December 20, 2021

It was reported last Friday that the National Security Council has released a new policy requiring the FBI and other federal agencies to report to the White House, as quickly as within 24 hours, on cybersecurity incidents impacting certain critical infrastructures. After a significant number of cyber disruptions in 2021 that impacted pipelines, energy, food, retail, technology, and other supply chain issues, this new policy appears to be an attempt for the White House to quickly get out in front of cyber events that might require a federal government response to mitigate an escalation that impacts the economy.
This new policy follows arguably the most active year for cybersecurity in White House history. Actions have included an executive order, a national security memorandum on improving cybersecurity for critical infrastructure control systems, a cybersecurity summit with CEOs of some of the nation’s largest companies, and the appointment of cybersecurity experts to leadership positions in the administration.
While the federal government has long been active in investigating and assessing the impact of cyber incidents impacting critical infrastructures, this new policy highlights a new sense of urgency to get the White House involved as early as possible. Concurrently with this new policy, Congress has been working for months to include a section in the National Defense Authorization Act (NDAA) that establishes a requirement for companies in certain sectors of the economy to report significant cyberattacks to the federal government. Despite fairly broad bipartisan support, the language for cyber reporting has fallen out of the NDAA and Congress is now evaluating other avenues to get this reporting requirement codified.
Lacking any kind of consistent national cybersecurity incident reporting requirements, implementation of this policy will result in incredibly erratic and unreliable reporting between different sectors. Unfortunately, unless the disruption of a private company’s products or services gets media visibility due to a critical shortage or severe outage, it’s highly unlikely the federal government will even be aware of it within a reasonable time.
This doesn’t mean the incident isn’t important or impactful, but simply that it falls into the Fortune 500 vs. Unfortunate 5,000 category of issues, where smaller companies don’t get the same attention as large companies even though disruption of their products or services could be equally impactful. This policy will likely result in stale reporting of old information, which isn’t useful but, more importantly, is a waste of critical resources.
Another problem with such a short reporting timeline is that cybersecurity incidents almost always take several days to determine the extent of the damage and can take much longer to make an accurate attribution of the culprits. This reporting policy will create an incredible distraction for those CIOs and CISOs trying to mitigate and extinguish the flames of a cyber incident, by having to engage with the FBI and other agencies while their company is burning down. The first 48 hours after discovering a cyber incident are the most intense, and CIOs will need to build new communication protocols into their incident response and crisis communication planning strategies to deal with these government incursions.
Following quickly on the heels of President Biden’s meeting with Russian President Vladimir Putin last Tuesday, there has been speculation that the new policy is a response to the apparent tolerance of sheltering cybercriminals operating within the borders of Russia. The initial reports highlight, however, that this new policy isn’t in response to any particular government or government action, but rather just requires a quick assessment about whether a cyber event is an issue the president should be aware of. I attribute the policy simply to the growing accumulation of nation-state actors and cyber threats such as ransomware, which have become a costly scourge on our society.
Even with these limitations, there is great value in a policy that can quickly evaluate the threat a significant cybersecurity incident might have on society. If nothing else, recent history has taught us that self-regulation in the cybersecurity space is often lacking and while I’m not a fan of too much regulation, when the safety and security of society are at stake, it isn’t unreasonable to expect the government to take an interest. The quicker the White House is aware of an event and can prepare to respond with personnel, supplies, and other resources, the quicker a disruption might be resolved and therefore mitigate the impact to citizens.