Expected breach disclosure mandates will test government-industry cooperation

During congressional hearings about the breach involving SolarWinds, lawmakers have emphasized the fact a private cybersecurity firm both detected and voluntarily alerted the government to the flaw that led to breaches at nine federal agencies.

Sen. Rob Portman (R-Ohio) said that was the case "despite all of the increased funding that has been appropriated for cybersecurity" through legislation from the Senate Homeland Security and Governmental Affairs Committee, which oversees multiple cybersecurity programs defending federal networks.

In addition to the anticipated executive order, Sen. Angus King (I-Maine) and Reps. Jim Langevin (D-R.I.) and Michael McCaul (R-Texas) said they intend to introduce bills to make breach notification requirements standard in government and in the private sector.

Why has government not institute breach notification through contract requirements already, given the number of high profile breaches and leaks over the last decade? According to experts interviewed by FCW, a big issue is that each agency has its own contracting rules and culture.

"Who would do it? There is no central directive to do it. So that leaves it up to each agency and each agency's contracting officer, and sometimes they think about it, and sometimes they don't," said James Lewis, a cybersecurity expert at the Center for Strategic and International Studies.

The Defense Department for example does impose notification requirements on contracts that involve classified networks, according to Andrew Hunter, also an expert at CSIS focused on the defense industry, but for unclassified data the Pentagon's requirements are less stringent and focused around aligning with industry best practices.

"This issue of notifying information about cybersecurity breaches has been an incredibly contentious one with industry," Hunter said.

At the core of that contention are questions about industry's legal liabilities, concerns about who in the government will get access to trade secrets and proprietary information, and what constitutes an adverse cybersecurity event requiring notification?

"I think the biggest challenge for industry is going to be what is shared? With whom? And then what's going to be done with whatever is shared," said one former government official who spoke anonymously to be candid about why companies may challenge an executive order.

This official said the government has not provided clear definitions for what information should be shared in case of a breach or any guidelines for what department or agency should receive that information. The individual predicted the White House may look to the Cybersecurity and Infrastructure Security Agency, or an interagency panel chaired by CISA, as the central gathering point.

"You can't have all of these various definitions for what may or may not need to be shared in hundreds of different contracts that only goes to these agencies that can't really do anything about it," the former official continued.

Like governments, major corporations have their networks pinged by hostile actors thousands of times a day, even if none are successful. Companies don't want to be on the hook for reporting to the government every time a phishing message is intercepted or every time a hacker is probing network defense.

"One thing to think about in either legislation or an EO is if you put in a threshold, you're not going to learn everything. And it's because the companies will say, 'Well, I get lots of breaches all the time.' I think that's good to report because it would hint that there's a problem," Lewis said.

He said government contractors could provide monthly or quarterly reports summarizing the number of attempted penetrations but only provide specific details if an attempt succeeds or data is exfiltrated.

Lewis also said the potential for an industry challenge to the executive order's legality is why legislation is more preferrable. But congressional action comes with its own set of challenges, starting with committee jurisdiction.

"Commerce, Homeland, Judiciary, Intelligence -- [they] all have sweat equity in a data breach and incident reporting," said Mark Montgomery, a senior advisor to the Cyberspace Solarium Commission that recommended more than a dozen cybersecurity provisions included in the Fiscal Year 2021 National Defense Authorization Act.

Montgomery said the commission has worked on developing specific thresholds for when compromises need to be reported. He also distinguished between "breach reporting" and "incident reporting."

The former being when a company must notify their customers promptly if personally identifiable information is compromised. The latter being an additional provision that requires federal authorities to be alerted if a database containing sensitive information is breached.

"We're trying to put the two of them together and get it through because this has struggled in the House and Senate over the last year. There's been three or four bills in both chambers that have petered out," Montgomery said.