Key Questions:

• What are the tradeoffs associated with making incident reporting mandatory? 
• What is the history of incident reporting, and how has it evolved? 
• What are the key aspects of the California 2002 Data Breach Reporting Obligation and HIPAA to incident reporting? 
• What are the pros and cons of implementing mandatory incident reporting?
• Which agencies should be responsible for reporting?
• Should incident reports be in the public or private domain?
• What level of detail do incident reports require?
• What should the timing of reporting look like?

Extra Resources: 

• CIRC Cyber Incident Reporting Harmonization Report
• Text of Cyber Incident Reporting Critical Infrastructure Act (CIRCIA)
• Cyber Information Sharing Act of 2015
• Coverage of Info Sharing

Transcript

Sasha O’Connell

Welcome back to Cyber Policy Fundamentals, the Start Here series. My name is Sasha O'Connell, and I'm a Senior Professorial Lecturer at American University and I'm joined by my colleagues, Drew Bagley and Megan Brown from CrowdStrike and Wiley Rein, respectively. We're super excited to launch this episode and dig right into incident reporting. Mandatory cybersecurity incident reporting is a hot topic these days and an ongoing policy discussion at many levels. There are numerous proposals and new mandates coming online, both at the federal and state level. In this episode, we want to break down the fundamentals, assumptions, and tradeoffs so that you can evaluate various proposals and approaches as they come online. So, we're going to start with what is this policy issue? And to start, let me offer from, where I sit, the policy issue most simply is whether cybersecurity incident reporting, so the reporting of cybersecurity incidents, should be mandatory and if so, to whom. And that's really the challenge that policymakers are struggling with to formulate those rules. Megan, is that right? Is that the place to start?

Megan Brown

Yeah, I think it is. I mean, there's a lot of different tradeoffs, but I think a fundamental principle to keep in mind is that cyberattacks and cyber breaches are fundamentally criminal activities, right? If a major company is subject to a major incident, someone has done a very bad thing and violated several federal laws at a minimum and it is unusual in our society and sort of civil justice system to require victims of crime to report that crime. In other circumstances, if you think of victims of robbery, identity theft, physical violence, there’s not some overarching mandate that says all crime victims have to run to the police or tell anybody. That might be a good thing, it might be nice if people did in certain circumstances but that's not the assumption when you're the victim of a crime and so, I think sometimes these discussions forget that private organizations and governments, frankly, are victims of crimes when we're talking about cyber incidents.

Sasha O’Connell

Absolutely. That is really good context and I think that analogy to kinetic or real-world crimes is an important one to keep in mind if there is going to be a change from that tradition, is the justification there. Drew, is there historical context here for cyber internet reporting? What's your thought on that?

Drew Bagley

Absolutely. Cyber incident reporting isn't all that new, especially when we think about the broader family of data breach reporting obligations. So, beginning about 20 years ago, or actually a little more than 20 years ago, in 2002, California passed the first state data breach reporting obligation. The Health Insurance Portability and Accountability Act, also known as HIPAA, was amended in 2003 with its security rule and for those requirements, what you really had was the beginning of an impact driven regime. In other words, where there was some sort of impact on victims and the type of data was the type that could be used, such as to perpetuate identity theft. It was sensitive personal information known as PII. Then that sort of personal information breach would need to be reported. It also mattered how many victims there were, what the circumstances were, and whatnot and these early data breach reporting requirements had very long lead times from when you would discover an incident and then when you needed to tell your regulator. And so, what we've seen over the past few decades is things have gotten more industry specific. The definition of what an incident or breaches has changed, it really applies in some ways to a broader category of data and at the federal level, we haven't seen one overarching federal requirement. Instead, we've seen more of these industry specific approaches. In the same way HIPAA was focused on health care, we now have reporting obligations for critical infrastructure, and we have reporting obligations for the financial sector and other sectors.

Sasha O’Connell

Awesome. I think that is super important context. So maybe then taking next, we can revisit this idea of defining terms real quickly, then maybe talk a bit more about what the real problem is that policymakers are trying to solve. Again, Megan, to your point, if this isn't how we do it generally, right, why is cybersecurity different, and what problem are we trying to solve, and then some of the factors that make it particularly tricky. So just going back to the definitions real quick. So, as I mentioned, right, incident reporting is when an organization experiences a cybersecurity incident and reports it, we generally consider it to a government agency is what we're talking about right, and it comes in two forms. It can be voluntary, the organization decides for itself whether it tells someone, or mandatory, a law, regulation, or contract situation that requires the organization to notify the government. Is that a fair description? Am I forgetting anything just to level set on what we're talking about here?

Megan Brown

Yeah, no, I think that's right. There also could be, as Drew mentioned earlier, sort of data driven requirements right. You may have to notify consumers or others whose data was affected; but, yeah, that's what we're talking about.

Sasha O’Connell

Perfect. So that's what we're talking about, why is this different? Why do we even‑ what problem is created in cyber that to your point, Megan, it's not created in other families of crime and reporting? What problem is the government trying to solve with this intervention, Megan?

Megan Brown

Yeah, so we've had for years on top of the few mandatory regimes that Drew talked about, it's mainly been a system of voluntary reporting of cyber incidents and Congress has done a few things to try and encourage that. Call the FBI, call DHS. They've enacted statutes to make it easier to do that and to protect companies who do that. And there's a lot of reasons, frankly, why the victims of a cybersecurity incident might not want to go public or might not want to call the government, hesitation about having the FBI in your system. The FBI has done a great job recently over the past, say, 5 to 10 years of changing that culture, but it's heady to pick up the phone and call a law enforcement agency and ask them to sort of get in your business. In addition, you might have an incident that doesn't really have strong indications of harm to consumers or likely identity theft or, systemic impacts. Or you might not know the impacts early on, investigations can often take weeks or months to really figure things out. The victim might not want to tell the government because of regulatory risk. They might not want to tell the public or other companies because of brand impacts as well as class action litigation exposure, or as we saw after Colonial Pipeline, your CEO gets hold before Congress and yelled at for any missteps that might have been made and we've seen this. There is a risk of revictimization after you go public. If reporting happens before your systems are secured or what's going on or even some of the ransomware bad actors will double dip. So, I see a lot of reasonable hesitancy to make certain incident reports both to the government and to the public.

Sasha O’Connell

Okay, I'm officially then not convinced, right. Drew? What's the argument on the other side? What are proponents of mandating reporting arguing? What problem are they trying to solve?

Drew Bagley

Yeah, supporters of reporting mandates are generally citing several different problems that they're trying to solve, and it really depends on the type of reporting requirement, the sector they're focused on, and whatnot. So, if we take all of that together, the list of some of the most common policy aims would be, first of all, raising awareness of some of these data breach incidents or cyber incidents and then in theory, what that means is that if victims know that this sort of thing has happened, that helps them ensure they can better secure their own data. That also helps them think more about who they're going to trust their data with, which then in theory can create incentives for companies to bolster their security and make sure that they're protecting data better. There's other arguments depending on the government agency involved and supporting certain types of requirements; there are investigation and enforcement equities at stake. If the government doesn't know about these incidents, then the government doesn't have the information to investigate them and then also the government doesn't have the ability to use its resources at scale to potentially disrupt adversaries who may be behind these types of attacks or to enforce against companies or even other government agencies that might not be responsible stewards of data. And so there really is this enforcement angle that if you have laws to protect data to begin with, how are you going to be able to enforce those if you're not aware of when there have been lapses in that? And then there are some incentives for those companies themselves. If a company is aware or a government agency is aware that they would be publicly exposed in some sort of way or obligated to tell a regulator or obligated to tell the victims about a cyber incident, then that's going to further incentivize them to protect their data with even more resources, to devote more resources to that, so that a breach or a cyber incident doesn't happen to begin with. We certainly see this a lot today in terms of some of the ideas behind some of the modern legislation where you don't just see a notification obligation, but you also see an obligation to protect data to begin with reasonable measures, something that's intended to change over time. And then there's also this notion that if you have a bunch of these obligations, if they're broad enough, you can overall change the culture. So, a couple decades ago, for example, a Social Security number was something that was much more commonly used as an identifier for things that have nothing to do with Social Security or filing taxes and now, of course, we've seen instead a migration into other forms of identity for various applications. So there really can be this change of culture when certain categories of data are deemed to be regulated and other categories less regulated and have less penalties attached. And then, ultimately, there are arguments that if you have some types of these obligations in place that are requiring this type of data to be produced on cyber incidents and data breaches, and that can better inform policy as a whole. So for example, it might be that if you're seeing lots of different patterns that are consistent with certain types of cyber incidents, and they're all coming from a particular threat actor or using a particular payment method or targeting a particular sector, and that can inform policymakers as to where they should devote their energies and attempt to come up with some sort of new policy solution that instead of focusing merely on the reporting is focusing on stopping the cause of the problem to begin with.

