Fortune - USA (2021-02 & 2021-03)

WHAT COMES NEXT : CYBERSECURITY

level Office of the National Cyber Director and grants new private-sector threat-response powers to the federal Cybersecurity and Infrastructure Security Agency—significant changes that commission members hope will prompt closer collaboration between government and industry on security standards. “A lot of the recommendations, some of us have been making for years,” says Cilluffo, who’s also a commissioner. “But the political will was not where it needed to be. Now, we don’t need any reminders.”

Solarium’s mandate has been extended for at least another year, and its next round of advocacy and recommendations will focus more squarely on the private sector. The goal: creating better incentives for building secure software and sharing intelligence about cyberthreats.

On the engineering side, Solarium is pushing for a national cybersecurity certification authority—something like a Better Business Bureau that would grant its seal of approval to safer software. Such certification would likely involve tracking software manufacturers’ defenses against well-known attacks, which make up a growing share of breaches. Increasingly, rank-and-file cybercriminals barely code at all, and instead use prepackaged tools sold by more skilled malefactors. Standardized defenses against this sort of simple, repetitive attack, Cilluffo says, could help free up cyberdefense teams to focus on fighting more subtle, innovative, and dangerous attacks, such as those from state-backed adversaries.
Other reformers back a so-called Software Bill of Materials: such a requirement would oblige U.S. tech companies to catalog the third-party modules, open-source components, and library code (and the version of each) they used to build a piece of software—addressing the industry’s transparency problem. With such an inventory, a newly discovered flaw in one component can be traced to every product that contains it, making it easier to alert developers and customers, just as an auto manufacturer can issue a recall if, say, a brake shoe turns out to be defective.
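To show concretely what such an inventory makes possible, here is an added example (written for this page, not code from the commission, the article, or any of its sources) that matches a small, constructed SBOM against a constructed advisory list and reports which components fall inside an affected version range. The product and component names, the advisory identifiers, and the simplified JSON layout are all assumptions of the example; real SBOMs use formats such as CycloneDX or SPDX, which this does not fully implement.

```python
import json
from typing import Dict, List, Tuple

# Constructed SBOM for a hypothetical product. The layout loosely mirrors
# the "components" list of real SBOM formats but is an assumption of this
# example, not CycloneDX or SPDX.
SBOM_JSON = """
{
  "name": "billing-api",
  "version": "3.2.0",
  "components": [
    {"type": "library", "group": "com.example.logging", "name": "acme-logger", "version": "2.14.1"},
    {"type": "library", "group": "com.example.parse",   "name": "fastparse",   "version": "2.9.10"},
    {"type": "library", "name": "tls-shim", "version": "1.1.1"},
    {"type": "library", "name": "httpkit",  "version": "2.25.1"}
  ]
}
"""

# Constructed advisories (hypothetical identifiers, not real CVEs). A
# component is affected when introduced <= version < fixed_in.
ADVISORIES: List[Dict[str, str]] = [
    {"id": "ADV-2021-001", "component": "com.example.logging:acme-logger",
     "introduced": "2.0", "fixed_in": "2.15.0"},
    {"id": "ADV-2021-002", "component": "com.example.parse:fastparse",
     "introduced": "2.0", "fixed_in": "2.9.10"},
    {"id": "ADV-2021-003", "component": "httpkit",
     "introduced": "0", "fixed_in": "2.26.0"},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version ("2.14.1") into a tuple of ints.

    Only dotted integers are supported; anything else is rejected rather
    than silently mis-compared.
    """
    parts = v.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {v!r}")
    return tuple(int(p) for p in parts)


def version_lt(a: str, b: str) -> bool:
    """True if version a is strictly older than version b.

    Comparison is numeric per segment, not lexical: "2.9.10" is newer than
    "2.9.9" even though it sorts lower as a string. Shorter versions are
    padded with zeros, so "2.15" equals "2.15.0".
    """
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return ta < tb


def component_key(comp: Dict[str, str]) -> str:
    """Identity used to match an SBOM entry to an advisory: group:name, or name alone."""
    return f"{comp['group']}:{comp['name']}" if comp.get("group") else comp["name"]


def load_sbom(text: str) -> Dict:
    return json.loads(text)


def affected_components(sbom: Dict, advisories: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one record per (component, advisory) pair whose version falls
    inside the advisory's affected range, in SBOM order."""
    by_component: Dict[str, List[Dict[str, str]]] = {}
    for adv in advisories:
        by_component.setdefault(adv["component"], []).append(adv)

    hits = []
    for comp in sbom.get("components", []):
        for adv in by_component.get(component_key(comp), []):
            ver = comp["version"]
            if not version_lt(ver, adv["introduced"]) and version_lt(ver, adv["fixed_in"]):
                hits.append({
                    "component": component_key(comp),
                    "version": ver,
                    "advisory": adv["id"],
                    "fixed_in": adv["fixed_in"],
                })
    return hits


if __name__ == "__main__":
    sbom = load_sbom(SBOM_JSON)
    print(f"{sbom['name']} {sbom['version']}:")
    for hit in affected_components(sbom, ADVISORIES):
        print(f"  {hit['component']} {hit['version']} affected by {hit['advisory']} (fixed in {hit['fixed_in']})")
```

Two details matter in practice. Versions must be compared numerically per segment, since a string comparison would wrongly flag "2.9.10" as older than the "2.9.10" fix threshold's neighbours; and the component identity (here group plus name) has to be the same string on both the inventory and the advisory side, or nothing matches. The industry's wariness noted below also applies here: the same file that lets a vendor find affected customers quickly tells an attacker exactly which library versions a product ships, so who receives the SBOM is part of the design.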
The more urgent advocacy will be around the sharing of information about cyberassaults. Spaulding says that new rules could include enhanced threat reporting requirements for “critical infrastructure companies”—a category that might include private cybersecurity firms.

Proposals like these elicit understandable wariness from industry. Complying with a Software Bill of Materials, for instance, could be cost- and labor-intensive for companies, and could even create new risks by providing detailed information to attackers. Intelligence-sharing mandates, too, face opposition from many cybersecurity firms, which see them as eroding their competitive advantages. Cisco’s Wenger worries, for example, that such rules could deter investment in cybersecurity, by reducing how much private firms can benefit financially from their research.

The question ultimately may be whether the cost of cooperation is greater than the cost of the next SolarWinds—or the one after that.


IN THE U.S. at present, companies have to disclose breaches only when they compromise certain types of data, like people’s personal information. Most electronic break-ins—including ones featuring high-stakes stolen trade secrets, financial losses, or worse outcomes—therefore go unreported.

That’s got to change, cybersecurity experts say, and the bar for public disclosure must be lowered. A national data breach disclosure law, akin to what Europe requires, would force companies to report any significant network intrusions to the government. If CISA can get a clearer picture of widespread hacking campaigns, it can better help coordinate responses. Down the line, obliging publicly traded companies to file cybersecurity-related metrics to the Securities and Exchange Commission, as they already do in accounting, will let stakeholders better assess risk.

If there’s “less of a scarlet letter around a breach and a greater willingness to talk about them,” says Amit Yoran, CEO of cybersecurity firm Tenable Networks and former president of RSA, then “you’ll have more informed investors, and, as a nation, we’ll have a better understanding of how many of these breaches are actually occurring and what the cost is.”
“It’s too easy for companies to argue their way out of disclosures under SEC guidance now, and the cottage legal industry that’s formed around it is doing nobody any good,” says Robert Knake, an ex–National Security Council member.
The trick is to make sure stronger disclosure requirements don’t stop companies from rooting out intrusions in the first place, a possible negative outcome Knake says is like taking “an ostrichlike approach.” Companies might prefer to stick their heads in the proverbial sand rather than spend money looking for hacks they’ll have to tell the world about.

Companies that specialize in cyber “threat intel” are also wary about rules that might require them to disclose the hacks they unearth—in part because their business models are often based on selling warnings exclusively to clients. Suzanne Spaulding, a cybersecurity expert and a member of the Solarium Commission who supports such rules, says, “The concern over the years from companies has been, if I’m a good actor, and I disclose, but my competitor finds a way to hide it, that’s a competitive disadvantage.”

For the broader business community, stronger disclosure rules might have to go hand in hand with formalized audit and penetration-testing guidelines. Because if more hackings, like SolarWinds, can be brought out of the shadows, then sunlight can work its disinfecting magic.


1. FEWER SECRETS: PASSING A DATA BREACH NOTIFICATION LAW