By: David Murdter, JD ’19
American businesses publicly reported over 800 cyberattacks affecting upwards of 1.3 billion customer records in 2018 alone. Such attacks not only threaten the integrity of sensitive customer data, but also may pose serious national security risks, particularly when the targets are companies responsible for managing critical infrastructure. Despite the frequency and severity of these cyberattacks, some of which have resulted in massive and widely publicized data breaches, the regulatory regime governing how companies report and respond to cyberattacks is in many ways underdeveloped.
At the 2019 Yale Cyber Leadership Forum, leading representatives from both the private and public sectors came together to engage in a wide-ranging discussion over how the government and industry might collaborate in ameliorating this growing threat. A common refrain that emerged from the dialogue was the need for more well-established lines of communication between private and public actors, particularly in the early stages of a cyberattack. Because private actors are often unable to offensively respond to cyberattacks without themselves violating the law, numerous attendees from private companies expressed a desire for the government to do so on their behalf. But without a mechanism through which to rapidly escalate information about an attack to the appropriate authorities, industry representatives feared that any government response would be too little, too late.
“It’s not as if we have 1-800-Cyber-Com,” one attendee remarked. “But maybe that’s what we need.”
A unified framework of both permissive and mandatory reporting of incipient cyberattacks, coupled with an effective response mechanism to defend reporting entities, could aid in the prevention of serious security breaches while also facilitating a constructive working relationship between private and public actors. Such a framework might be likened to a “Cyber 911” — an emergency hotline that provides the government with valuable information about attacks in their initial stages, and private entities with an additional line of defense should they be unable to meaningfully protect themselves.
The Existing Framework for Data Breach Notifications
Currently, a company’s obligation to report a cyberattack in the United States typically turns on whether or not the attack was successful in exfiltrating sensitive customer data. All 50 states, for instance, have enacted legislation requiring companies to report breaches of customer data. The purpose of these laws, generally speaking, is to ensure that customers affected by data breaches are notified of what transpired, and provided with the information and tools needed to protect themselves from the harms associated with identity theft.
No cross-sectoral federal data breach notification law has been enacted, although there is an emerging consensus that one might be needed. In the absence of omnibus legislation, some agencies have taken to regulating cyber incident reporting requirements. The Securities and Exchange Commission, for instance, issued guidance requiring publicly traded companies to disclose material cybersecurity risks in their quarterly and annual reports, and also mandated that companies disclose when they have been the victims of a material cybersecurity incident. But the paucity of reports made under the new framework suggests that companies have taken a liberal view of what constitutes a “material” event. The Federal Energy Regulatory Commission, in July 2018, also promulgated a rule requiring utilities to report cyberattacks that “compromise, or attempt to compromise” certain critical infrastructure. But the rule only covers utility companies, and although covered entities are required to report even unsuccessful breach attempts, it is not clear what expertise or assistance FERC might be able to offer when notified.
A common thread among the existing reporting requirements, then, is that they: 1) typically only mandate or encourage reporting ex post, and 2) are typically designed for the benefit of affected persons. Such reporting requirements are an important part of cyber incident responses, but their purpose is meaningfully distinct from what conference attendees expressed is needed: namely, a centralized authority to whom targets of cyberattacks could appeal for technical support, guidance, and possibly the deployment of offensive measures against their attackers. Such a system, properly constituted, might aid in stopping an attack before any damage results, something no ex post data breach notification law could accomplish.
Though federal law enforcement agencies have urged companies to report cybersecurity threats as soon as they become known, such reporting is not mandatory. The federal government does not maintain a centralized reporting hotline specifically for cybersecurity threats; rather, there are any number of agencies to which a report could be made, such as the local FBI field office or the agency responsible for regulating the victim company’s industry. A company calling to report an incipient cyberattack might have a difficult time accessing the level of expertise needed to make a meaningful difference in their defensive efforts. Moreover, where attacks involve sensitive customer data, companies may also be wary of reporting or otherwise making public the fact of an attack for fear of harming their customers’ privacy interests. Some conference attendees also remarked that unless the government offensively targets the belligerents responsible for the cyberattack, defensive assistance would do little more than delay an inevitable subsequent attack.
Instituting a Cyber Hotline
To alleviate these concerns, the federal government might consider instituting a cyberattack hotline through which companies could report incipient cyberattacks, receive expert assistance, and possibly benefit from government countermeasures taken on their behalf. A centralized reporting authority of this nature would not be far-fetched. Israel, for instance, recently launched a cyber hotline offering real-time support and solutions to those experiencing a cyberattack. The cyber hotline, called the Computer Emergency Response Centre or CERT, is staffed largely by veterans of the country’s military computing units. The hotline not only provides assistance to civilians experiencing cyber threats, but also provides the government with meaningful insight and intelligence about burgeoning cybersecurity threats.
The private sector representatives at the Yale conference appeared supportive of the possibility of a similar system being instituted in the United States. Although the reporting requirements were not discussed in detail, one could envision a system made even more rigorous than Israel’s by requiring that companies report cyber threats if they appear to surpass a particular risk threshold. In return, companies who do contact the hotline within a prescribed period of time might potentially gain safe harbor from certain forms of liability emanating from the breach. Incentivizing companies to report incipient attacks could help stop attacks before they escalate into data catastrophes.
This is not to suggest that stronger reporting requirements would be a panacea. To begin with, the ability to report a cyber incident requires that the victim be aware of the incident in the first place. But often, the “dwell time” between when an intruder first infiltrates an environment and when the victim becomes aware can span weeks if not months, at which point the bulk of the damage is done. Second, even if companies were able to report attacks in real time, enabling meaningful assistance might be technically difficult. Without access to a company’s internal IT infrastructure — something many private sector actors would likely be loath to give to a government agency — an agency officer might be powerless to diagnose the problem. Third, the distinction between mandatory and permissive reporting would need to be carefully and appropriately drawn to avoid either under- or over-reporting incidents to the responsible agency. And even if the line is carefully drawn, private actors might not know on which side a particular incident falls. After all, an apparent phishing attempt could be little more than unsophisticated spam, or an attempt to destabilize an election.
These difficulties, however, are not insurmountable, and at a minimum it is clear that more communication is desired by industry and agencies alike. Sophisticated private sector actors might benefit from targeted government intervention on their behalf, while unsophisticated actors could benefit from technical expertise not otherwise at their disposal. A cyber hotline that allows companies to report incipient cyberattacks — just as any other crime would be reported to 911 dispatch — could be an effective means of improving cybersecurity that also enjoys support from the business community.