Sasha O’Connell

It's so interesting and hearing you both lay those out, it's clear why this is an evergreen issue, right. That there's a lot to contemplate in terms of costs and benefits in both sides of the argument. I would say maybe in summary, and I'm curious what you guys think, the reason this is particularly challenging or what makes this so hard to nail down and define sort of falls into a couple, at least priority buckets and one is that there are clearly, as you both said, complexities and tradeoffs, right, for reporting mandates because victims and investigations could be harmed by over reporting or premature reporting. So that's not even necessarily obvious on the investigation side. Additionally, consumers might suffer from notice fatigue or over reporting to be harmful in that way too and that is just too much, particularly in agents in organizations or companies that are in a regulated space. And then I hear you guys talking about too, the move from voluntary to mandatory kind of impacts and complexities for that relationship between the private sector and government, the trust piece there and how that works both positively and negatively. Before we move on to laying out the key players, any other thoughts you guys on why this makes it particularly tricky given the arguments you both laid out?

Megan Brown

I like that you just introduced that concept of trust, Sasha, and I think we'll come back to it, but I think the relationship so far in cyber has frequently, but not always been, built on trying to create that trust that makes companies want to call the FBI, or call DHS, or even call their regulator and there may be downsides to some of these new mandates because with mandates come accountability and enforcement. So that's, I think, one of the big things that policymakers have to balance and you've seeing that in a lot of the regulatory comment cycles that are ongoing.

Drew Bagley

Yeah. I think another difficult issue to grapple with some of these reporting requirements is that we moved away from an era in which there was a long lead time with these reporting requirements; to one in which there's an expectation to report nearly immediately and granted, there definitely are thresholds. There's thresholds on determining the incidents of high impact, making a determinability, determination, etc., but ultimately, in those first few hours and days after there's some sort of data breach in modern times, you're usually dealing with a cyber incident, and usually, the priority is to mitigate that incident, stop the bleeding, and ensure that more data is not going to get out. And so sometimes I think that there's many equities at stake and interest with regard to the brief reporting itself, but this isn't done within a vacuum. I think that's really important to remember.

Sasha O’Connell

Yeah that's great. So, in addition to this idea of voluntary versus mandatory, you're pointing out two other things, to how big of a breach or cyber security incident does it need to be to be reported this idea of materiality spoken another way, and then you said a couple of times too, I think it's really important, the time aspect. How long do victims have to report? So those are all three kind of important things that need to be considered when thinking about any of these policies going forward. That's super helpful. Let's turn for a second to the key players here and their equities and interests. I think it really helps understand the context of these discussions to understand where people are coming from and what their incentives are, and their equities are when they bring it to the debate. Drew, can you start with the private sector side? I know that’s a big task. Can you sum up how the private sector feels real quick on this? But what are some key points there?

Drew Bagley

Yeah, absolutely. If we look back at the history of data breach reporting, there are, of course, all 50 states have data breach reporting laws, but now what we've layered upon that are many industry specific reporting obligations, so now you have many larger organizations in the private sector that really fall into multiple categories. So, they have a Venn diagram of reporting obligations whenever there is an incident, and there's no consistency over even how those incidents are defined or what those timelines are for reporting those incidents. So, I think that when you think about where the private sector is with anything in the regulatory space, they're always looking for consistency. Then you can resource around consistency, design processes around consistency, and then comply with the law, and then organizations that aren't, there can be enforcement penalties but where you make things very confusing and layered, then it's very hard for organizations to comply with the law, especially smaller ones when they have competing, potentially competing legal standards. So I think consistency is one of the key things that the private sector is interested in.

Sasha O’Connell

That's perfect, and then thinking about it from a consumer perspective or an advocacy, civil society perspective, I think it's important to think about too, the dual piece of being concerned about one's personal data and security and privacy, and how those things kind of come out in the wash in terms of a balance of protecting one's data and getting that notification and also protecting the ability to control one's data right in reporting to government and where that data goes. So that's a whole other piece; I think that's very much in the mix. Megan, what do you think about both of those and also, can you talk about the government's perspective real quick?

Megan Brown

Yeah, sure. I think on the consumer side, one element that we've seen is not just an interest in consumers and security of their data, but also the reliability of the services that they have come to expect and so I think you've seen a shift in how the government thinks about the private sector's duties, which is, I think we've kind of moved beyond, frankly, some of the data focused regulations, and now we're talking about resiliency, availability, etc.; really important services. That's why there's this focus on critical infrastructure. From the government's perspective, there are a lot of actors and whenever I think about who the key players are in government, I also because, I'm a lawyer, I think about what are their authorities? Have they been told to go do this? So we have a few key players. The FBI has been doing this for a really long time. The Department of Homeland Security is now a major player, and I think that creates some friction with the FBI in policy decisions, but DHS has the cybersecurity and infrastructure security agency that has been given a bunch of new authorities from Congress. They're supposed to be kind of the belly button of the civilian critical infrastructure government relationship, but you have these other regulators who are out there that layer on top of from the Federal Communications Commission to the Federal Trade Commission to the Transportation Security Administration, EPA, the securities regulators. They are all doing things on cyber, and I think everyone in policy world needs to think about what are they doing, how does it relate to all the other activities and what are their authorities. And then finally, another huge player in this space are the state legislatures and regulators. Because as Drew mentioned, there's not an overarching federal privacy or cyber regime right now, the states are kind of off to the races and creating some additional complexities. California is one, New York Department of Financial Services is another, but there's a whole bunch. So that's kind of the, as you like to call it, Sasha, the who's who in the zoo. From my perspective, on the federal side, it is an ever-expanding set of characters, unfortunately.

Sasha O’Connell

Absolutely. Thank you both for your help breaking this all down. While many know about current or pending incident reporting requirements or proposals, unfortunately, I don't think we often stop and think about definitions, historical context, and real problems or issues we're trying to solve as we've covered here, because we want to take some time on this topic to dig into some of the proposed interventions more specifically. We're going to reconvene for another episode of Start Here to do just that. Thanks for joining us. We look forward to seeing you next time when we continue this conversation and please be sure to follow the link to our website available in the show notes to access additional resources on this and other related topics.

Key Questions: 

• To whom should reporting be required?
• How can we achieve uniformity in reporting regulations?
• Should reports be public or confidential?
• What should the timing standard be for reporting?
• What data is used to decide reporting standards?

Trancript

Sasha O’Connell

Welcome back to Cyber Policy Fundamentals, the Start Here series. My name is Sasha O'Connell and I'm a Senior Professorial Lecturer at American University, and I'm joined by my colleagues Drew Bagley and Megan Brown from CrowdStrike and Wiley Rein, respectively. Today we're going to continue the conversation about Incident Reporting Policy. If you're looking for history and context on this topic, I would recommend a listen to Episode 2 first, where we dig into those issues, because today we're going to jump right into policy choices currently under consideration. And with that Drew, can you kick us off?

Drew Bagley

Sure. Well today, there are state data breach reporting obligations in all 50 states. There is no federal equivalent, so no federal standard, that supersedes those 50 independent laws. Now those laws obviously have developed over the course of a similar time period, so many of them are similar in their requirements and then how they define what type of data that needs to be reported. But then layered on top of that, are both in some states and then certainly at the federal level, sector specific reporting obligations, and that's where the definitions of what needs to be reported change, but also the thresholds of when something needs to be reported. In other words, you could have some sort of incident where you have a data leak, data loss, data breach, but it doesn't rise to the threshold of what needs to be reported, and that is something that varies greatly with different laws. And then on top of that, we now have seen newer requirements through the rulemaking process, such as by the SEC, for publicly traded companies to report material cybersecurity incidents. That means that you have some requirements where the duty is to either tell a regulator or directly inform a victim of some sort of data breach or cyber incident, and you have a newer requirement where there's a duty to tell the world, and so that's a bit different as well.

