Reporting an incident to the correct authorities or vulnerability clearinghouses can be an experience fraught with frustration.
You pour time, energy, and resources into fighting an intrusion, all while keeping company officials and stakeholders up to date and preventing sensitive information from getting into the wild.
Explaining what happened might seem just like another layer of hard work and exposure to potential embarrassment when the details are out there for all to see.
But legislators have been pushing enterprise executives to share more information about security incidents and they’re creating new requirements in the United States and around the world to mandate the disclosure of such information. Why?
As painful or counterintuitive as it might seem to explain how the bad guys did what they did to your organisation, there are some great reasons to report breaches.
Many security leaders say they fully support requirements that mandate organisations to report incidents of compromise (IOCs) and provide information on how they occurred, saying authorities can use that intelligence to help cybersecurity community better combat bad actors.
Creating a “proper culture” of notification and investigation
To facilitate the sharing of incident information, many jurisdictions are implementing laws such as the US Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which when fully implemented will require covered entities in the critical infrastructure sector to report incidents and ransomware payments within specific timeframes to the federal Cybersecurity and Infrastructure Security Agency (CISA).
In Australia, the 2018 Security of Critical Infrastructure Act requires covered entities to report to the Australian Cyber Security Centre within 12 hours of becoming aware of a critical cyber security incident.
Singapore’s Cybersecurity Act of 2018 also contains a reporting requirement for critical information infrastructure owners and the European Union’s NIS2 Directive seeks to “streamline reporting obligations” in EU member countries.
“What we need is a proper culture of notification and investigation of all incidents, aimed not at assessing blame (or worse, mocking the victims, as sometimes happens) but rather at learning lessons and improving security for everyone,” says Stefano Zanero, a Polytechnic University of Milan professor whose research focuses on cybersecurity and is an Information Systems Security Association (ISSA) International board member.
Simply put, the reporting process helps organisations defend themselves and others in their industry, says Sara Sendek, managing director for cybersecurity and data privacy communications at FTI Consulting.
“It helps others know what to look for, and it would give CISA a better view of what’s happening so the government could take more offensive actions to disrupt these [hacker] gangs,” says Sendek, a member of the US Secret Service Cyber Investigations Advisory Board and a former CISA public affairs director.
Incident reporting has many benefits
CISOs and their teams, analysts and researchers, security vendor professionals, and even some government officials have a long history of sharing information — albeit not because sharing has been mandated.
Rather, they have typically shared intelligence through industry-aligned nonprofit Information Sharing and Analysis Centers (ISACs), roundtables, conferences, and their own personal networks.
But security officials say many members of the security community have been less inclined to officially report security incidents to government officials or law enforcement. That hinders organisations and government agencies, says Michael Daniel, CEO of Cyber Threat Alliance (CTA), a nonprofit information-sharing organisation.
“The level of reporting getting to the government and law enforcement is not what it should be for the government to do its job right,” he says.
The FBI provided some statistics around this in January 2023 when FBI Director Christopher Wray announced that the agency had disrupted the Hive Ransomware Group; in that same announcement Wray noted that only about 20% of Hive’s victims had contacted law enforcement.
Government authorities and some cybersecurity leaders are calling for security executives to report incidents as well as to more openly and more frequently share information — specifically the hacker tactics, techniques and procedures (TTPs) they’re seeing in their own enterprise operations.
In that announcement, Wray specifically spoke about the value of reporting incidents to authorities, thanking “those victims and private sector partners who worked with us and who helped make this operation possible.”
Sharing is caring when it comes to cyber incidents
Reporting has multiple benefits, Daniel says. To begin with, reporting IOCs allows law enforcement and other government agencies to assist organisations during cyber events. It also enables authorities to collect data, including forensics and evidence.
That information can be used to alert others to TTPs so they can better defend against them and thwart attacks, “so you can potentially reduce the impact of ongoing activity,” Daniel says.
Those data can also be used by authorities to counteract hacker activities through diplomatic, technical, or other channels as well as take down or prosecute bad actors.
Additionally, reporting helps officials to build a better understanding of cybercrime and its impact — an area where Daniel and others say estimates certainly exist but “are all over the map.”
That in turn leads to yet another reason to embrace reporting mechanisms: a way to track progress. As Daniel explains, reporting helps “establish the baseline of the rate and volume of malicious cyber activity across the Internet so we can determine whether what we’re doing is effective.”
The world is digital and interconnected, notes Dena Kozanas, associate general counsel and chief privacy official at MITRE.
“We cannot be an island unto ourselves when it comes to protecting critical assets, like data, in our society. Each entity, whether a government unit or business organisation, must think of itself as part of a larger, interdependent community. This is why it is more important now than ever to encourage and even mandate reporting of cyber incidents.”
Existing information-sharing networks
As vice president and CISO of global tech company Insight and a former security leader at RSA, a security software company, Jason Rader has for years regularly met with US government officials to provide intelligence.
