Barracuda CTO Fleming Shi on mandatory reporting of cybersecurity incidents
World history is packed with tales of espionage and stolen secrets. Sun Tzu discussed the value and application of spycraft in-depth in his classic military treatise The Art of War. Stealing enemy secrets, infiltrating enemy leadership, and feeding disinformation to the enemy are all identified as critical military operations. We also see evidence of espionage and subversion in the ancient Greek, Roman, Egyptian, and Aztec empires.
Government espionage reached cyberspace (as we know it) as early as 1982, when the CIA allegedly inserted a trojan horse into the control systems of a Siberian gas pipeline. The code reportedly reset pumps and valves to build enough pressure to rupture the pipeline, causing an explosion. In 1985 Chinese hackers allegedly breached the US Office of Personnel Management, stealing sensitive data on millions of employees.
Modern IT systems are much more connected than those of the 1980s, and everything on the Internet is an attack surface. Espionage and subversion no longer require direct access to the enemy. One of the key challenges for the US government is the fact that so many important functions of the government rely on systems privately owned by a third party. The same is true for state and local governments, healthcare networks, and schools. All of this connectivity makes it more difficult for the federal government to protect the public because information and systems are potentially exposed to unknown security gaps that are beyond its control.
We’ve seen a handful of such attacks over the last few years. The Colonial Pipeline incident may not have been espionage, but it revealed an unacceptable risk posed by our growing system of systems. Attacks on hospitals, water systems, and research universities are all examples of cyber incidents that could be nation-state espionage or could be isolated threat actors looking for a payday. It often looks the same from the outside.
Making things more difficult is a state-level patchwork of data breach notification laws that are difficult to enforce. Many private entities do not want to disclose cybersecurity incidents because they do not want to suffer the embarrassment and potential repercussions from investors and the public. Most will not disclose this information unless they are compelled to do so. This is especially true when the effects of the attack are not visible to the public. There was no hiding the Colonial Pipeline attack, but the 2016 Uber data breach that compromised over 57 million accounts was not disclosed for a year. Although Uber may not be an active player in spy games, the personal data exposed in that breach can be used in identity theft crimes or combined with other data in order to access sensitive accounts. It only takes one hacked account to compromise national security.
Because so many private entities are reluctant to disclose incidents on their own, world governments are attempting to centralize the information around cybersecurity incidents by rolling out initiatives and mandates. Several technology leaders have commented on how governments should go about ensuring that information about cybersecurity incidents is shared. Barracuda CTO Fleming Shi is quoted in Protocol as saying he is a “firm believer that cyber incident reporting should become the norm and that government intervention is key to making this happen.” He also discussed the importance of disrupting the transfer of wealth to attackers as a means of reducing attacks. You can read his commentary here, and connect with him on LinkedIn here.
With more systems coming online every day, threat actors have more opportunities to steal information. A smart camera can lead to a city government network, leading to a state network, leading to a federal network. A smart ticketing terminal can expose information on public transportation infrastructure and potentially disrupt a large city. There are several initiatives underway to create universal standards for security and reporting. How we enforce those standards and collect information on attacks are questions that we’re still trying to answer.