During this time too, what we've seen is because you have 50 different state regulators, then you have different government agencies that regulate different sectors, even how you report a cyber incident or data breach is different. And in terms of what form you fill out, what information is required, who you send it to, and when you need to turn over that information and do that notification. So, for example, something like HIPAA, going back to the early days, that standard is still in place, that's a 60-day notification window, whereas there are now

some that are as short as 24 hours. In addition to that, what we've seen is, we have seen some discussions in Washington and some efforts to try to even picture what would harmonization look like. So for example, if we take one of the more recent requirements, CIRCIA, the Cyber Incident Reporting for Critical Infrastructure Act, that law, one of the things it created, in addition to new mandates for critical infrastructure, was it created something known as the Cyber Incident Reporting Council. And that was chaired by DHS and recently came out with a report. What the CIRC was focused on was coming out with a report on what harmonization could, should, and would look like, in terms of breach reporting. So that even if there were agencies that have completely different remits and completely different equities, there could at least be a way in which a victim could report to one place and have their data then sent to the appropriate venue depending on how they were regulated or appropriate venues.

So we do see certainly an appetite for harmonization, but no clear path at this time.

Sasha O’Connell

So, there are 50 different versions of this, plus the new requirements coming out of CIRCIA and the SEC depending, addressing the critical infrastructure focus and publicly traded companies, specifically. And this is all a bit of a jumble in terms of the specifics, and we could use some harmonization, perhaps through federal law, but that doesn't seem to be happening. Do we know what the issue is here in terms of getting this all aligned?

Megan Brown

Yeah. I think we've identified at least six that have come up in the development of the law that Drew was describing, CIRCIA, that Congress had to grapple with, but also that DHS and CISA are going to have to – they're resolving right now in many respects, as they implement that law. But the first big question we stumble upon, I think, is to whom should reporting be made, if you're going to have mandates? And one major policy debate underlying that legislation was the role of DHS versus the FBI. Sort of does a mandate to report to CISA undermine voluntary reporting to the FBI or should the FBI have some sort of more robust role? And I think that's a hard question. Congress resolved it in CIRCIA, that major incidents are going to be reported to DHS and CISA. Related to that, should regulators get the information that is reported? Should they have their own mandates? Should they rely on DHS, or should DHS keep that information kind of siloed for operational uses and not use it for regulatory enforcement type things? And related to those questions are, does the agency receiving reports, whether it's TSA or the Environmental Protection Agency or DHS, does that agency have the capacity and capability to do something

meaningful with the reporting? Those are kind of key policy questions about that first question, which is, to whom should reporting be required?

Sasha O’Connell

And Megan, what's your thought just on that to finish up to whom? Right? Drew also raised this question of public versus confidential. Right? That if you're reporting, is that protected in that way? Or, again, we saw this with FCC and maybe some other things coming forward, that requirement to make it public too. Right? Adds another complexity.

Megan Brown

I personally think it does add a lot of complexity, and I think policymakers are grappling with that. We saw in the regulatory process at the Securities and Exchange Commission, basically the private sector crying out for less public reporting or at least less public fast reporting, which we'll talk about timing shortly. But this question of, should you report to a law enforcement agency who can operationally help find bad guys, or are you reporting publicly for some other purpose? It goes back to that threshold question Drew identified at the outset, kind of what is the purpose of the reporting? And that is going to be an evergreen question. Whenever a reporting mandate is being discussed, I think policymakers and regulated entities need to think about public or confidential. What are the benefits and tradeoffs of each of those?

Sasha O’Connell

Okay. So, we've got to whom – and we've got a bit of discussion about then what the receiving entity does with it or doesn't do with it. Right? So, and I interrupted you there, but what about the question of what to actually report? Right? And then that triggering mechanism, what triggers it and the timing? I think those are the outstanding issues.

Megan Brown

So, I think in terms of what you report, this is going to be a real challenge for regulators across settings is, how detailed do you want reports to be, and what is the purpose of the information you're demanding. Right.

I think there can be a tendency to want more and more information because someone might find it useful or interesting, but I think policymakers need to ask themselves, what is that trade off about? The more information you demand, the harder the report is going to be to do quickly and accurately. And then what is

going to be the use of that information? And you've seen in a lot of comments, the private sector encouraging actionable timely information. And is the government going to do anything with it that will help the private sector, or are they just pulling in a lot of information that may not actually be actionable? I think Drew had some thoughts on some prior legislation.

Drew Bagley

Yeah. What we've seen certainly is that there is a government interest in knowing, especially at a macro level, not a trend level, what sorts of threat actors are posing a threat to companies in the United States, as well as government in the United States and victims as a whole, so that they can understand where our government resources appropriate to address those, where is, victim self-help the most appropriate way to defensively protect against those. And so, years ago there was legislation passed that went into effect in 2015, that allowed and even created conditions to encourage the sharing of certain information with the government, with DHS, so the cyber threat indicators and defensive measures.

But what we've seen is that that's specific of course to, sharing with one agency, and there certainly is always skepticism from the private sector in sharing certain types of information with government agencies, because government agencies, of course, depending on the agency, they also have the ability to enforce fines against the company. They have the ability to enforce criminal penalties and whatnot or just even raise costs by creating more process in the form of more information requests and subpoenas, and the like. So, that's where I think it's really important to Megan’s point, to be really thoughtful in terms of what is actually necessary in terms of information sharing. How's that information going to be used? But also, what is that benefit for the victim organization sharing that information. Is it that over time, they're going to get some information back that helps them be more secure? Is it that there's some sort of benefit from an immunity perspective with regards to what else could happen with that information being shared and whatnot. So, that's where that sort of incentive structures are really working under this realm.

Sasha O’Connell

That makes sense. Before we sum up, let me throw back on the table this idea of timing too. On addition to everything that's been put out there for consideration, Congress seems to like this idea of 72-hours for reporting. Any quick thoughts on that? I know you guys have been involved in real life incident reporting incidents. Give us some context for 72-hours. What's happening in response? Is that reasonable? And where do you see the conversation about timing going. Megan, I know you've got thoughts on this one.

Megan Brown

So, yeah Sasha, there are various timeframes being adopted and considered for incident reporting. Some are really in contrast to existing state data breach laws that may provide that you have to notify a state AG in a “reasonable time for as soon as practicable.” We're seeing now more rigid and shorter time frames. Congress seems to like the 72- hours. That's in the new incident reporting law for critical infrastructure. I find 72-hours to be a bit arbitrary. Why that number? Did anybody study the benefits of that as opposed to another period, perhaps longer? The other federal proposals that are on the table right now range from 8-hours for federal contractors, which I think is frankly wildly unrealistic. Some regimes require 24- hours from some other agencies. The FCC, for its part, just recently adopted a data breach reporting rule, and it requires reporting, “without unreasonable delay and in no case later than 30 days.” So you can see there's a lot going on in this space and the cyber incident reporting council that Congress set up at DHS to look at these issues about different incident reporting obligations they issued a report in 2023, that hopefully we can have in the resources with this podcast, it identified 45 different federal incident reporting requirements administered by 22 federal agencies, and that's just the federal ones. Other countries are also adopting some pretty aggressive and unrealistic time frames that affect critical infrastructure, and some of those are less than 24-hours, and that's really hard for companies that are multinational. The challenge, as you've alluded to, is at 72-hours after you've decided that an incident has happened, you have spun up an incident response team, Drew does this regularly with his clients, you are probably still in the very early stages of figuring out what happened, trying to figure out what your recovery plan looks like. Do you have backups? Are they accessible? Have you figured out where they are in your system if there's persistent activity? You might not have even started to think about kind of root cause analysis. From my personal experience, 72-hours is very fast because there's a lot of unknowns, and you're going to be expecting companies to tell the government things. People care deeply about being accurate when they're speaking to the government. So, it means that you are involving lawyers, and you are taking some time away from your incident responders to validate what you're going to tell the government, and that's just a real challenge. So, from my perspective, 72-hours is real fast, but that's what we're going to be stuck with for certain reporting regimes. And I really hope the government calibrates their – I guess, the government will need to have some recognition of tradeoffs. Drew, what do you think?

Drew Bagley

I completely agree. I mean, in those immediate hours, the priority is always going to be to mitigate the risk, whatever it is, just like with any other risk

mitigation practice. And so with a cyber incident, part of that is determining whether or not you actually have full visibility into the incident. Oftentimes you might have some indication that there was some sort of infiltration into a computer, but you might not know right away, and for a bit of time, where else on the network the adversary may be.