“It wasn’t uncommon for me to give a dossier to the government,” he says, noting he and his research teams often reported suspicious activities that indicated that a cyberattack was imminent to government agencies.
Rader continues to communicate with agencies such as CISA and the FBI. He regularly meets with other CISOs, engaging in roundtables governed by Chatham House Rule, whereby participants can use the information being discussed but may not disclose specifics.
He passes information along through his professional network, sharing insights on security events via phone calls and the like.
All these channels, Rader says, help him and other CISOs pass along critical insights “in a relatively short amount of time,” something that helps validate security strategies and even stop or limit attacks in action.
In addition to those channels described by Rader, institutions exist for more formalised information gathering and sharing. While ISACs are a good place to start, there is, for example, InfraGard, a partnership for information sharing between the FBI and the private sector “for the protection of US Critical Infrastructure.”
European and other countries have similar entities, such as the National Cyber Security Centre in the Netherlands, which shares cybersecurity news and facilitates multiple ISACs.
Yet their data comes only through voluntary sharing, and to date that has limited their potential impact, some experts say. “We’ve largely operated in a voluntary world for sharing,” says Jeff Pollard, vice president and principal analyst with Forrester Research.
“You have email, chat, Slack, or Discord, and subscription email lists where people informally pass along information. You have these ‘whisper networks’ where practitioners share [information] when they see something interesting.”
Pros and cons of today’s intel-sharing channels
Each reporting channel has its own benefits and limitations. For example, one-to-one sharing among enterprise security professionals can quickly distribute relevant information, such as a new attack technique or a hacker’s actions following an initial breach, to those in the field who can put the information to immediate use.
That kind of one-to-one sharing among professional colleagues can more easily pass along context and even offers of mutual aid during actual attacks.
“When it’s organic information sharing, people are sharing the information they think is most useful. That’s really important because they need those technical indicators, they need to know the tactics, techniques, and procedures of the adversaries,” Pollard says.
“What I worry about, when it’s formalised or forced, is that the information becomes less relevant, or too much information might be shared so it’s less useful, or it might be dated and the adversaries have moved on.”
Meanwhile, existing informal and formal sharing networks can protect the identities of organisations witnessing the hacker activities that are raising alarms. That can be important to executives and legal teams, particularly when the incidents are concerning but have not compromised the business (and thus don’t need to be publicly disclosed or officially reported).
Furthermore, security leaders say existing networks often disseminate information that wouldn’t have to be disclosed under existing or future reporting laws — a novel attack attempt, for example — yet is valuable intelligence, nonetheless.
Today’s sharing networks aren’t perfect
Experts also acknowledge that there are problems with today’s information-sharing networks. First, the networks, particularly informal ones based on relationships and professional connections, exclude large numbers of security workers who could benefit from the insight.
As Sendek asks: “Shouldn’t everyone have the same access to information to protect themselves?”
Additionally, because whether and what to share is voluntary among such networks, CISOs and their executive and legal teams may be unwilling to disclose critical details, fearing repercussions or liabilities.
“Everyone I have ever spoken to agrees that sharing incident intelligence is the wise thing to do to build industry-wide capability, awareness, strength, and resilience,” says Steve Wilson, an Australia-based vice president and principal analyst at Constellation Research. “But opening one’s kimono is difficult.”
“It’s hard to get permission (or even understanding) from non-cyber specialists in a firm’s management,” Wilson says.
“Incident details of course are often highly commercially sensitive. So, there’s a prisoner’s dilemma: participants in principle will agree to share sensitive information about their own organisations if everyone agrees to do so for the common good, but at the same time they all suspect their peers are going to hold back.”
Such networks also tend to be formed around industries, as is the case with ISACs, which means information can be readily distributed in one sector but may not make it to others.
A push for more comprehensive data
Consequently, many security leaders now believe the existing information-sharing networks are not adequate to build the collective knowledge required to better defend against bad actors. “We don’t know everything, and that’s what makes everyone uneasy,” Rader says.
Others also point out that even though security practitioners are sharing information, there’s no comprehensive centralised repository of who’s hitting whom with details on the actor type, attack type, and other critical information.
That’s the kind of information the cybersecurity profession could use to evolve and mature, says Charles Harry, an associate research professor at the University of Maryland School of Public Policy, director of the school’s Center for Governance of Technology and Systems (GoTech), and a senior research associate with the Center for International and Security Studies at Maryland (CISSM).
Some data, of course, exists. In fact, CISSM maintains the Cyber Events Database, which collects publicly available information on cyber events from 2014 to the present. (Information on the website notes “It was created to address a lack of consistent, well-structured data necessary for making strategic decisions about how to invest resources to prevent and respond to cyber events.”)
“We are the largest source of repository data in the world, which is sad, because I’m doing this with undergraduates. That’s a major problem,” Harry says.
He says he supports more mandatory reporting requirements to ensure officials truly have the most complete data possible. “If you look at the data, we need both the informal networks, because they’re effective, and we also need the formal networks to bring the industry forward in a more methodical way.”