3 million jobs and accounts for over $800 billion in annual GDP. For its officials to admit it was attacked was a bold move. The U.S. Cybersecurity and Infrastructure Security Agency director openly discussed the attack. It was not the first time this transparency was realized, but historically we were never so revealing.
One theory about the shift-change harkens back to Cold War days when deterrence was effectively realized by openly touting otherwise secret abilities. Knowing that many presidential or prime ministerial desks include that notorious Red Button also caused a level of effective deterrence: “If I depress mine, others will in kind, so I best not.” When CISA advertised that Port Houston overcame its attack—an obviously easier message to disclose since it was in fact caught—it was also speaking to the attackers. It put them on notice that they were caught and stopped, and the implication may be that other threats might subside lest their attackers be caught too.
Across the pond, and throughout the European Union, it is beginning to be understood that holding commercial enterprises more responsible for publicly disclosing security incidents is beneficial. It can be a good thing, a deterrent even, to pony up about vulnerabilities and attacks. The U.K. and E.U. comply with the General Data Protection Regulation, a legal suite of cybersecurity and privacy protections that America, generally, is hesitant to take on; though, countless U.S. organizations are forced to follow the GDPR to some degree because they have E.U. customers or operations.
In the U.K., for example, cybersecurity laws were recently revised. Now, the previous financial penalties levied against companies that failed to implement strong cybersecurity, or that neglected to report security incidents, are being expanded further to increase the deterrent effects. It’s real synergy, a fashionable business word I rarely deploy, because demanding greater security necessarily decreases attack effectiveness, which then makes it more manageable, though no less embarrassing, to air the dirty laundry of having been attacked, whether or not the criminals were stopped in their tracks.
This newfound approach is maybe one of the highest-level solutions to be explored. We’re not quite ready, it appears. The recently signed National Defense Authorization Act of 2022 failed to include a mandate for private firms to report, so we’ll have to await new laws to catch up with the U.K. in this way. Pioneering, dare I say patriotic, companies might lead the charge and self-report. Most will wait until it’s mandated, though, regrettably.
Ed is a professor of cybersecurity, an attorney, and a trained ethicist. Reach him at edzugeresq@gmail.com.
