On March 17, President Biden signed the Strengthening American Cybersecurity Act. The Act requires companies in the 16 sectors that make up our country’s critical infrastructure (including energy, hospitals, banks and transportation) to report any and all cybersecurity breaches within 72 hours and any ransomware payments within 24 hours.
The reporting mandate has been debated for more than a decade, but the SolarWinds breach, last year’s string of ransomware attacks, and the Russia-Ukraine conflict gave the administration and its allies in Congress the political capital (and the urgency) to finally push the new cybersecurity regime into law.
While the intent is to make critical infrastructure more resilient to cyberattacks, the law is short-sighted and can have devastating effects on private industry and government alike. The only thing it strengthens is companies’ reluctance to find the real breach.
The long-term effect is that it will undermine American cybersecurity. The good news? This law will not be in force for at least two years. Government and industry need to work together to set rules that really solve the problem.
Mandatory reporting increases the risk for victims
The motives of those calling for mandatory reporting are sincere, but if it is not properly implemented, it will do more harm than good.
Mandatory reporting almost always puts companies at risk, either legally or through financial penalties. Punishing an organization for not reporting a breach in a timely manner leaves it in a worse cybersecurity position, because it is a strong incentive to turn a blind eye to attacks. Alternatively, if a company is aware of a breach, it will look for ways to “classify” it into a reporting loophole.
The reporting timelines in the law are arbitrary and are not based on the reality of an effective incident response. The first hours and days after a breach are integral to the actual incident response process, but they are chaotic, and teams are deprived of sleep. Working with lawyers to determine how to report, and deciding what evidence the company does and does not want to “see,” makes the process more difficult.
This will force companies to report breaches before they fully understand them, which can lead to confusion, misconceptions and inaccurate news about breaches that could hurt the company from a marketing or valuation standpoint.
Another point is that there is no offer of help from the government, apart from recent testimony by FBI Director Christopher Wray stating that the bureau will have a technically trained agent at the company’s doorstep within an hour.
A March 24 report by Senator Rob Portman (R-OH) details the experiences of companies attacked by the REvil ransomware group in the past year. It cites the fact that two companies reported the attack to the federal government but received “little help” in protecting their data and reducing losses. According to the report, these companies “indicated that they have not received advice on best practices for responding to ransomware attacks or other useful guidance from the federal government.”
Can Compulsory Reporting Work?
While the act is now law, the organization responsible for enforcing it, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), has two years to fully implement it through the rulemaking process.
For any type of reporting system to truly serve its purpose, it must offer full protection to the companies that comply with it: protection from public disclosure, lawsuits, adverse government action, and more. But given how much protection a company would need, such a system could be fraught with abuse, and companies would use it to hide guilt when they actually do wrong.
Finally, there is no need for mandatory reporting. Instead, set up a system that encourages companies to report more by giving reporting real benefits, such as free incident response assistance as well as help hunting down the attackers to recover stolen data, money and intellectual property. Such an arrangement would depend on strong public-private partnerships.
In addition, a successful solution would require updating existing laws, such as the 36-year-old Computer Fraud and Abuse Act. The law has been amended several times over the years, most recently in 2008, but the current legal framework for cyberattacks is almost 25 years old, dating back to a time when no one could have imagined a world where everyone and everything was connected.
As it stands, the law prohibits unauthorized access to computer systems and leaves cyber responses to the federal government. Going forward, it needs to involve private companies that are trained and licensed in partnership with government and law enforcement, to give private companies a way to respond effectively to cyberattacks.
We are in a cyber war that no single country, government or private entity can win alone. Everyone will have to work together to solve the problem. With everything we need to succeed already here, we are better off without mandatory reporting. We need to work together to implement an incentive scheme that encourages reporting through free incident response, recovery of lost data and intellectual property, and offers of support to each organization in putting nation-state-grade defenses into practice.
Max Kelly is the founder and CEO of Reddit,