As the Federal government works through the rulemaking process for the recently signed Incident Reporting legislation that originated in the Senate Homeland Security and Governmental Affairs Committee, witnesses before that same committee today stressed the need both for unity among reporting avenues and for standardization of the reported data, so that the data can actually be operationalized.
The hearing came shortly after the committee released a report finding that the Federal government has insufficient data on ransomware attacks. Witnesses before the committee emphasized that even once the reporting legislation is implemented, it will not be of the most benefit
“Ransomware is a symptom of a broader problem,” Megan Strifel, chief strategy officer for the Institute for Security and Technology, said at the hearing. “And that problem originated decades ago through a confluence of factors each of which must be addressed to put a significant dent in the ransomware related cybercrime, but also in all aspects of cybersecurity risk and resulting cybercrime.”
“Ransomware is 21st-century extortion but extortion is not a 21st-century invention,” Strifel continued. “Today, however, there are only partial views spread across many stakeholders without a common process or pathway to stitch the pieces together.”
Strifel said that coordination among reporting avenues for victims would increase visibility and cut down on confusion and allow for a streamlining of information.
“Ultimately, there should be harmony among government reporting avenues,” Strifel said. “This would ease confusion among victims and streamline the collection of an analysis of attack information. The recently passed reporting legislation will address aspects of this challenge. However, the need for consistency across reporting pathways is more immediate. It is especially critical while the rulemaking process is underway.”
Earlier this month, the Cybersecurity and Infrastructure Security Agency’s (CISA) Executive Director Brandon Wales said he is looking at an “aggressive pace” for the rulemaking process, but he also indicated that the rule implementing the incident reporting legislation could still be a few years away.
Strifel said that regardless of the rulemaking process, it is important to have that harmonization due to the scope of organizations that will likely have to report both mandatorily and voluntarily. The law requires critical infrastructure owners and operators to report certain incidents to CISA within 72 hours and any ransomware payments within 24 hours.
As the rulemaking process continues, Bill Siegel, the chief executive officer at Coveware, said agencies should standardize the practices by which they collect attack information by using resources like the National Institute of Standards and Technology (NIST) Cybersecurity Framework, so that unstructured data does not burden them.
“These frameworks come with standard hierarchies, standard names, standard codes; ransomware attacks are incredibly repetitive,” Siegel said. “The value of collecting the bottom end of the unstructured log data – which could be hundreds of gigabytes or terabytes for a single attack – is very minimal.”
“But the value in abstracting that up a couple layers of altitude to just the tactics, techniques, and procedures so that CISA could very quickly say, ‘Okay, we’ve got 10 reports that happened last week. They all use the same tactics. These are tactics that we haven’t seen before. Let’s get a timely warning out,’” Siegel added.
“Conversely, if they were to collect the unstructured data, it could require an army of individuals to perform weeks of forensic analysis before those same conclusions could be reached,” he concluded.
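Siegel's point is that once reports arrive as standard technique codes rather than raw logs, the "ten reports last week, same tactics, never seen before" check becomes a simple count. The following is an added illustration of that workflow, not code from the hearing or from Coveware; every report and every technique code in it is a constructed placeholder, not a real taxonomy identifier.

```python
"""Roll structured incident reports up to shared technique codes and flag novel ones.

Added example: all report data and "TX-*" technique codes are constructed
placeholders standing in for whatever standard hierarchy a schema would use.
"""
from collections import Counter
from datetime import date, timedelta

# Constructed reports: (report id, date received, set of standard technique codes).
BASELINE = [  # what the agency had already seen before this reporting window
    ("r-001", date(2022, 3, 1), {"TX-INITIAL-PHISH", "TX-ENCRYPT"}),
    ("r-002", date(2022, 3, 4), {"TX-INITIAL-RDP", "TX-ENCRYPT"}),
]
THIS_WEEK = [  # reports received in the current window
    ("r-101", date(2022, 3, 21), {"TX-INITIAL-VPN-FLAW", "TX-DISABLE-BACKUP", "TX-ENCRYPT"}),
    ("r-102", date(2022, 3, 22), {"TX-INITIAL-VPN-FLAW", "TX-DISABLE-BACKUP", "TX-ENCRYPT"}),
    ("r-103", date(2022, 3, 23), {"TX-INITIAL-PHISH", "TX-ENCRYPT"}),
    ("r-104", date(2022, 3, 25), {"TX-INITIAL-VPN-FLAW", "TX-DISABLE-BACKUP"}),
]


def reports_in_window(reports, end, days=7):
    """Return reports received in the `days`-day window ending on `end` (inclusive)."""
    start = end - timedelta(days=days - 1)
    return [r for r in reports if start <= r[1] <= end]


def novel_clusters(recent, baseline, min_reports=2):
    """Technique codes seen in >= min_reports recent reports but in no baseline report.

    Returns {code: count}. Because every report uses the same codes, this is a
    single pass over the data rather than weeks of log forensics.
    """
    seen_before = set().union(*(r[2] for r in baseline))
    counts = Counter(code for r in recent for code in r[2])
    return {c: n for c, n in counts.items() if n >= min_reports and c not in seen_before}


def affected_reports(recent, code):
    """Sorted ids of the recent reports that share a given technique code."""
    return sorted(r[0] for r in recent if code in r[2])


def weekly_warning(reports=THIS_WEEK, baseline=BASELINE, end=date(2022, 3, 25)):
    """Build the 'timely warning' input: each novel code with the reports behind it."""
    recent = reports_in_window(reports, end)
    return {code: affected_reports(recent, code) for code in novel_clusters(recent, baseline)}


if __name__ == "__main__":
    for code, ids in weekly_warning().items():
        print(f"{code}: seen in {len(ids)} reports this week, not in baseline: {ids}")
```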
Jacqueline Koven, head of cyber threat intelligence at Chainalysis, also agreed with the importance of having that data come in a standardized manner. Koven pointed to its importance in not only being able to operationalize the data to prevent further attacks but also in being able to potentially subpoena cryptocurrency companies to follow the money.
“The standardization is incredibly, extremely important to be able to operationalize that information swiftly so that they can be used to subpoena cryptocurrency businesses and used for attribution and accountability of these threat actors,” Koven said. “Being able to operationalize and share these at scale can lead to further successes.”