The U.K.’s National Cyber Security Center last week posted a joint blog with the nation’s regulatory commissioner’s office about the need for better cybersecurity breach transparency. They’re concerned about the unreported incidents, in particular ransomware cases, which are getting more dangerous, more prevalent and more costly.

The situation creates a vicious cycle: “If attacks are covered up, the criminals enjoy greater success, and more attacks take place,” they wrote in the post. This echos what former Cybersecurity and Infrastructure Security Agency head Jen Easterly said in a February 2023 Foreign Affairs article (registration required): “Victims of cyber-intrusions too rarely share information about malicious activity with the government or with other firms, allowing adversaries to reuse the same techniques to compromise countless victims.”

The U.K. authors go on to bust a few myths about transparency. Among them: Coverups are fine (they aren’t because they prevent others from learning tactics and early warning signs), reporting attacks can’t be done without public disclosure (privacy is more the norm now with many agencies), paying the ransoms is the most expedient solution (it often backfires or encourages the attackers to try to leak your data), and fines are only levied if your data is leaked (the two things are independent of each other and organizations can be fined for all sorts of violations).

Despite these myths, there are several reasons why organizations don’t divulge when and how they have been breached. One big reason that the authors of this blog post didn’t mention is that a company’s legal team and insurance provider often advocate against disclosure.

“It is the first thing the lawyers and insurers tell you when they hear about your breach,” faculty member Stuart Madnick said at the MIT CIO Symposium this week. “‘Don’t say anything.’ That is counterproductive.”

A second reason is that breach reporting regulations are all over the map in terms of when, how and what is reported. There is no consistent definition of what constitutes a breach: is it a private data leak? A network intrusion? One employee who has been compromised? An attack on critical infrastructure such as a pipeline? The Securities and Exchange Commission specifies a “material” breach, which has a definition that works for public companies but doesn’t make sense for everyone else.

Speaking of pipelines, there were no reporting requirements in force back in 2021 when breach that happened to the Colonial Pipeline Co. It helps to have very public failures to crystalize our thinking, to be sure. But they also show that the regulations are a moving target.

Finally, there’s no consistent timeline for when to report the breach, either. The EU’s General Data Protection Regulation was one of the first to require a mandatory three-day report, after which it would levy huge fines. And it has, with collective fines of more than 3 billion euros issued in the more than five years of its history.

That’s great, but back across the pond, there is the mishmash of state and federal regulations in the U.S. to deal with. This has made reporting a full-employment act for cybersecurity lawyers. (That link connects to a compendium of the specifics of each state’s regulations.) Indeed, each state has its own requirements. For example, Utah has 45-day requirement, while Connecticut has 60 days. And various federal regulators have three- or four-day requirements.

Breach transparency also has several separate dimensions. One is being transparent to customers and suppliers, so they know what private data has been leaked. Another, of course, is to be transparent to the various government regulators. Although I focused on the timelines, there are numerous other differences in what is reported to the various regulatory and law enforcement bodies, as I wrote about earlier this month on our disjointed national cyber strategy.

And then there’s the goal to be transparent to management and to set their expectations as to what will happen as in response to the incident, how various systems will be fixed and what are the risks to the company and stockholders. All of these groups have some common elements as part of the transparency operation, such as how long operations will be down and what steps the organization is taking to prevent this from happening again.

A good template for how to report incidents to the public can be found with the recent Dragos data extortion attack. The company wrote this report within two days of learning of the incident.

It was super-transparent, describing what happened, how it prevented the attack from getting much worse, an event timeline, screen captures of its text message traffic with the adversary, mapping the attack into the various threat techniques, and a bunch of recommendations for others to follow.

Almost all of the breach blog after-action reports have few of these items, lack the specificity of what Dragos posted, or are so vague and filled with legalese that they are mostly useless. Plus, many of these posts take months to see the light of day.

The upshot: We have a long way to go to improve our breach transparency. The time to take these baby steps is now.

“Every organization should demand transparency from its technology providers about whether they have adopted strong safety practices,” wrote Easterly. She recommended a variety of actions, including having a national cyber security strategy and holding more CEOs and corporate boards more accountable and knowledgeable about cybersecurity measures.

Image: geralt/Pixabay