The commission was formed in 2019 and charged with developing and proposing cyber defense steps to the federal government. So far, 27 of its recommendations have been taken up, but plenty of work remains to shore up defense and ensure principles are turning into practical, enforceable action, said Frank Cilluffo, commission member and director of Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security.
“We’re by no means running a victory lap at this point,” Cilluffo said.
One pressing problem is that while chief information security officers may know cyber hygiene and best practices, they’re often resorting to guesswork about whether, for example, $5 million should be spent on employee training or threat-hunting tools, said Paul Rosenzweig, resident senior fellow of cybersecurity and emerging threats at R Street.
That’s because precise metrics are hard to come by in cybersecurity, posing a serious roadblock to public and private efforts to achieve more informed, impactful defense strategies.
“We can tell you qualitatively what we think works,” Rosenzweig said. “We can tell you that multifactor authentication is good. But we can’t tell you how good.”
Answering such open questions is the goal of the commission’s yet-unrealized recommendation that the government create a Bureau of Cyber Statistics, Rosenzweig said. Such a body would aim to establish clearly defined cybersecurity metrics and to collect and analyze the relevant data. In theory, a Bureau of Cyber Statistics would be better positioned to identify broad trends about where and how bad actors are operating and to predict future threats.
“The transition to ransomware in the bad guys’ panoply of activities in the last five years was a strategic surprise to us,” Rosenzweig said. “But that would have been no surprise had we been paying better attention to the antecedent signals for that, but we simply had no way of measuring it.”
Well-defined metrics could also help agencies evaluate the strength of companies’ cyber defenses, which could then guide government assistance efforts as well as insurance firms’ pricing decisions, Rosenzweig said.
But these goals also depend on the Bureau being able to acquire the information it would need in the first place. Organizations’ tendency to let breaches go unreported continues to hamstring efforts to understand threats and predict — and prevent — future attacks.
Momentum is building for a national breach notification law, Cilluffo said. Such a law would give the federal government that much-desired visibility into the scope of cyber threats impacting the country.
A nationwide policy would also spare businesses the administrative headache they now face when navigating existing reporting laws that vary by state. Those laws tend to cover breaches that affect the privacy of personal data; they do not generally obligate firms to report breaches that implicate national security but involve no personal data.
“Every time they have an issue, they have to do a 50-state analysis of what’s required from them,” said Tom Corcoran, Farmers Insurance Group’s head of cybersecurity.
Standardized, federal reporting procedures can make compliance easier, removing administrative burdens from firms that have just been victimized, said Tonya Ugoretz, deputy assistant director of the FBI’s Cyber Division.
Government officials and cybersecurity experts are also emphasizing that companies should have to alert law enforcement about breaches that threaten national security.
Cybersecurity firm FireEye’s timely disclosure of the SolarWinds breach to the government helped officials react more quickly, but it was an “entirely voluntary” move, said Adam Hickey, deputy assistant attorney general with the U.S. Department of Justice’s National Security Division.
“Sometimes you want legislation that creates incentives so that what was purely voluntary today is encouraged in the future, or potentially required,” Hickey said.
Companies have recently become more willing to offer details about breaches, Hickey said. The growing awareness that cyber incidents are unavoidable in today’s digital environment has reduced the stigma that can keep companies silent. Companies are also motivated to speak because of the need to demonstrate to shareholders and customers that they’re taking action when events do happen, noted Luke Dembosky, partner at Debevoise & Plimpton and former deputy assistant attorney general for national security at the U.S. Department of Justice.
Despite this shift toward greater cooperation, firms that believe their breaches will go unnoticed can still be tempted to sweep events under the rug, Hickey said.
A federal law requiring companies to report breaches isn’t the only way of tackling the problem. Hickey said other proposals include permitting intelligence community authorities to gather incident information themselves through warrantless surveillance of private networks — an approach corporations are likely to find less palatable.
Getting the most impact out of a national reporting law and generating the most goodwill among corporate participants requires federal intelligence agencies to demonstrate that the disclosed information would help all parties improve their security, Ugoretz and Dembosky said. That means intelligence agencies must quickly process reports to glean insights into the attacks and then issue warnings and recommendations to other organizations about how to better protect themselves and respond to the threats, Ugoretz said.