And, I think that's really important to remember. A lot of these cyber incident reporting requirements are predicated on the notion that a cyber incident is a single moment in time. If we look at some of the more modern trends like data leak extortion, that's certainly not the case, right? Where a victim can be revictimized over and over again. And so, what I think is much more important than even nailing down a particular time window, is making sure that the threshold is right. In other words, 72-hours might not be an impossible standard to meet if that 72-hour clock does not begin until you actually have a hold of the cyber incident itself, you've mitigated the risk, and then can spend those resources on getting a timely report. Whereas that the 72-hours can be very disruptive if the threshold for reporting, and when the clock starts is much more vague and broad, something that's intended to ensure that the victim has to report while they're still putting out the fire. I think that's a good way of thinking about it. Your building was on fire, you'd want to put out the fire first, then write up the report on how the fire happened. I think that should really be the intention here, is focusing on that. So, if we look – historically at HIPAA, there's a 60-day reporting timeline, and the HIPAA security rule has been in place for 20 years, and I don't know that we can say, that obviously, that hospitals are no longer under attack or hospitals are more secure because we have that reporting rule in place or that the cause of why the health sector is still under attack, is because the reporting requirement is 60 days instead of 72. Right? I don't think either is true.

Sasha O’Connell

It makes sense, and it really speaks to my last question for both of you. On behalf of the listener, I was new to this, there's so much to think about, right? We have the history, the definitions, we have this patchwork, context, efforts that kind of reconciliation and alignment, and then all of these sub issues to any of the individual policies. In the end, if I was new to this, I'd be wondering, do we know what works? To your point, Drew, right? Are there cost benefit analysis that have come out? Do we have data on kind of what works given the different policy objectives. Megan, you do this all the time. Is there a place to go to figure out what works? What did Congress use when they were deciding these things for CIRCIA, for example?

Megan Brown

Well, one thing that I think people should stop and sort of scratch their heads about is, the lack of data about the effectiveness of some of the prior reporting regimes or analysis of the uses of that data in the utility. I don't believe there has been an overarching review of what is good and bad in existing reporting. We have not just HIPAA, that Drew mentioned, we've had several years of Department of Defense mandatory reporting under some clauses there, that are fast, it's one of the places the 72-hours came from. And I don't know that folks have looked back and said, has good information come from that? Has DOD been able to help the private sector with that information? Likewise, the 2015 law Drew mentioned, which was about voluntary sharing of cyber threat indicators, a recent report came out from the intelligence community that suggested that – that's good stuff, it's effective. But Congress, I don't think looked at those precedents to say, how can we build on what has worked and improve what hasn't. They kind of move to this CIRCIA law assuming that reporting will be beneficial. I think that's a policy blind spot for some people to really think about what is the past experience with these regimes? What can we learn from that? Because I don't know that the data would support a 72-hour threshold as being particularly beneficial, but that's what we've got in the law.

Sasha O’Connell

Perhaps a great project for any researchers and academics in our listening community to take on and help our policymakers with. Drew, any thoughts on that before we wrap?

Drew Bagley

Sure. I think with some of these reporting requirements, in modern times, we've seen that some regulators somewhere, so 72-hours for example, GDPR, looks to the European Union, some regulators somewhere came up with a theory behind a number or picked an arbitrary number, and then others, for purposes of pure consistency have it piled on, without going back to ask those very questions that Megan has pointed out, as to whether or not that number makes sense to begin with or whether we should all have a new standard. I think that's really important. I think the other thing is, some of the information that's out there and been reported, it might be that that information could be really useful, if certain actions were taken with that information. So, for example when the private sector is voluntarily sharing information with the government, it might be that the government could use that information in actionable ways to disrupt e-crime actors and their infrastructure. And so, for some of these, we might think of the reporting, and we might not think of an equivalent sort of action that could be taken, and for others, we might say, oh, actually, the part that's missing here is the impetus to use this data in this sort of way that would benefit victims as a whole. So, I always think that's really important is to ask, where is there a

realm where the government is uniquely situated to do something in cyber versus where is it that victims need to improve their own defenses, get better about protecting data, be better about transparency, about how they're protecting that data? So, I think that we should never assume that there's any sort of single silver bullet solution for any of this.

Sasha O’Connell

Perfect. I think with that, just about sums up or lay down on incident reporting. Right? The complexities, the history, and certainly the activity that's ongoing here makes it super relevant. So, with that we're going to wrap our episode. We hope everybody both visits us on the Start Here website, and the link will be in the show notes to see additional resources and have availability to the transcript to this episode for reference. We hope to see you next time where we are going to tackle ransomware and other extortion challenges. So, Drew, Megan, thanks so much for joining me, and we'll see you next time.

Key questions:

• What is ransomware?
• What is operational technology and how is it affected by ransomware attacks?
• What goes into the decision to pay ransoms?
• What was the attack on Colonial Pipeline? What can we learn from it?

Extra Resources: 

• CISA: The Attack on Colonial Pipeline: What We’ve Learned & What We’ve Done Over the Past Two Years
• Crowdstrike: Ransomware Examples

Transcript: 

Sasha O’Connell

Welcome back to Start Here. In this series of podcasts, we are working to give you, our audience, a framework for analyzing foundational cyber policy questions. In our previous episode, we looked at the policy context, history, and choices surrounding the potential to mandate cyber incident reporting. I'm joined today to follow-up on that conversation by Drew Bagley, Vice President and Counsel, Privacy and Cyber Policy at CrowdStrike, and Megan Brown, partner at Wiley and co-chair of the firm's Privacy, Cyber and Data Governance practice to take on our next topic, that is to break down and explore ransomware and other extortion challenges. Before we start, or maybe actually, this is a great starting place for providing context for a discussion about ransomware and extortion schemes. Let's talk briefly about how you both think about how cyber policy makers should prioritize issues when the underlying technology or adversarial tactics change so quickly?

Megan, what do you think?

Megan Brown

So I really think this is an important topic that highlights that fundamental question for policymakers, and it applies not just to ransomware and extortion threats, but other questions across the cyber landscape, across the privacy landscape and others, which is, you know, how should policymakers think about particular types of threats when we see over and over, in the past two decades at least, that threats and tactics change? So, I think about it from should Congress or federal agencies be kind of running after specific threats that might be in the news, or should they instead focus on some fundamental principles that might have wider applicability and might be more durable and don't become quickly obsolete?

Sasha O’Connell

Drew?

Drew Bagley

Ransomware is a great example of Megan's point about policymakers sometimes chasing either a bespoke problem or a timely problem of today, but not necessarily one that's going to be a problem that we still need solved the same way in three years or that the way we're solving today's problem is going to solve the future problems. So, when you think about ransomware, it's obviously been all over the front pages for the past several years. However, even when we look at that phenomenon, adversaries have actually changed their tactics in recent years. For example, data leak extortion is now becoming much more of a threat than ransomware in and of itself. By analogy, if you think about it, malware was the hot topic a decade and a half ago, and, therefore, there were a lot of efforts that were spent trying to solve the malware problem, both from a technology standpoint and from a policy standpoint. You fast forward to today, there are still certain standards that were designed to address malware, whether or not a file on a computer is malicious or not, something binary and yet today, what we see is that actually 71 percent of attacks don't use malware, and even with the data we've seen at CrowdStrike, 80 percent of attacks are actually using legitimate real credentials. And so just with that example alone, tactics have changed, and therefore, the policy means to address them needs to change too.

Sasha O’Connell

That makes sense. So just to summarize, the context that perhaps ransomware is a version of something that continues to evolve and, thus, for policymakers, the important thing is to focus on key principles is what you guys are saying, not so much specific to this kind of implementation or specific threat activity of the day and tailoring interventions more broadly and less specifically makes a lot of sense. With that context in mind, and you started this, Drew, can I ask you, let's start on ransomware. What is it?

Drew Bagley

The system and the FBI's joint ransomware task force has a great definition for ransomware. They define it as a form of malware designed to encrypt files on a device, rendering them and the systems that rely on them unusable, and the reason why I like that definition is that the definition is not specific to what an adversary might do after encrypting the files. So in other words, an adversary may use ransomware for its namesake, locking up files and offering to release them for a ransom or conversely, the adversary can use ransomware for pure destructive purposes, and we've certainly seen that before. Not necessarily asking for something monetary in return. This is helpful in understanding that ransomware is only one form of a broader trend of extortion. For example, in today's trend of data leak extortion, ransomware may be used in addition to file exfiltration, or pure file exfiltration may take place without the use of ransomware. In other words, use of ransomware is no longer as simple as an adversary locking up files and asking for payment and then potentially unlocking those files in exchange for payment. This means ransomware may be tied to double extortion, asking for a payment to unlock files, and subsequently asking for a payment not to leak or further disclose information. So, I believe the ransomware definition is very helpful, but it's also important to remember that extortion is actually the broad policy problem that we're trying to solve, and ransomware is just one part of it.

