The conflict in Ukraine could indirectly trigger more investment in cybersecurity

introduction

The Strengthening American Cybersecurity Act of 2022 was signed by President Joe Biden on Tuesday, March 15. The main takeaway from the law is that organizations that maintain critical infrastructure must report significant cyberattacks to the Cybersecurity and Infrastructure Security Agency (CISA) no later than 72 hours after determining that an incident has occurred. Organizations must also report any ransomware payments made within 24 hours.

The new law follows an executive order issued on May 12, 2021, focused on protecting federal government IT infrastructure. This order was directly related to the SolarWinds and Colonial Pipeline attacks and focused on protecting software supply chains and software BOM requirements. This latest legislation also has its roots in the attack on the colonial pipeline and focuses on strengthening the CISA, but the urgency of its passage can be directly linked to the threats posed by escalating tensions between the United States and Russia over the conflict in Ukraine.

The catch

An often asked question regarding the conflict in Ukraine is whether the potential for an offensive Russian cyber attack on the United States in response to economic sanctions and military aid would induce US-based companies that maintain critical infrastructures to invest more in cybersecurity. There will certainly be investments directly related to the conflict; Security leaders in organizations considered critical infrastructure will likely take advantage of changes in the threat landscape to convince business leaders of the wisdom of certain expenditures. of President Biden March 21 statement encourages this conversation, exposing that private industry can be pushed into the sometimes uncomfortable role of national defense, especially when it comes to cyberattacks. However, a larger investment trigger may be a step downstream of the conflict, and that is the expansion of breach notification requirements for critical infrastructure outlined in the recently signed Strengthening American Cybersecurity Act of 2022.

Historical Background to Breach Notification Laws

California Senate Bill 1386, signed into law in 2002, kickstarted the passage of similar state laws requiring companies to disclose a data breach to customers in writing, and as such remains the one of the most significant changes in the history of cybersecurity. Customer data breaches could no longer be a private matter for a company, and disclosure resulted in direct costs of contacting customers and resolutions such as credit monitoring payment, but also downstream costs such as loss of customers, lawsuits and damage to reputation. Companies were presented with a direct incentive to minimize information security risks and at least maintain some ability to determine what happened after a successful cyberattack. The significant impact of notice laws and the desire to avoid the downstream expense they incur can be directly correlated to investments in information security.

Purpose of CISA and potential problems for private companies

There is nothing new in the promotion of information sharing on security threats between public and private operators of critical infrastructures; some of the first Information Sharing and Analysis Centers (ISACs) were created in 1999 in response to Presidential Decision Directive-63 (PDD-63). Separating this from previous efforts, the approach outlined here involves penalties for non-compliance, including the ability of the CISA Director to issue subpoenas to compel disclosure. Failure to respond to a subpoena may result in a civil action by the Attorney General. The value for CISA is clear; it can mobilize resources and accurately flag an attack on private infrastructure that jeopardizes public interests, as well as identify patterns across multiple different enterprises under attack.

That said, while CISA is identified as the lead in these investigations, part of its mandate is to share information with other federal entities and information-sharing organizations (e.g., the aforementioned ISACs). So, first, there’s a greater potential for information to leak to the public, and second, some of the data may be a request for public records for many journalists. This is quickly becoming, in practice, a breach notification to the market that did not exist before (where customer personal information was at the center of these laws).

As noted earlier, history teaches us that many organizations seek to avoid such notifications, and they become an engine to bring order to cyber defense as part of this risk avoidance when possible. Where that is not possible, having an information security program that is at least defensible to public scrutiny, despite an issue, becomes the requirement. Not all attacks can be defended; as shown in the figure below; there is a class of threats associated with government funding and resources historically referred to as Advanced Persistent Adversary (APT) where detection and response become key attributes of a security program over prevention.

It is also reasonable to ask whether the combination of having to report ransomware payments semi-publicly, increasing ransom amounts being demanded, and the partial withdrawal of the insurance industry from offering coverage for such attacks will translate into by reducing the number of ransoms paid as a cost. -the calculation of the benefits of handing money to attackers changes. Government entities at all levels, for their part, attempt to discourage such payments because such funding enables continued profitable business for bad actors; however, this interest may not replace a business’s desire to get back up and running as soon as possible, as downtime also has a very tangible cost.

Sources of threats that cybersecurity teams believe are least prepared to counter

Source: Search 451, Voice of the company: information security, organizational dynamics 2021
Q Which of the following sources is your organization least prepared to address as a data security threat?
Base: All respondents, abbreviated field (n=328)

Download report


Source link

Comments are closed.