The Writing on the Wall: Accountability is Coming
The Strengthening American Cybersecurity Act was signed into US law on March 15 to address cybersecurity threats against both critical infrastructure as well as the federal government by imposing cyber incident and ransomware attack response protocols on businesses operating in core industry sectors of the U.S. economy. Motivated by fear of retaliatory Russian attacks on US critical infrastructure for lending support to Ukraine, the new law was passed uncharacteristically fast and with unanimous bipartisan support from US lawmakers. And, while many see this as a move in the right direction, there has been sharp criticism from numerous leaders in cybersecurity, arguing that the law does little to address the core issues that would truly strengthen American cybersecurity.
While acknowledging that information sharing via reporting requirements to increase visibility across the attack surface is a crucial step, criticisms have been made that the law is too narrow in scope and neglects to include new protocols or liability standards that could have a significantly greater impact on mitigating the explosion in ransomware and other cyber-attacks by forcing US businesses to be held accountable – especially those in critical infrastructure industries. Below are just a few of the criticisms circulating, presented with both sides of the argument.
Note: Government regulation is highly controversial and zvelo does not advocate for, or against, one viewpoint or the other in terms of whether or not the following suggestions should be included within the scope of the law.
Personnel and Training Requirements
According to a recent Fortinet survey, 80% of organizations suffered one or more breaches that they could attribute to a lack of cybersecurity skills and/or awareness. Further, 67% agree that the shortage of qualified cybersecurity candidates creates additional risks for their organizations. Establishing training requirements relative to a company’s size, industry, and cyber threat risk, in addition to a prescribed headcount for cybersecurity roles could be an effective way to force companies to proactively invest in preventative measures.
The counter argument here is a significant skills gap for cybersecurity roles. The same survey mentioned above also found that 60% of organizations struggle to recruit cybersecurity talent and 52% struggle to retain it. Regulating personnel and training requirements would further strain the organizations already facing recruitment and retention challenges.
Steeper Penalties for Gross Negligence
While there are penalties for breaches, those have yet to be enough of a deterrent to get companies to voluntarily invest in cybersecurity. Especially when companies have been enabled by cybersecurity insurance as a fallback to minimize any potential losses from ransomware or breaches, and writing those off as a standard cost of business. As cybersecurity insurance coverage continues to decline, additional penalties imposed by the US government could escalate the financial and legal risks to provide a far more effective deterrent than what currently exists.
Counter to the above viewpoint, is the perspective that companies are already facing increasing escalating costs resulting from lax security that should provide the impetus to implement changes. The average cost of a data breach is now more than $4 Million USD, and as high as $10.5 Million USD in certain industries like Healthcare. Ransomware demands have spiked as high as $50 Million USD and companies are quickly losing the insurance safety net enabling them to dismiss the payoffs as a standard cost of business. Further, companies that are actually able to obtain cybersecurity insurance are hit with skyrocketing premiums, as well as the requirement to meet very stringent cybersecurity measures to prevent, detect and mitigate their risks.
System and Configuration Requirements
On average, it takes about 9 months to identify and contain a data breach – a clear demonstration that the vast majority of cybersecurity departments lack tools, resources, and processes necessary for adequate cybersecurity. Companies should be held accountable for adhering to clear guidelines for establishing and maintaining the secure configuration of enterprise assets and software. This would include things like end-user devices, network devices, IoT devices, servers, operating systems, and applications. Having a set of basic minimum guidelines in place could more effectively ensure that companies in the critical infrastructure industries are better protected against cyber-attacks.
The counter arguments on this point are much the same as those from above. The growing attack surface, escalating costs of attacks, and dwindling insurance safety nets should be enough to drive changes. Add to that, the growing potential for top level executives and board members to be held personally liable for cybersecurity failures under the Caremark law, the need for further regulation may be unnecessary.
Expanded Reporting Requirements
The reporting requirements are a good thing and the limited time frames for reporting should not be an issue for companies that have the appropriate, and increasingly necessary, Incident Response plans in place. The criticism, however, is that the requirements should be expanded to include all companies rather than just those operating in critical infrastructure industries. The court of public opinion is harsh, and no business wants to make headlines for a breach so expanding the reporting requirements to all companies might be what it takes to force companies to be held accountable for negligent cybersecurity practices.
On the opposing view for expanding the reporting requirements is a strong concern that companies would begin reporting just for the sake of reporting which would undermine the value of the intended goal. As it stands, when breaches do get reported, as few as 16% of the incidents were reported correctly according to ISACA’s 2020 State of Cybersecurity report. The other big concern is the short timeframes required to report incidents. As the law is currently written, critical infrastructure entities and civilian federal agencies must report any ‘substantial cyber incident’ within 72 hours and any ransomware payment within 24 hours to the Department of Homeland Security’s Cybersecurity and Infrastructure Agency (CISA). The 72-hour timeframe in particular, has even the companies with already mature systems and protocols in place for incident response wondering how they can meet the reporting requirements without impeding the more critical task of threat mitigation when many of them are already operating with lean resources.
Protecting the critical infrastructure industries in the US is deeply convoluted as a large portion of those companies are owned and operated by the private sector. Much like the ongoing privacy vs security conundrum, the role of government regulation in cybersecurity is likely to be an endless debate with no clear winner on one side or the other. With growth and profits at the forefront driving investment decisions, many companies have willfully neglected to dedicate funds for improving cybersecurity efforts. Perhaps, it’s because they have, at least up until recently, been able to leverage cybersecurity insurance to take the financial hit. Or maybe it’s because it’s too difficult to justify the costs for cybersecurity when there is no tangible ROI for protecting against something that ‘might’ happen. Regardless of the multitude of reasons an organization may have, the core issue is that they haven’t focused efforts on cybersecurity because there has been little to no incentive for them to do so. Whether the incentive is driven by legislation, or by increased financial liability from declining insurance coverage, the writing on the wall is clear. Regardless of a critical infrastructure designation, in one way or another, accountability is coming.