Sasha O’Connell

Megan, from the kind of victim perspective, can you talk us through what people see? I assume we're still not in this era of ransomware as a service, we're not still seeing requests to mail checks to PO boxes. Can you talk a little bit about what it looks like on the receiving end - I know you've worked with clients in that situation.

Megan Brown

You know, the paradigm example is an employee tries to log on to their account or workstation and a banner pops up. “Hi. Your network has been penetrated and your files have been encrypted. To recover your files, send a hundred thousand dollars in Bitcoin to the following address.” Or, you know, the security team gets reports that databases just aren't available and when they start investigating, they might find a ransom note embedded in other systems. We've seen artifacts like that in the past or you could have a note sent to executives that says we have encrypted your files - here's a screenshot of a file tree and to get the keys to unlock your data or your system, you have to go to this website, which is on the dark web on, like, Tor and prepare to pay us $10,000,000 dollars in digital currency. Drew's team at CrowdStrike had put together some examples that they make available on the website, so in our resources page, maybe you can look at some of those. Some of them are very sophisticated. Some of them are full of typos and sort of seem like something Saturday Night Live would put out or The Onion. It varies, but that's kind of the game, and then that sets off a whole array of choices and things and playbooks that have to get executed.

Sasha O’Connell

And what are organizations thinking about? What does this mean in those playbooks? What are people balancing and thinking about when that goes down in an organization?

Megan Brown

Well, I've seen an array of reactions and challenges, and Drew's probably seen it far more, but every hour that your system is inaccessible, you either can't conduct a part of your business or you can't provide some service, hopefully, not all of your service, or you're wondering about what data has potentially been exfiltrated and this happens to retailers, hospitals, small businesses. If you're a medical facility or a doctor's office, for example, you might have to try and work with backup systems or figure out what paper records you have. If the incident is affecting your operational technology, maybe a factory has to shut down or critical services have to be paused because the security team doesn't know the extent of the intrusion and so they're trying to triage, how do we contain the damage and then think about remediation or getting backups restored.

Sasha O’Connell

Megan, let me actually ask you to just pause for a second. Can you say a little bit more about what you mean by operational technology in this context?

Megan Brown

Yeah, sure. Great point. Operational technology is different from information technology and as government regulators are thinking about regulation here, they're sometimes distinguishing between operational technology, OT, and IT. OT is and there's not clean definitions that are universal, but you can generally think of it as operational technology makes a service operate or go. In the Colonial Pipeline example, it was making sure that oil could get where it needed to go. It makes trains run on time; cranes operate. By contrast, IT is more about the business systems in the back end, email and billing. Sometimes, you need to consider whether you have to pay folks who claim they have your info so that you can actually determine what data has been accessed. The example I mentioned of, like, a screenshot of a file tree, you might not know what is in all of those files, and so you might need to buy some data back to figure out, you know, have I triggered my state data breach notification laws? Do I have to call so and so? Like, a whole bunch of things and, fundamentally, the threat actors here are making money from that uncertainty that is forcing victims to feel like they have to pay either to restore service, to examine the damage, or to be able to function and run their business.

Sasha O’Connell

Thanks, Megan. That is so interesting. I never really thought about the assessment piece, the need to potentially pay to even know what was lost, taken, or frozen. Drew, I'm going ask you about the payments piece and how that works functionally; but before we get there, can you say more on this need to assess or pay to even know what was taken? Are there other implications for that or considerations?

Drew Bagley

Absolutely, Sasha, and actually for listeners of this episode, this actually touches upon a lot of the topics we discussed in the incident notification episode because whether it's a cybersecurity mandate or a privacy law mandate, a lot of these breach notification laws actually require notification to a regulator or even individuals if the impact is great enough. So in other words, a victim really needs to have enough information about what that impact is. There are going to be situations in which a victim does have visibility into their systems, so even if they had some sort of ransomware incident or data extortion, they might actually know what was exfiltrated. But in other cases, to Megan's point, a victim might not actually have any of that information. In other words, they might not have any endpoint detection and response data, any log data, or anything, and therefore, they might need to actually know a bit about what the adversary may have. Similarly, a victim may need to know which type of adversary this is and what they traditionally do, and that's where a victim may want to analyze some sort of threat intelligence to understand who they're dealing with and what that impact may be. Sometimes ransomware might use other methods. So, for example a payment in gift cards and even other types of payment providers like MoneyPak, Paysafecard, and whatnot. But, traditionally, cryptocurrency is the preferred method of payment by adversaries, and the way in which that works when a victim organization does indeed want to pay or have the option of payment is they need a Bitcoin wallet. And so that's something where in recent years, what you've seen is that rather than victims going and setting up their own Bitcoin wallet or other cryptocurrency wallet and transferring funds to it, they might go through a third party company that specializes in doing those types of payments and that would hold wallets in a variety of different cryptocurrencies, and then, also, that company usually would be the intermediary that would help negotiate. Whereas on the back end, the victim organization would be working with their outside counsel in weighing their different options and, also in checking to make sure that they have some sort of information to make a valid judgment about whether or not their payment would likely violate any sort of sanctions law; because even if you are a victim of ransomware, you're still subject to different considerations, such as with regard to money laundering or terrorist financing, for example. So the AMLCFT restrictions, and so you have to ensure that you're not inadvertently paying money that would go on to finance terrorism or to facilitate the laundering of money, and you have to watch out for bans on payments to certain sanctioned entities. So that's an important consideration in the payment process, but the way that it works in practice is that there will usually be some sort of communications portal set up by the adversary. So the adversary will provide a URL that the victim can navigate to, and that's where there will be some sort of online chat, and that's where back and forth, the victim or the entity negotiating on behalf of the victim, will be interacting with the adversary and then also that's where they'll get the information about which wallet to send money to. Now anytime you're doing that, what you're doing is, of course, weighing that risk against the risk that you never get your files unencrypted because there's certainly no guarantee that an adversary is going to decrypt your files just because you paid them. And in fact, you might be opening the door to be revictimized. On the other hand, sometimes that is the only option for a victim. And interestingly enough, another thing that's happened as data has grown more and more, is that the process for decrypting files actually now takes a lot longer. So oftentimes, the victim's also weighing how long would it take to decrypt their files versus how long would it take to recover from a backup, because recovering from a backup may take a long time. Decrypting files may take a long time. So those are sometimes considerations being weighed too in these situations.

Sasha O’Connell

Thanks. That's super helpful in thinking about how this plays out. Before we pivot to thinking about policy intervention options for this persistent challenge, Megan, can you talk a little bit about Colonial Pipeline? It's probably one of the most high-profile examples people are familiar with and what the decisions were and how they played out for that organization as far as we know.

Megan Brown

Sure. I'm happy to, and, of course, there's tons of publicly reported stuff. The CEO has been really transparent. But back in 2021, some bad guys, some hackers that I believe the government is confident are associated with the Russian Federation, infiltrated the computer networks of Colonial Pipeline. They demanded more than $4,000,000 dollars in ransom. The company shut down the pipeline operations, which I would consider to be the operational technology side of things as opposed to the IT side of things, and that's a technical concept that policymakers struggle with drawing those distinctions, but hackers didn't get in and shut down the pipeline operations. So, it's really interesting how in the heat of an unfolding attack, you can see the decisions that have to be made against a backdrop of significant uncertainty in the Colonial Pipeline situation. The CEO has described the decision process and the timing both to Congress and to the press and based on that public sourcing, they detected the attack just before 5 am on a Friday, when an employee found a ransom note on a system in their IT network and as we discussed a moment ago, IT is the information technology side, billing systems, back end stuff, not the pipeline operations. That employee notified the operations supervisor who is in sort of the pipeline control center, and the CEO has described sort of a broad stop work authority that allows the pipelines to be shut down quickly if there's concern about safety; and here, they didn't know. They didn't know what was really happening and they were worried that there had been access to or there could be future access to their operational technology, their actual pipelines. So they put in a stop work order to halt those operations. That was done to contain the attack and help ensure that any malware didn't get into their OT systems if it hadn't already and that happened as I understand it, within an hour, employees began the shutdown process and then within 15 minutes, over 5,000 miles of pipelines had been shut down and the CEO, even though he faced some criticism for it, you know, he has said that it was an extremely tough decision, but he made that decision. They made that decision and then as folks know, they've paid the ransom. It took them, I think, around 6 days to get back online and so you can see there both the important differences between sort of that IT, OT issue, but really this broader uncertainty that decisions in a rapidly unfolding ransomware attack have to be made with really imperfect information.

