IT Organizations Feeling Increased Pressure to Disclose Cyberattacks
Federal officials are attempting different methods to incentivize companies and organizations to disclose cyber-intrusions.
It was an unusual FBI press conference. FBI director Christopher Wray was standing at the podium of the Boston Conference on Cyber Security at Boston College to discuss something that, in the end, didn’t happen.
According to Wray, hackers sponsored by the Iranian government had been attempting a series of cyberattacks on the systems at Boston Children’s Hospital. The attack was ultimately stopped by the FBI in 2021, but Wray painted a dire picture of what may have happened if the hackers had been successful, according to a Boston Globe report. A successful attack ultimately could have locked the hospital staff out of its own systems and the hackers could have demanded a ransom for access to be restored. Or the hacker group could have attempted to control critical systems, including the hospital’s HVAC system, which had been compromised by the attack.
Such a press conference could be seen as an attempt by the FBI to publicly celebrate a win, or an attempt to cast the Iranian government in a bad light for harboring such bad cyber actors.
However, there may have been an additional motive behind Wray’s decision to talk in specifics for the first time about this thwarted attack: to get more businesses and organizations to come forward when targeted or infiltrated by hackers. Wray mentioned that the state of Massachusetts had lost $150 million to cyberattacks in 2021, and he made sure to emphasize that the FBI stands ready to help organizations head off cyberattacks.
“Almost every week, we’re rushing cyber agents out to help companies figure out what they’ve got on their systems, how to disrupt it, how to interrupt it, how to mitigate, and how to prevent this from becoming something much worse,” he said, according to the Globe report.
The FBI has good reason to trumpet the value of cooperating early and often with law enforcement when hackers strike. Wray’s speech is some two years removed from the start of one of the largest hacks known to have hit a U.S. company or organization: the SolarWinds hack of 2020.
In that hack, SolarWinds, a popular software company that helps companies manage networks, systems, and IT infrastructure, was tricked into sending out malicious code as part of a routine software update. Once the update was downloaded, it allowed hackers to gain access to an estimated hundred companies and about a dozen government agencies. The entities affected included Microsoft, Intel, Cisco, and even the Department of Homeland Security, according to an NPR report. Cybersecurity experts marveled at the sophistication of the SolarWinds attack, and how long it took for the attack to be exposed. There still is no full accounting of how many companies were affected, and that may be because companies have a financial incentive to hide that user data or system security had been compromised.
For at least a decade, the U.S. Securities and Exchange Commission, or SEC, has been warning that companies are failing to disclose cyberattacks to the public.
Federal regulators want to put an end to this practice and create more sunshine around the impact of cyberattacks. In the aftermath of the SolarWinds attack, the SEC opened an investigation into whether some companies failed to fully disclose that they had been affected by the hack, according to a Reuters report. While companies may fear a drop in stock price or loss of business if they disclose the attack, law enforcement officials contend that they can only provide cyberdefense if they know an attack is happening.
Also, new federal regulations are attempting to encourage, and in some cases require, companies to come forward if a cyberintrusion occurs. This spring, Congress passed the Cyber Incident Reporting for Critical Infrastructure Act as part of a large budget bill, and President Joe Biden signed it into law. This act requires owners and operators of critical infrastructure to report some cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security (DHS) within 72 hours. This comes after President Joe Biden signed an executive order in 2021 that, among other things, requires IT service providers to share certain information about breaches in cybersecurity.
The SEC investigation and the new federal regulations may be seen as the stick part of the equation for encouraging better cooperation with law enforcement in the event of a cyberattack. That would make Wray’s speech highlighting the economic and PR value of such cooperation the carrot. Both will be needed to ensure that companies feel properly incentivized to reveal that they may have lost control of their systems or their data during an attack.