Unless you’re still hung over from the holidays, you most likely saw the news regarding President Obama pitching cyber reform. While I applaud the idea at a high level, especially the part about a universal US law that spells out what companies are required to do in the event of a breach, it is my opinion that the current proposal has a number of misses. This post is not intended as political commentary, but rather the perspective of someone who has been responding to incidents for years and who was previously a member of the public-private sharing organization known as the Defense Industrial Base (DIB).
One of the first comments I hear about the proposal is disagreement with the 30-day window to notify consumers that their data has been breached. Most of the people quoted have said that 30 days is not very long to understand the scope of an incident and notify consumers. I disagree, and if anything I believe the window will drive the wrong behavior among companies. The primary behavior that should be driven is detecting breaches quickly; the secondary is understanding what happened so that consumers can be notified considerably faster than 30 days. Consider that almost every incident and breach report finds that it takes months to years to identify an intrusion. What good is a 30-day window when the breach happened six months ago?
Be sure to check out a previous post of mine on a related topic, Incident Response Metrics, which covers the importance of IR metrics in helping organizations understand the real story with better actionable intelligence and insight.
If we look at the Target breach, it took less than 30 days from the discovery of the breach for the cards to show up on Rescator and ultimately be sold and used. I would imagine the turnaround time for Personally Identifiable Information (PII) is similar. Debit cards aside (I would surely hope nobody is using one by now), I don’t understand how a 30-day window protects consumers. Couple this with the fact that consumers are not liable for fraudulent charges, and there is even less of a case.
I won’t dispute that the current state-by-state requirements are ridiculous, but beyond creating a US-wide standard that all companies must follow, the 30-day window is nothing more than rhetoric that masks the underlying problem: lack of proper investment in Intel-Detection-Response (IDR) capabilities. The 30-day window is a glaring indication of how poorly incidents are planned for, responded to, and understood by policy makers and those advising them. For organizations that have not invested properly in IDR capabilities, 30 days may seem rather fast, especially when a week is lost to not knowing what to do and another few days to a week is lost bringing in outside help. Is that the behavior we are trying to encourage? I certainly hope not.
In short, an incident generally ends in one of three outcomes:
1. We don’t know what happened at all.
2. We pieced together a good bit of it, but didn’t have all the evidence to definitively paint the entire picture.
3. We believe we know everything that happened.
Organizations that have invested properly will rarely, if ever, encounter outcome #1, which leaves outcomes #2 and #3. Based on my years of experience, I can say that it certainly can take a couple of weeks to piece everything together for a large incident; however, if you have invested properly in the right people, process and tools, you will reach definitive conclusions much faster than that, especially around data exfiltration. There are also times (outcome #2) when you cannot definitively say whether data was breached or not. What happens then? Regardless, proper investment in IDR is what we should be encouraging, not an arbitrary 30-day window to notify consumers.
I would be remiss if I did not address another proposal: liability protection for sharing intel with the US Government. Sharing intel with the government has been happening for a number of years (6+), most prominently through the Defense Industrial Base, though it has always been voluntary. There has never truly been any tangible incentive to share, and liability protection is what the private sector has been holding up to the US Government for years as the thing that would make sharing work “better”. My view is that liability protection is not needed: the companies that have made the investment to share are already doing so and would have continued to. As I’ve mentioned in another post, some companies simply don’t care.
I have a number of examples, but rather than tell the stories, I will simply state that the government is not the greatest clearinghouse for intelligence, and many of the sharing communities outside the government’s influence do a much better job. If you read these posts from 2012, you’ll get a flavor of what I’m referring to.
Carnegie Mellon University found that NSA provided few signatures to private partners that the companies did not already have and that the companies were able to identify threats without the signatures using tools unknown to NSA.
Perhaps instead of dangling a carrot in the form of liability protection, there should have been more of a stick: mandatory public disclosure of attacks against a company. While we do see SEC filings on occasion, the general consensus is that businesses don’t disclose. A change in direction this way may actually encourage the correct behavior of investing in IDR, so that when network defenders detect a breach underway they can quickly move to contain the issue and perhaps even prevent the breach. Yes, just because attackers have gotten into your network doesn’t mean they’ve won; if you have the capability to respond quickly enough, you can remove them from your network before they accomplish their objectives.
In summary, Obama has tried for a number of years to encourage Congress to pass legislation and has yet to be successful. Given that, coupled with the widespread lack of understanding of information security in Congress, I don’t know if he will be successful this time. If Congress does pass legislation, it needs to be legislation that drives behavior toward proper investment in IDR, as opposed to rhetoric that does not move the ball forward or change the way businesses look at information security.
As always, I’d love to hear feedback, so feel free to reach out to me on Twitter @SeanAMason.
This blog post is a slightly modified version of my post at Resolution1 Security.