True to the discussion in our last MMG article, “A New Year for Cybersecurity: What to Expect in 2016,” new federal rules governing cybersecurity are already taking shape. The Cybersecurity Act of 2015 was passed in late December as part of the 2016 omnibus spending package; it signals the government’s intent to get ahead of cybercrime by getting the private sector and federal agencies to share what they see. We’ll take a look at some of the areas where this law will affect small and midsize U.S. businesses.
First, we should stipulate that no one knows with certainty what the new rules will mean in practice, because the details of implementation and enforcement have yet to be tested in the field, by both government and the private sector, and eventually in the courts.
We examined the law in great detail as part of a private sector Enterprise Risk Management Council that we organized during the fourth quarter of 2015. It included general counsel, CEO advisers, former members of the Public Company Accounting Oversight Board (overseen by the SEC), private sector executives, academic experts, former intelligence officers and prosecutors, and others aiming to develop a balanced approach to implementing cybersecurity requirements for the private sector. We drafted the first critical path document based on the deadlines and deliverables in the new law, and in February we reviewed our thoughts and observations with the Department of Homeland Security. There is a lot to be digested and implemented this year. It is clear that DHS, which has been tasked with implementing the new law, has targeted specific milestones. U.S. businesses of all sizes will begin to feel the shift.
The Cybersecurity Act of 2015 is divided into four titles. This article focuses on Title I, Cybersecurity Information Sharing, because most of the considerations for small and midsize businesses are found there. In effect, the act establishes rules for a digital neighborhood watch program that gives every business a moral (though not a legal) responsibility to report how, when and even why cybercriminals are digitally breaking into our cyberhomes. It’s basically saying, “If you see something, say something, and the government will provide liability protection for reporting the information.” Here are some important takeaways:
1. DHS is holding the bag. Before the new law, experiencing a cybercompromise was akin to having your house broken into and finding city, county, state and federal law enforcement each collecting information to help you without necessarily coordinating with one another through a single responsible party. Now the Department of Homeland Security is in charge of collecting, protecting and distributing relevant cyberinformation; that’s an important first step toward accountability. The law makes DHS responsible for collecting cyberthreat information and sharing it with other agencies as well as with “good neighbors” in the private sector. One thing the law does not change: the existing channel for publicly reporting known software vulnerabilities, the Common Vulnerabilities and Exposures (CVE) list, remains a public source, so bad actors can read it too and exploit what they learn before defenders have patched. Threat indicators shared with DHS under Title I, by contrast, are not published in that way; the act exempts them from public disclosure under the Freedom of Information Act.
2. Cyber jargon is defined. Terms ranging from “cybersecurity threat” to “cyber threat indicator,” “defensive measure” and others are given statutory definitions. These definitions are still not perfect, but they provide a baseline for cybersecurity providers, managed service firms and consultants who had struggled with the subtle differences in meaning among these terms and their legal implications. The definitions also help organizations set priorities at the enterprise risk management level, ensuring that everyone is on the same page.
3. The observation tables are turned. Title I of the Cybersecurity Act appears to grant network operators greater rights to monitor, defend and share information, going beyond the “provider exceptions” in existing wiretap law and striking a tricky balance on a sticky privacy issue. In effect, within limits, a private company may monitor its own information systems (and, with written consent, those of another party) for cybersecurity purposes, may operate defensive measures on them, and may share what it observes. This helps level the playing field for the private sector so that the good guys can call for backup when they see suspicious activity. In the past, the good guys might have received the equivalent of a ticket or a reprimand merely for watching a bad actor’s activity on their own networks. We expect cybersecurity providers and ISPs to extend protection under this provision, but we have a long way to go before such measures are effective, and the limits matter: the act does not authorize monitoring or “hacking back” against systems you have no consent to touch.
4. The government wants you to tell it like it is. One of the greatest barriers to companies sharing cyberthreat information is the perceived liability associated with reporting. Although actual liability is rare, technology conferences abound with horror stories about the unintended consequences of information sharing, not to mention general counsel’s standing recommendation to “keep a lid on it.” The Cybersecurity Act of 2015 appears to shield companies from liability when they share cyberthreat indicators in accordance with the act, whether with DHS directly or with organizations that report to DHS on their behalf. One condition practitioners should note: before sharing, the company is expected to review the indicator and remove any personal information it knows is not directly related to the threat. By providing this shield, the government is taking the pressure off small and midsize companies so that they can report. Sharing remains voluntary, but the bottom line is this: if you don’t report, your company may find itself exposed when and if the hard questions are litigated in court.
Now is the time to start sharing your known compromises and breaches with DHS, whether through its partner the Multi-State Information Sharing & Analysis Center, through your sector’s ISAC, or through the Automated Indicator Sharing capability DHS has set up to receive indicators under the act. Cyberthreat as an enterprise risk is clearly becoming a fiduciary responsibility that companies must manage and that courts and regulators will expect them to have managed.
Israel Martinez is president and CEO of Axon Global, a cyber-counterintelligence company recognized by the Department of Homeland Security as a leader in its field. He is certified by the DHS in cyber-counterterrorism and defense, and has more than 20 years of experience in enterprise risk management and governance.
Richard Schroth, Ph.D., is managing director for The Newport Board Group’s global cyberpractice. He actively leads world-class teams of cyberprofessionals and board-level advisers seeking to minimize cyberrisk for public boards and private equity firms. Additionally, Schroth is a senior adviser to the CEO of ACG for cybersecurity and serves as the executive director of The American University’s Kogod School of Business Cyber Governance Center in Washington, D.C.