Sasha O’Connell

Well, we've certainly covered some ground here in terms of the context, sort of depth and degrees, and implications of both ransomware and other associated extortion schemes and, using examples like Colonial Pipeline, it's easy to see these complexities in action and certainly relevant to our day to day.

We're going to pause here and regroup for our next episode where we're going to talk more about what policymakers can and are doing about this challenging issue. Thank you for joining us, and we look forward to seeing you on that next episode; and in the meantime, please don't forget to check out our associated resources in our Pause Here section of our website, where the link is, of course, available in the show notes. We'll see you next time.

Resources

• Washington Post article: ‘NOBODY KNOWS YOU’RE A DOG’: As iconic Internet cartoon turns 20, creator Peter Steiner knows the joke rings as relevant as ever
• FTC Safeguards Rule
• CISA - Multifactor Authentication

Transcript

Sasha O’Connell

Welcome back to Start Here. In this series of podcast episodes, we provide a framework for analyzing foundational cyber public policy questions. In our previous episode, we looked at the international flow of data and how governments are looking at changing rules that apply to that data. Today we're on to the next not so simple challenge, digital identity. To work through the ins and outs with me on this topic, I am again joined by Drew Bagley, Vice President and Counsel for Privacy and Cyber Policy at CrowdStrike and Megan Brown, a partner at Wiley and Co-Chair of the firm's Privacy, Cyber and Data Governance Practice. We are going to take on this next topic and break it down.

So with that, let's get to it. There is a famous 1993 New Yorker cartoon by Peter Steiner. Now, somewhat ironically, also an internet meme, I believe, which has a dog sort of typing on the computer quote unquote, talking with another in-real-life dog at his feet and the caption reads “On the Internet nobody knows you’re a dog.” That pretty much seems like a great place to start this episode, because the ability to at least appear or feel anonymous online is one of those fundamental features of the internet and is also something that has both benefits and costs, frankly that the policy community continues to grapple with. In terms of what the right balance is and digit identity in particular wrestling with some of these challenges as it presents itself in the specific context of cyber security is a huge issue while maintaining obviously benefits where possible.

So with that, we want to get into it, and Drew, why should we even talk about digital identity? Doesn't everyone know what that means, and it's crystal clear in the policy community and we can move on or what?

Drew Bagley

Everyone knows what that means, and everyone has a different understanding of what it means, I would say. Identity is something where when we think about it in the context of information about ourselves, we think we know what that is. It's our PII or maybe it's even our actual identity card or whatnot; but then in other contexts, identity is actually dealing with the authentication protocols through which either we, as individuals sign into computers and devices, or that software actually authenticates itself and is able to interact through APIs through different web platforms and whatnot. And you know, a good illustration of this is actually recently, I was involved in a conversation between two people where one person was talking about identity and they were thinking more about identity in the context of authentication and trying to protect that from adversaries and threat groups and another person was thinking about identity more in the context of a digital identity and kind of like a digital passport and thinking about that. Another person was thinking about it more in the context of PII, and I think that's a great illustration of how identity can mean different things in the cyber context and yet, each aspect of identity is very important when it comes to understanding cyber policy and what we can do about protecting various forms of identity. 

Sasha O’Connell

All right, perfect. So, Megan, in that context, when you think about cybersecurity in particular, how do you think about digital identity, or which of those aspects that you just mentioned are most important?

Megan Brown

Well, I think both of them are in different ways. So many of the legal frameworks around cybersecurity and the expectations for companies and organizations depend on this concept of authorized or unauthorized access. And so that kind of means for someone, either a person or a device or a software system, like Drew just mentioned, to be authorized, the system owner has to know what it is, who the person is, are they who they say they are, or is the device who they say it is. And the ways in which we know and verify who someone is online is sort of one of those key foundational pieces of connected services and networks and information systems. It affects who's allowed to buy and pay things, send an email, make a medical appointment and organizations have to have processes and technologies to validate who the people are, and who the entities are that are connecting to their systems, whether it's a large enterprise network, or, your son's school portal to be able to log in. For a lot of the privacy and cyber incident reporting requirements, they turn on whether something is authorized or unauthorized. So you have to be able to tell whether the access you've seen was authorized or unauthorized, but then there's sort of core cyber expectations, which is, you will build systems, and regulate how systems access data based on access, based on digital identity, based on who's allowed to do what; and so it really is a foundational piece of doing cyber security right, and about what the government's looking at when it thinks about, how companies need to be doing cyber security.

Sasha O’Connell

That makes sense. So, in that context, it's obviously critically important that we have the capacity to identify people in a secure way. Drew, in that context, obviously, identity online, digital identity is extraordinarily important in cyber security as Megan just outlined. Can you talk about how it's handled? Break it down, how do we know who's a dog and not a dog as it were on the internet?

Drew Bagley

Yeah, as Megan noted at the end of the day, whether we're talking about the first example I was giving about identity when we're thinking about PII, or we're talking about the authentication piece, it's still all focused on validation. So traditionally, when we think about validation in terms of authentication, of course, we've had usernames and passwords going back decades, as one way to authenticate us, and then you know, in recent years, multi-factor authentication has become a lot more common where it's not just something you know, your username and your password, but it's also something you have, which could be in the form in modern times of your mobile device and being able to authenticate either with a code or a push notification that you are who you say you are by having those two things. There is, of course, verification that in the physical world, we think about with regard to having our passport on us, and maybe even multiple forms of ID and whatnot; and so, even though they're different context, we're still in the digital space, thinking of different ways to really confirm that somebody is who they say they are and that their credentials were not just co-opted by somebody who shouldn't have them. That's one of the fundamental problems of just having merely a username and password and in addition to multi-factor authentication, biometrics has increasingly become more popular, even on our mobile devices, with either fingerprint or face ID and then there's also a notion of even browser fingerprinting and other aspects of identity where there can be a composite made of different factors in addition to your username and password to have some high degree of confidence that the person logging in is the person who really does own those credentials or should own those credentials. But then, that's all really pretty much on the front end. On the back end, it's not going to scale for a machine to be logging into a machine each time, or for a user to say, okay, I need access to this computer and my computer needs access to these three service for information and these five web services and whatnot. So a user is not just logging in at each layer of the internet.

Sasha O’Connell

Got it Drew. So that all sounds like front end or kind of user forward ways to do it. What's happening on the back end? Is there other things going on there we need to understand?

Drew Bagley

Sure, on the back end, we fortunately, generally speaking, don't have a universe in which users in modern times have to manually authenticate themselves for each individual system, themselves with their username and password and multi-factor authentication. So instead, what happens is once that initial front-end authentication occurs, then there are what are called tokens on the back end and that's how machines are able to talk to machines using a secret that is known to be associated with that user who has logged in. So, if there is that validation of the user, then after that, the machines are talking to machines based on that initial validation. That's something that in purposes of scaling in modern times, has really benefited the user experience. But in terms of security vulnerabilities, there have been lots of problems with the way in which this authentication architecture has been built and it actually goes back a quarter century. So, some of the flaws that were initially in the on premise versions of older authentication protocols have now made their way into the cloud era.

Sasha O’Connell

So, I know we're sort of heading toward, the classic question of trade offs, and you already mentioned between kind of user efficiency, user access, and user ease and then security on the other side of these systems to make sure things are locked down as appropriate and I know we're heading to sort of think about the policy of balancing those two things. Before we get to the more on the user experience with Megan, Drew, can you say any more about how adversaries take advantage of these systems are kind of what the risk is around digital identity and how adversaries are targeting that very specific element with cyber-attacks.

