SolarWinds, Exchange attacks revive calls for mandatory breach notification, better information sharing



On the heels of three major cyber security incidents over the past six months – the SolarWinds and Microsoft Exchange supply chain attacks and the Colonial Pipeline ransomware breach – US government officials and some in the private sector are reviving calls for better information sharing and national breach notification requirements.

“We seem to talk endlessly about information-sharing,” Michael Daniel, president and CEO of the Cyber Threat Alliance, a nonprofit that enables cyber security providers to share threat intelligence, said during a presentation at the RSA Conference last week.

“Virtually every cyber security panel study or review for the last half-century seems to have an information-sharing recommendation in it. No one is really against information sharing in theory. Yet, information sharing never seems to quite work.”

“One of the reasons that companies feel uncomfortable talking about cyber security incidents or sharing information about cyber security incidents … is because they’re worried that somebody’s going to say, ‘Ha! You had terrible cyber security.’” Daniel tells CSO. “But the issue is that we actually don’t know what’s good or bad cyber security.” He calls for a “standard of care,” some better means of actually measuring what good cyber security constitutes.

Good cyber security statistics are missing

The absence of good statistics limits insight into what constitutes good cyber security. “If I gave you $5 million and said, ‘Spend this on improving the security of an enterprise,’ the average system couldn’t actually put numbers to a proposal to decide whether or not to do threat hunting or a better training of employees,” Paul Rosenzweig, senior fellow at the R Street Institute, said at the RSA Conference.

He argues for the creation of a bureau of cyber security statistics. “The ultimate goal here is to have metrics that are transparent, countable, auditable, effective, generally agreed-upon, widely used and scalable. We’re nowhere near that right now,” he said.

Like most cyber security policy experts, Rosenzweig thinks mandatory breach notification is overdue. “It boggles my mind that 15 years into this cyber security crisis, pretty much since 2005, 2006, we still don’t have an operating picture of how frequently and what sorts of breaches occur in the United States. We’re doing better than we did 15 years ago. But without a comprehensive breach notification law, we simply never get a sense of what’s actually happening on the ground. That makes it impossible to do trend analysis or gap analysis with any efforts.”

“We need to make sure that we have reporting structures in place in terms of a breach,” Frank Cilluffo, director of Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security, told RSA Conference attendees. “This has been around for decades, but I think there’s finally awareness that we need to be able to move forward on the law there.”

Differing breach notification requirements across states are problematic

An obstacle to practical data breach analysis is the differing set of breach reporting requirements that span all US states and territories. “At this point, where you’ve got all 50 states and all our territories having data breach notification laws, everybody’s agreed that we need to have breach notification,” Daniel tells CSO. “There’s no reason not to have that be on a national scale.”

Tom Corcoran, head of cyber security for the Farmers Insurance Group, agrees.
