Will new breach reporting rules make defense firms more secure?
- By Sam Curry, Ari Schwartz
- Nov 29, 2017
New information security rules governing defense industrial base firms take effect on Dec. 31. The rules require compliance with the new standard for protecting "controlled unclassified information" from the National Institute of Standards and Technology and set time limits on contractors for reporting system breaches.
The Department of Defense has published guidance to facilitate implementation, but that guidance does not overcome the larger business dilemma the requirements may create.
The financial investment required to implement cyber controls can be overwhelming, particularly for smaller organizations. Fortunately, the guidance makes clear that companies have the freedom to achieve the intended outcomes of the requirements in whatever way is most appropriate for them. This is an important clarification because cybersecurity threats and mitigations change quickly. Companies must be able to identify and implement innovative and robust solutions that fit their needs, and their budget.
Although comments submitted to the DOD in response to the interim rule acknowledged the need for better cyber hygiene in the context of contractor relationships, there is concern that some requirements are too prescriptive while others are unclear.
The incident reporting rule requires that when a contractor discovers a covered cyber incident that affects a covered contractor information system or the covered defense information contained therein, the contractor must first review and analyze the incident, and then must report the incident to the DOD within 72 hours of discovery.
Reporting cyber incidents so soon after discovery may do more harm than good. Practically speaking, 72 hours does not give contractors a lot of time to conduct a review for evidence of compromise or an analysis of the covered contractor information system. It is easy to imagine the chaos that could ensue from frequent and false incident reports that are not rooted in careful investigation and due diligence.
One could see attackers creating a slew of light and frequent attacks purely to tie up reporting processes and to hide truly malicious events from overworked staff – a kind of denial of service aimed at gumming up the compliance system. We also do not want those having to make disclosure decisions to make poor security, privacy or safety decisions simply because of a fear of non-disclosure due to an arbitrary deadline choice.
Most U.S. jurisdictions with breach notification rules specify only that disclosure be made in the most expedient time possible, and without unreasonable delay. In those jurisdictions that do require notification within a specific time frame, 45 days is most common – and almost all are longer than 72 hours.
We think the best approach is to emphasize post-event analysis that shows the desire and intent of those accountable for and performing any investigation. They must act with a sense of urgency and earnestly disclose as soon as the truth and scope are reasonably known and no further damage will be done to active operations around the breach. Establishing benchmarks and rationale for disclosure that will require greater diligence post-event is a good idea, but timing must be reasonably flexible.
While there are different sensitivities that surround the type of information maintained by government contractors, the same general principle governs: Investigating a security incident can require significant fact gathering and, if handled incorrectly, can provide malicious actors with feedback that could destroy evidence or cause further damage.
For network defenders across the defense industrial base ecosystem, meeting this requirement means finding ways to improve real-time visibility while also reducing investigation times for suspected or actual incidents. It also requires that the correct first principles be identified and that those accountable and responsible demonstrate adherence to those principles over arbitrary deadlines.
Evolving cybersecurity and data protection requirements is a necessary step towards safeguarding government systems and better managing cyber risks resulting from contract dependencies. But with the addition of every new requirement and corresponding control, blind spots can emerge. The very adaptability of our adversaries and the pace of change of the environment make permanent requirements and control landscapes counterproductive. We must be as flexible in allowing defenders of networks and systems autonomy in managing defensive tools and posture as the attackers frequently enjoy.
Sam Curry is chief security officer at Boston-based cybersecurity firm Cybereason.
Ari Schwartz is managing director for cybersecurity services at Venable, and former senior director for cybersecurity on the National Security Council during the Obama administration.