Drew Bagley

Absolutely. Digital identities in the form of credentials, as well as tokens, have become immensely valuable in recent years. So, for example, on the dark web, there are a lot of marketplaces that have digital identities for sale. So credentials are for sale and that allows would be threat actors to buy access to a victim organization. Similarly, because those credentials are so valuable, what you see is that adversaries are very focused on trying to obtain those credentials and those credentials could come from previous data breaches, but they can also just come from basic phishing attempts. So, in fact, we've seen, especially over the past year, a group known as Scattered Spider, using all sorts of phishing techniques to do even very sophisticated organizations into turning over their credentials and then also basically finding ways to co-opt MFA processes. In other words, by transferring sims from an individual's phone that has their mobile phone set up for two-factor authentication to the threat actor’s device. So that way the threat actor can even handle the multi-factor authentication once they steal the credentials. So there's been a lot of that going on. And what adversaries want to do when they're breaking in on the front end, or logging in as is more common now, is get in, and then quickly escalate their privileges. So the credentials they might get might be for an individual that doesn't have access to a lot of things on that victim network, and so what the adversary is going to move to do is to try to find ways to escalate those privileges to be administrative privileges. Sometimes, even if the user might not on their face, have access to different things, they might actually be in some sort of user group, that's part of another user group, that's part of another user group, going on and on and on that does have access to different things, or has full administrative credentials and that can be incredibly valuable. But other times we've actually even seen threat actors call the help desks at victim organizations to try to complain that “Oh, I'm logged in, but I just can't seem to access this one folder. I'm supposed to have access to it” and then even getting help desks to actually escalate those privileges once they have them. So, in other words, the social engineering doesn't just stop at getting the credentials to begin with, but the social engineering can even be used to make those credentials more powerful. But then again, as I mentioned a moment ago, as the CSRB report pointed out, there are inherent flaws and certain authentication protocols that have it so that tokens aren't expiring when they should expire, or that tokens could actually be generated by somebody that's not the authentication provider. If the threat actor can generate their own tokens then they don't even necessarily need to worry about getting credentials to begin with and then it's game on for getting access.

Sasha O’Connell

So, what's the - it seems clear then, right? So what's wrong? We need to lock all this stuff down to the max possible. That should be the goal of all policy, Megan. Now can we just lock this down and stop this nefarious activity?

Megan Brown

No!

Sasha O’Connell

Why not? Come on. 

Megan Brown

Stop it, Sasha! Yeah, if we just unplug all of our computers you won't have cyber-attacks and networking, then we'll all be fine. We can just go back to pen and paper. Oh, but there’s still fraud then too.

No. it's the processes that these threat actors are exploiting have really important business purposes. Legitimate business purposes, and I think it is this balance that folks are trying to strike and we've seen token issues create and contribute to security incidents, regulators are looking at digital identity, they're looking at multi-factor, but I think folks have to keep in mind that, when credentials are stolen, the systems that they go to don't exist in a vacuum. They're not built just to be secure. They're not only being built to resist criminal activities. They are being built to facilitate the business. They're being built to enable customers to log into their accounts. They're being built to enable fast payments, mobile activities. So, it's about seamless or near seamless transactions with the minimum amount of friction and so these solutions that, we all depend on, yes they can be exploited by bad guys, but the organizations that manage them and are being held responsible for them also have to ensure that they work effectively for the customers that they're trying to serve. The government faces this problem too. You want to log on to various government sites, you need to authenticate yourself. So just to keep that in mind, you can over correct if you want to lock things down too much, but these systems have really important business purposes and companies are trying to manage these issues of if you want people to be able to access your services, you want it to be fast, but you have to take certain steps to try and make sure that only the right people are doing it and that's not going to be perfect every time.

Sasha O’Connell

Absolutely right and I think in terms of foundations on these issues, like many things that there's no such thing as perfect security even if we locked it all the way down, things continue to evolve and there's always threat risk. And then on the other hand, I always talk with my students, as security goes up, efficiency tends to go down. The friction is created when you're building those security features in and so for policymakers, just to have that as a foundational construct and to acknowledge that from the jump, I think is an important place to start. What is the government's role here, Megan? Who's active in this space and how do they think about trying to strike this balance or guide this balance in the private sector that owns many of these systems?

Megan Brown

Well, I think it's a really fragmented space. There's a lot of private sector companies who are out there trying to develop solutions for digital identity and selling those solutions, both to the government and to the private sector. There are standards groups that are out there that are trying to build consensus about interoperability and how you want to do various kinds of authentication. Obviously, in terms of our personal and financial identities, there's the bedrock foundational documents that are, the government runs those, your social security number, your passport, your driver's license but as we transition to digital identity, the question is how do you prove that? How do you take what we all rely on at the airport? I was just at the airport yesterday. TSA is looking at my passport, this is looking at things like mobile driver's license, but the security challenge is, how can system owners build a system that they can reliably use to determine who can have access and what they can access. I don't know that we're going to get into it on this session, but at least privilege principles, the core parts of sort of zero trust. How much do you put on your users to prove themselves? And so, moving to the agencies that actually have been active. There's the National Institute of Standards and Technology, or NIST, which we've talked about many times before. They have digital identity guidelines. It's special Publication 863, and that sets some pretty darn specific standards for how federal networks are supposed to do digital identity. Biden had an executive order on cyber security not long ago. It mandates that federal agencies use multi-factor authentication. We see some regulators starting to look at pieces of this, trying to nudge companies along or force companies to go along with using multi-factor authentication. Examples of that are the New York Department of Financial Services, which has cyber security regulations. They require multi-factor for a variety of things. The Federal Trade Commission's safeguards rule under the Gramm Leach Bliley Act has expectations for multi-factor, and so you see this move to try and get companies to do more to move away from passwords to multi-factor and then we can talk a little bit in the future about better multi-factor, phishing resistant multi-factor, but there is this move to push people along this spectrum of authentication, making it harder, making it more rigorous to prove your digital identity.

Sasha O’Connell

Awesome. Drew, how do you see those work streams? I know we'll talk about some of the specific policy proposals in a second, and some of the trade-offs inherent in those, but how do you see those work streams and how do you see this globally? Where's the U.S. in comparison to some of our international partners in terms of the government thinking about this issue?

Drew Bagley

Well, I think Megan's proposal for us to go back to pen and paper is probably the most extreme that has been proposed so far.

Sasha O’Connell

You’re right, there's a perfect security, but Megan doesn't like that either for fraud. I get it. I get it.

Drew Bagley

If we can't do that then, I think that as Megan noted, there's been a very big push with all things for multi-factor authentication, even at the state level, if we look at the New York Department of Financial Services, their cybersecurity requirements now require that much more explicitly. But, we are in an era in which even MFA is being co-opted and so that's where there's a lot of push to make sure that organizations are actually monitoring the identity plane in the same way they've traditionally monitored the network plane, the end point plane, and in more recent years, the cloud plane, to look for things like impossible travel and if somebody is trying to log in from one geolocation and then a minute later, they accept a push notification from the other side of the world, then maybe that doesn't make sense. So, in other words, multi-factor authentications certainly part of basic security hygiene now, but that's not necessarily even the end goal anymore and so that's where you see a lot of movement in the space of identity, threat detection and response.

On the digital identity side, you really have the full gamut. If you look at countries like Estonia, for example, they embraced a full digital identity and digital identity in the context of individuals being able to have full validation for basic government services for voting, for everything else. They embraced that well over a decade ago. Then you have other places around the globe where digital identities being embraced just for specific government services, specific things but this notion of authentication nobody's solved it to find the perfect authentication model that does not create a whole bunch of friction for the user to where it's miserable to do and then is also completely secure. So, I think, we see, a whole marketplace of ideas, but there have been, there's been a lot more interest in recent years for governments to even get more involved in the protocols themselves related to identity. I think we've seen less of that in the States, but in the European Union for example, there's been movement because of this notion of some sort of electronic identity that at the European Union level, there's been guidelines issued on what the protocol should be for digital identities to interact with one another and then who the validator of that identity should be and whatnot. Whereas traditionally with all things with authentication on identity, authenticating your driver's license and validating that, that's the government's role. Authenticating all things online traditionally have been the private sector when we've thought about the domain name system and now with some of these recent proposals, we're kind of seeing a merger of the two.

Sasha O’Connell

It's so interesting again, a place inside our policy where there really is a patchwork of things kind of going on, and nothing's entirely figured out. Again, I know both of you mentioned the Department of Financial Services in New York. Are there other policy proposals? What's CISA up to in this regard? FTC FCC, what else is on the table these days?

