SolarWinds Fallout: When Will Breach Reporting Become Mandatory?


It’s been one year since the SolarWinds hacking revelations rocked the cybersecurity community.

The key takeaways were the vulnerability of software supply chains, whether a software bill of materials should be required from suppliers and the need for greater visibility into critical and high-severity vulnerabilities. Some progress is being made in these areas, including vulnerability disclosure programs.

Also needed are incentives for organizations, especially those operating critical infrastructure, to promptly report data breaches and other cyberattacks. Relevant legislation has been slow to materialize, while breaches and exposures of personal and other sensitive data continue in all sectors.

Breaches continue

In November, the Robinhood mobile stock trading platform revealed it had suffered a breach of millions of users’ names and email addresses. The breach also included many more account details for a much smaller subset of users.

In September, Syniverse, a company that routes SMS text messages for all major US carriers, disclosed via a regulatory filing that it had known since May 2021 about hackers’ access to databases of its operational and IT systems. The intrusion spanned a five-year period. Syniverse was vague regarding what data may have been exposed.

Meanwhile, the Epik data breach revealed in September was, well, epic. The hack of the web service affects 15 million users including non-customers.

Even larger breaches occurred in August. One exposed 38 million records across 1,000 web applications stored in Microsoft’s Power Apps Portal. The records, drawn from sources including Covid-19 contact-tracing platforms and employee databases, contained sensitive personal data.

Another affected more than 50 million current and former customers of T-Mobile, whose sensitive personal information was stolen.

Federal action

Since SolarWinds, calls for mandatory breach reporting have grown louder, including federal legislation that would replace the current state-level patchwork of laws.

In response, the Biden administration issued an executive order in May requiring both federal agencies and their software suppliers to report data breaches and cyberattacks. But the requirement is limited in scope.

Separately, work on mandatory breach and cyberattack reporting for organizations operating critical infrastructure, though not for all private-sector companies, has been ongoing since the SolarWinds hack.

After many months of congressional debate and dialogue among government and industry stakeholders, mandatory breach and cyberattack reporting legislation was approved by the House in September. However, it has so far failed to clear the Senate. Although breach and incident reporting has bipartisan support, it was not included in the compromise version of the 2022 National Defense Authorization Act that cleared the House on Dec. 7.

The omitted legislation was the Cyber Incident Reporting for Critical Infrastructure Act of 2021. The proposed legislation would require private companies operating critical infrastructure to report incidents within 72 hours to the US Cybersecurity and Infrastructure Security Agency.

Elsewhere, other federal agencies aren’t waiting for Congress to act. In October, for example, the Justice Department announced it would sue government contractors for failing to report data breaches or cyberattacks.

“For too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it,” said Lisa Monaco, US deputy attorney general. US contractors receiving federal funds can be sued under the False Claims Act. The Act also includes a whistleblower provision protecting private parties.

DoJ precedent?

DoJ’s action could accelerate federal action on cybersecurity. “I think [it’s] a monumental change for any federal contractor, but especially for Department of Defense contractors,” Eric Noonan, CEO of CyberSheath, told EE Times.


Although the feds established cybersecurity baseline standards for contractors in 2015, they were not enforced and did not include audits.

Earlier this year, CyberSheath analyzed 600 military industrial base companies to gauge their ability to meet basic cybersecurity standards. It found that about 70 percent lack any kind of plan.

Two-thirds or more failed on several counts: level of multi-factor authentication; appropriate access controls for controlled unclassified information (CUI); correctly marking media for CUI and distribution limitations; establishing and enforcing security configuration settings; and testing their organization’s incident response capability.

“So, there are some foundational hygiene issues being ignored, and this is five or six years into mandatory compliance,” Noonan noted.

US officials moved last year to assess contractors’ self-assessments. Since then, “we’ve seen an exponential change with subcontractors getting serious with cybersecurity,” added Noonan. “This new DoJ whistleblower program creates, in effect, a shadow auditing force for the US government. I think [all] this is transformative and long overdue. Coupled with President Biden’s executive order announced in May, the federal government is getting detailed and aggressive in enforcing cybersecurity at all levels.”

The DoJ decision could also have a downside, depending on how it’s implemented. Inga Goddjin, Risk Based Security’s executive vice president, is torn.

“Transparency is incredibly important, and for too long there’s been a lack of it in breach reporting, and in sharing information that can help prevent other organizations from being compromised or attacked,” she said.


“So, anything that can open up dialogues between organizations and their suppliers is good.”

To be truly effective, however, cyber initiatives must include standard reporting methods while understanding the consequences of an investigation. “Contractors deserve to know what the roadmap looks like, and they deserve to be able to share the information effectively — and in a way that’s not necessarily going to be an additional burden to them,” Goddjin argued.

“Adding a reporting requirement that may be difficult to comply with isn’t going to achieve the objective of better reporting.”

Even if it advanced through Congress, “legislation is always a trailing indicator,” Goddjin added. “It takes a while between the action prompting the legislation and the resulting legislation taking effect.”

She said the Biden administration’s executive order removed “the red tape so the different agencies could work together – the FBI, DoJ, Treasury, and for them to work with Interpol, too….”

Noonan said the Justice Department’s action will at least shine a light on the problem. “The ultimate solution is a documented, annual audit of compliance with requirements, like your car inspection,” he said.

Also needed at the federal level is an independent third-party assessment akin to an auto safety inspection for determining whether contractors are meeting baseline security standards.

“The takeaway for me is: Until we have mandatory cybersecurity minimums that are audited or at least verified, we won’t have cybersecurity,” said Noonan.