Megan Brown

Yeah, so the Department of Homeland Security says Cyber Infrastructure Security Agency has been using its sort of bully pulpit. They do not have plenary regulatory authority other than the incident reporting stuff we've talked about separately, but they've been just churning on performance goals and guidance documents, and they're more than a password program; and so they're really pushing MFA and stronger MFA. One example of their work is their cyber cross sector, cybersecurity performance goals. They lay out use of a fifteen or more character password and phishing proof multi-factor authentication is the new emerging standard. They promote MFA on their website as a best practice and so they're definitely leaning into that the use of biometrics, etc. The FCC, the Federal Communications Commission, is starting to play in this space as well. They have long required telecom carriers to authenticate their customers before they give them access to certain data. Now, if you've tried to call your wireless carrier, sometimes that can be frustrating because you have to go through all these hurdles to prove you are who you say you are, but the FCC wants to safeguard that information and make sure you are who you are. Now the FCC is requiring providers, wireless providers, to do more authentication before SIM swaps. And because they're worried, about the downstream effects of fraudulent SIM swaps, which can lead to other fraud and other problems. So now they have new rules that carriers have to use quote, “secure methods”, to authenticate customers that seek a SIM swap. What I thought was interesting was that they declined to provide regulatory certainty about what it considers adequately secure. So, people were saying, “Well there's all these different ways to do secure authentication. Tell us what is adequate.” And they said, “No, no, no, you guys figure it out because it may evolve over time.” Which, personally, I thought that was a frustrating approach, but New York DFS, as we mentioned several times, they really are into MFA and I've certainly been on the phone with some of their investigators when they really are concerned about the lack of MFA in certain places. Their rules aren't all that specific or haven't been to date about precisely what systems and networks have to have MFA, but they've broadened that and it's much more broadly required. And then, as we mentioned, the FTC safeguards rule, if you're going to get into financial information, they're requiring MFA for access to that protected, that sort of subset of protected information. So, most of these, I will say, have exceptions. They don't require MFA for everything all intense. They have an exception process where you can show there's an equivalent or more secure alternative, which is a nice flexibility piece there but lots of agencies are now in the space, and I think you'll see some enforcement actions that, wrap people on the knuckles for not doing enough in the government's eyes to authenticate and to have tools that are secure.

Sasha O’Connell

Interesting, and Drew how do you see where the private sector is today on this? Are they waiting for clear guidance from government or waiting to be regulated or waiting for enforcement actions or what's the stance in the private sector? Or how do you guys see that today?

Drew Bagley

So on protecting identity in terms of protecting credentials as we were discussing a moment ago, there are MFA requirements that are sector specific popping up and I think MFA is becoming much more mainstream and I think we will, as we even see, enforcement related to cyber incidents and data breaches going forward. I think more and more, especially litigation, you're going to see whether or not MFA was enabled being a factor in terms of whether or not an organization was negligent, whether they were compliant with various regimes, etc. So I think that's going to become mainstream and already is becoming mainstream. Whereas I think it really depends on the maturity of the organization in the sector as to where you see identity threat detection and response being used or some form of actually monitoring that the MFA and the credentials are being used by the people who should be using them and getting to that point where you're challenging, who's logging in over and over again from a technical basis, making sure tokens don't expire things like that. You see that's really all over the place in the private sector right now, where you definitely, you have some places and some protocols that really have are inherent with vulnerabilities, once you're in, you're in, and you can walk around. You're not just in the apartment building, you can then walk around, unlock every apartment in the building and that's what we see on the back end with again, the way lots of this architecture set up and whatnot. So it's all over the place, but there's a long way to go to getting credentials protected and getting that more secure. Whereas I don't think, as a society with every data breach we see, we ever figured out how to protect PII. So, we've got to solve that one too.

Sasha O’Connell

Yeah, so in solving, whether it's from an internal policy perspective, from a company's perspective, or even one of the federal agencies working on their own data, or from a public policy perspective, in terms of what's, either required or recommended. We've talked about some of the trade-offs here about increasing friction in the system with the increase in security that makes sense. Clearly, there's this idea of customization versus uniformity on definitions or what's required. How do you guys see, what else? What are at its heart is that issue in terms of policy tradeoffs when we think about this space? Megan, you want to go first before we wrap?

Megan Brown

Maybe two things for instance, the first is the risk based approach, like it sometimes it seems like regulators just want to say, just do MFA, do MFA for everything and that sort of sounds okay at a surface level, but I think it's important to take a step back and I could cite you a bunch of NIST documents that would back me up on this that you take a step back and have to consider what the use case is, what the risks are that you're trying to address. What is the sensitivity of the data or the information or the service you're trying to protect? And so I don't think people should look at MFA, for example, as this panacea that you just throw on everything because, that might be prudent in many cases, but there may be reasons why there's a compensating control or something else.

The other pieces, anything that is human facing has to have this balance. We talked about a few minutes ago, about making things easy for the customer, while achieving some degree of reasonable security, but remembering that customers come in all different levels of knowledge and capability, especially with security. And so I don't think, it's fair to consumers to just say, everyone has to use token based MFA for the majority of online services. There's a lot of stuff that may not need that. You may not need MFA to access Facebook, but maybe you should have MFA to get into your bank account. So I think that's an important thing for trade-offs as well. One example that I point back to is I remember speaking with NIST, ten years ago when they were updating their digital identity documents, they really wanted to tell everyone to stop using text messaging for MFA. And there's trade-offs with the use of SMS for MFA, I use it a lot, a lot of people use it, maybe it's not the best thing for banks to use or for your crypto wallet, but we discussed with them the trade-offs for your average consumer that needs to log on to their social security account and would my grandma be able to handle token based MFA, or put an app on their smartphone, footnote, not everybody has a smartphone. So I do wonder in Estonia, how all the people that Drew mentioned with their online everything, if there are people who are kind of being left behind on the government services side. So it's just that trade off that remembering the customer behavior has to be taken into account. People, are human, and you want to set up protections for their mistakes, but also not set up a system that's too onerous, especially in light of whatever the risk is and the sensitivity of the data or system.

Sasha O’Connell

It's so interesting and when we think about those different populations, we tend to think about, maybe a more senior population having difficulty with that functionality, but I'll tell you, working with young people at the university do their patience for time. Their expectations in terms of instantaneous services and their lack of patience for friction in the system is pretty real and so their willingness to, and I'm not saying all but move away from products that require more friction in the system. It is another thing just to consider. Drew, other thoughts on trade-offs before we wrap up on this one?

Drew Bagley

Megan hit it spot on with the digital divide. We've been talking about the digital divide for thirty years in other contexts. Oftentimes with just getting folks access to broadband internet, which is still something that we, as a country are working on and there is absolutely also a digital literacy component that goes into this. And so even if we know what the best practices are trying to figure out ways to get those into the hands of the people who are potentially the most vulnerable and need the most is not trivial at all, and, at the end of the day, we should get to a place in which the person using the service can just focus on using the service and not be over rotating on what are the fifteen different things they have to do from security standpoint to use the service. And so I think part of that then means it kind of goes into the secure by design movement, which is the entity best suited to provide security, and bring security to the table should be doing that. So I think that starts in the identity ecosystem with authentication providers ensuring that their code is secure to begin with, and ensuring that there's interoperability for other security to be layered on top of that. When we think about these systems that are driving things like, going to update your voter registration online, going to update your driver's license online. That entire burden shouldn't be shifted to the individual to the perspective victim. A lot of that should be on the entity providing the actual service, but there are also that even when we're talking about the operators of technology that are very tricky in modern times, if we look at a lot of critical infrastructure entities. So, where you have operational technology systems that can be very old or even internet of things systems that may have been designed in a way where it's not easy to layer security on top. That's certainly challenging and so I think that's where it's incumbent upon the government to provide the right incentives to make sure that entities that are cybersecurity have nots are able to get cybersecurity, even if that means they have to first modernize their stack to do so, but I think, like Megan said, though, there's certainly is a lens of risk you have to view all of this through. Or you have to consider that layering MFA and all these things is necessary in every application, or realistic in every application; it would be great in every application. Is it realistic or are there other ways to, wall off certain types of access from other types of access? Because that's the other problem is that over the past several decades the way access has been architected; once you have access to one service, it's not hard for an adversary to get in and get access to other things. So I think there's a lot more thinking that can be done on the back end there too.

Sasha O’Connell

All right, with that, as usual, I don't think we solved any of the policy issues, but we certainly framed them up and offered great-

Drew Bagley

Megan did. I think. 

Sasha O’Connell

Megan does as she does but thank you both for joining me. And thanks to our listeners. We are going to wrap it here. I hope everybody visits us at the Start Here website and that is, as always in the show notes, where there will be additional resources on digital identity and also a transcript from this episode for reference. We also look forward to having you join us next time where we're going to kick off our series on who's who in U.S. cyber policy, starting with a bit of a deep dive into the players at the White House who work on cyber policy and how they rack and stack up, which actually might be a little less intuitive than one might think. There's kind of an interesting story there. So we look forward to getting back together soon to share on that. So, Drew, Megan, thanks again for joining me and we'll see everyone next time.