Data Breaches Are A Huge Problem


02 Nov 2017


Why More Legislation is Required

John Fulton

Utica College

Abstract

Cyber attacks on public and private information systems are a major problem for information security and for the legal system. While federal organizations and certain federal vendors are now required to report data breaches, no equivalent law covers other private organizations. The complete and timely reporting of breaches is widely viewed as an important tool in protection and enforcement, but companies are often reluctant to reveal such information for a number of reasons. A legal "duty to report" should be created through legislation, with a requirement to share full details with law enforcement and to share those details that are neither personally identifiable information (PII) nor proprietary with other users of information technology. Such legislation would impose burdens on users of information technology and raises privacy concerns, but these issues are outweighed by the value of the information in alerting others to, mitigating, and prosecuting cyber intrusions.

Keywords: cyber intrusions, sharing reports, legal issues

Sharing Reports of Cyber Intrusions: Why More Legislation is Required

Importance of Sharing

Why is sharing details about cyber intrusions important? Most intrusions occur outside of government networks and most do not affect critical infrastructure. What would be gained if details of intrusions were shared?

Data breaches are a huge problem

The Privacy Rights Clearinghouse (2013) has tracked over 3,600 separate reported breaches exposing over 600 million records containing PII since 2005. There are no good metrics for the number of cyber intrusions that happen today. That is not to say there is a shortage of numbers (Verizon, 2012) (Fung, 2013), but they are gathered in different ways, count different levels of intrusion, and are seldom related to whether the intrusion "succeeded." It is clear only that the numbers are very large (from millions per year to millions per day) and growing.

Sharing provides information on ongoing threats. Because threats evolve over time and tend to arrive in clusters (Symantec, 2013), sharing threat information would make it possible for others to defend themselves against the same threat more easily, decreasing or eliminating their loss. Because the nature and details of attacks change so quickly, the traditional paths for learning about criminal methods (journals, informal contacts and conferences, classes and workshops, bulletins from law enforcement organizations, etc.) are too slow and often lack the technical detail needed to act on a reported threat.

Sharing allows the wider community to act on and deter threats. If the wider information technology community is made aware of a specific threat, the threat becomes less effective for the criminal using it and is less likely to be used. To be worth a criminal's investment, an exploit has to work against a large number of computers; one that works against only a few is of much less value. Even when a cyber criminal is intent on a single target, if a fix for a specific exploit has been applied widely, the exploit is less likely to be effective against that target.

Sharing is perceived as a public good. Information security professionals are schooled that, to be good corporate citizens and to defeat cyber criminals, they should share information about breaches, the nature of attacks, and successful strategies for dealing with them. However, since most information resources and the business functions they support are in private hands, information security professionals are governed by corporate culture, local data governance, the laws applying to business activities, and the competitive pressures of the business environment.

Sharing deters criminal activity. Although there is little research on the deterrence value of sharing information about cyber crime, other research shows that some actions on the part of victims, such as reporting crime, have the effect of reducing future crime rates (Goldberg & Gold, 1980). It is argued here that reporting cyber crime, whether to industry groups or to the authorities, would similarly decrease criminal activity. The secrecy surrounding cyber intrusions and the low probability of being discovered or prosecuted are almost certainly factors in this type of crime.

What to Share

Many different types of information could be productively shared after a cyber security incident, and each type has a different kind of value. Each also carries its own risks in being shared.

Sharing the methods used to take the data. The type of attack and the path used to carry it out are the most commonly disclosed information about a cyber attack. Media reports of attacks often contain buzzwords (worm, distributed denial of service attack, brute force password attack, social engineering, zero day exploit, etc.) that describe the methods used. What is provided less often, and what proactive information security professionals are left scrambling for, is the next layer of detail: the specific identifier of the worm that was used, the nature of the social engineering attack, and the configuration shortcoming that allowed a thumb drive to automatically execute a Trojan and drop its payload.

Sharing the methods used to detect the attack. Reported even less frequently are the methods used to identify and verify the attack. Because there are no controls over the distribution of reported attack information today, information security professionals are hesitant to talk about their methods, lest they expose themselves to attacks crafted to evade the tools they disclose. The tools, techniques, monitoring, and reporting mechanisms that discovered breaches are shared infrequently. Yet this kind of sharing has remarkable value, since real-world experience would focus attention on the most productive tools and lower the rates of both false positives (reporting a breach when there is none) and false negatives (failing to report an actual breach).

Sharing the methods used to mitigate the attack. Mitigation methods, whether they block, misdirect, or eliminate the threat, are often shared, but without information about how the threat was detected such information is less useful. Knowing how a threat was detected tells a defender when to apply the mitigation described. Mitigation knowledge without knowledge of when to use it is much less useful.

Sharing the inventory of what was taken. Sharing the details of the information exposed or stolen would make it possible to trace its use and determine who purchased it and who is making it available, enabling investigators to "follow the money." The difficulty is that sharing Personally Identifiable Information (PII) compounds the breach by making the PII even more widely available. Nearly all states and the District of Columbia have laws dealing with the responsibilities of organizations in the case of a data breach. Many of these laws require the organization to report details to the state for breaches that expose the PII of more than a threshold number of individuals (CLLA, 2011). The reported details are used for state law enforcement purposes but are not otherwise consolidated.

Many states also require that the individuals affected by a data breach be contacted and informed (CLLA, 2011), and many of those individuals contact the three national credit reporting bureaus. There is, however, no requirement to report compromised accounts to the credit reporting bureaus and no uniform way in which affected accounts are marked; many are merely marked as "closed at customer request."

The Social Security Administration has no mechanism to accept reports of social security numbers exposed in a data breach or used fraudulently (USSSA, 2013).

While it is possible to anonymize the PII in the details of a breach, doing so removes its value for matching the material stolen in one breach against the material being offered for sale by a hacker or a broker of stolen information.

How to Share

What definitions exist to structure information about breaches? Many organizations that accept information about intrusions accept it through a web-based form (US-CERT, 2013) or as free text in an email (Forensic Examiner, 2008). Several proposed standards exist or are under development to describe the details of cyber intrusions in a formal, open, repeatable way (Hartman et al., 2012) (Verizon, 2012). Most of these standards focus on consistency of description and on the ability to communicate information about cyber intrusions between parties.

Incident Object Description Exchange Form (IODEF). Defined in RFC 5070, IODEF is a common data representation and XML schema for communicating information about computer security incidents (IETF, 2007). IODEF is a proposed standard.
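As an added example (not part of the essay, and not code from the IETF or from any organization named in this paper), the following Python builds a minimal IODEF 1.0 document using the element and attribute names of RFC 5070, sanitizes it for onward sharing by removing the reporter's contact details and coarsening the victim address to a network (the anonymization trade-off discussed under "What to Share"), and parses a received document back into the facts a defender would act on. The incident identifier, e-mail address, IP addresses (RFC 5737 documentation ranges), timestamp, and the CSIRT name csirt.example.org are all constructed for illustration.

```python
"""Build, sanitize and parse a minimal IODEF (RFC 5070) incident report.

Added example; not code from the essay or from the IETF. Element and
attribute names follow RFC 5070; all incident data below is constructed
and uses RFC 5737 documentation addresses.
"""
import copy
import ipaddress
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"
ET.register_namespace("iodef", IODEF_NS)


def q(tag):
    """Namespace-qualify an IODEF tag name for ElementTree."""
    return f"{{{IODEF_NS}}}{tag}"


def build_incident(incident_id, reporter_email, victim_ip, attacker_ip, description):
    """Return an IODEF-Document element for one successful info-leak intrusion."""
    for ip in (victim_ip, attacker_ip):
        ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    doc = ET.Element(q("IODEF-Document"), {"version": "1.00"})
    inc = ET.SubElement(doc, q("Incident"), {"purpose": "reporting"})
    # IncidentID.name identifies the issuing CSIRT; the name is an assumption
    ET.SubElement(inc, q("IncidentID"), {"name": "csirt.example.org"}).text = incident_id
    ET.SubElement(inc, q("ReportTime")).text = "2013-04-01T12:00:00+00:00"  # constructed
    ET.SubElement(inc, q("Description")).text = description
    assessment = ET.SubElement(inc, q("Assessment"))
    ET.SubElement(assessment, q("Impact"),
                  {"severity": "medium", "completion": "succeeded", "type": "info-leak"})
    contact = ET.SubElement(inc, q("Contact"), {"role": "creator", "type": "organization"})
    ET.SubElement(contact, q("Email")).text = reporter_email
    # One Flow with an attacker (source) and a victim (target) system
    flow = ET.SubElement(ET.SubElement(inc, q("EventData")), q("Flow"))
    for category, ip in (("source", attacker_ip), ("target", victim_ip)):
        node = ET.SubElement(ET.SubElement(flow, q("System"), {"category": category}), q("Node"))
        ET.SubElement(node, q("Address"), {"category": "ipv4-addr"}).text = ip
    return doc


def sanitize_for_sharing(doc):
    """Copy a report for onward distribution: drop the reporter's e-mail and
    coarsen victim addresses to a /16 network, keeping attacker indicators intact."""
    shared = copy.deepcopy(doc)
    for email in shared.iter(q("Email")):
        email.text = "redacted@example.invalid"
    for system in shared.iter(q("System")):
        if system.get("category") != "target":
            continue
        for addr in system.iter(q("Address")):
            if addr.get("category") == "ipv4-addr":
                net = ipaddress.ip_network(f"{addr.text}/16", strict=False)
                addr.set("category", "ipv4-net")  # IODEF category for a network
                addr.text = str(net)
    return shared


def serialize(doc):
    """Serialize an IODEF-Document element to an XML string."""
    return ET.tostring(doc, encoding="unicode")


def parse_report(xml_text):
    """Parse an IODEF document and return the facts a recipient would act on."""
    root = ET.fromstring(xml_text)
    if root.tag != q("IODEF-Document") or root.get("version") != "1.00":
        raise ValueError("not an IODEF 1.0 document")
    impact = root.find(f".//{q('Impact')}")
    sources = [a.text for a in root.findall(
        f".//{q('System')}[@category='source']/{q('Node')}/{q('Address')}")]
    return {
        "incident_id": root.findtext(f".//{q('IncidentID')}"),
        "severity": impact.get("severity"),
        "impact_type": impact.get("type"),
        "sources": sources,
    }


if __name__ == "__main__":
    report = build_incident("INC-2013-0042", "soc@example.org",
                            "203.0.113.5", "198.51.100.77",
                            "Customer records exfiltrated after a phishing login")
    print(serialize(sanitize_for_sharing(report)))
    print(parse_report(serialize(report)))
```

The sanitized copy still carries the attacker address and the impact assessment, which is what a peer organization needs to check its own logs, while the victim's exact host and the reporter's mailbox do not leave the originating organization. Real deployments would validate against the RFC 5070 XML schema and carry the document over RID (RFC 6545) rather than as a bare string.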

Real-time Inter-network Defense (RID). RFC 6545, the proposed standard for RID, defines the communication methods for sharing incident data and for integrating other aspects of working with service providers or computer security incident response teams. It provides a secure transport for the exchange of IODEF documents (IETF, 2012).

Malware Attribute Enumeration and Characterization (MAEC). MAEC is a publicly available language for describing and classifying malware by its behavior. The open project is an effort by the MITRE Corporation, the Department of Homeland Security (DHS), and other volunteer participants. The language is in its fourth version.

Common Attack Pattern Enumeration and Classification (CAPEC). Borrowing the design pattern metaphor from programming, CAPEC defines attack patterns for common types of computer security intrusions and provides a comprehensive schema and taxonomy for describing attacks. CAPEC is free for public use and is sponsored by the MITRE Corporation and DHS.

Cyber Observable eXpression (CybOX). CybOX is a freely available schema for capturing, describing, and communicating the events or states of a computer system, focusing especially on the artifacts left behind by a cyber intrusion (Mitre, 2013a). CybOX overlaps in function with IODEF (Mitre, 2013b). It was developed by MITRE with support from DHS.

Advanced Forensic Format 4 (AFF4). AFF4 is an extensible, open source format for the storage and communication of disk images in a forensically sound manner (Cohen, Garfinkel & Schatz, 2009). A wide variety of tools support this or closely related formats, making possible the safe storage and sharing of images of systems that have been compromised by intrusions.

Security Content Automation Protocol (SCAP). The National Institute of Standards and Technology (NIST) has developed a set of specifications for formatting and naming descriptions of security configurations and software flaws. The work was done with extensive public input and published by NIST as part of its Special Publication series in computer security. An SCAP data stream consists of information formatted according to roughly a dozen component specifications that cover the configuration and security set-up, patch level, and software vulnerabilities transmitted from producers to consumers, for both human and automated use (Waltermire, Quinn, Scarfone & Halbardier, 2011).

Traffic Light Protocol (TLP). The traffic light protocol (US-CERT, 2013a) is an early effort to identify the sensitivity to disclosure of commercial materials, following the hierarchical portion of the military's information classification system. The white, green, amber, and red markings correspond roughly to unclassified, confidential, secret, and top secret (Paige, 1997). This is an advisory standard: there are no civil or criminal sanctions for disclosing information in violation of a marking unless a separate binding agreement exists between the parties sharing the information.

What Sharing is Done Today?

Information sharing organizations

Given the high value assigned to sharing information about cybersecurity breaches, many organizations have arisen as ways to share information about breaches among participants (Gordon, Loeb & Lucyshyn, 2003).

US-CERT Incident Reporting System (IRS). The U.S. Computer Emergency Readiness Team (US-CERT) provides an incident reporting mechanism through which cyber security breaches can be reported for analysis. Incidents accepted for reporting fall into four categories: attempts to gain unauthorized access to systems, unauthorized disruption or denial of service, unauthorized use of a system for storing or processing data, and changes to an owner's computer system (hardware, firmware, or software) without the owner's knowledge or consent (US-CERT, 2013). US-CERT also accepts reports of phishing attacks. Reports of software vulnerabilities are referred to the Vulnerability Notes Database at the Carnegie Mellon Software Engineering Institute. Reports are evaluated, digested, and communicated to the community in the form of online incident reports and email notifications.

The US-CERT IRS also accepts reports on behalf of the Information Sharing and Analysis Centers (see below).

Information Sharing and Analysis Centers. Information Sharing and Analysis Centers (ISACs) were proposed and strongly encouraged in May of 1998 by Presidential Decision Directive 63 (PDD 63) as part of a public/private partnership to provide for critical infrastructure protection. Each of the named critical infrastructure sectors (transportation, electrical power, telecommunications, etc.) was charged with creating and encouraging participation in industry specific ISACs. The directive mandated studies to deal with liability issues concerning the sharing of information by private entities, legal implications of information sharing, the necessity of information and document classification in such systems along with the impact on sharing of such classification.

Fifteen sector-specific ISACs exist to develop standards for the protection of critical infrastructure against all threats, including cyber threats (NCI, 2013), and to assist members with best practices, threat assessment tools, and information about current threats.

Within some of the ISACs, participant organizations have elected to begin sharing intrusion incident reports with member organizations, some going so far as to share automated reports generated by their incident management systems with the other ISAC members. The legal and procedural issues of managing trust and privacy across institutions remain (Hartman et al., 2012).

Threat and breach information for the ISACs is also gathered through the US-CERT reporting system.

FBI/IC3. The Internet Crime Complaint Center (IC3), a partnership between the FBI and the National White Collar Crime Center, gathers reports of suspected Internet crimes and of crimes in which the Internet was an instrument (IC3, 2013). Reports to the IC3 focus on economic crime, not cybersecurity breaches. Information provided to the IC3 may or may not remain confidential, depending on state law, and is used for law enforcement purposes only.

InfraGard. InfraGard is a partnership between the FBI and the private sector, providing information sharing and analysis on a non-disclosure basis. Created in 1996 at the Cleveland FBI field office, the program was adopted by headquarters as a response to PDD 63 with local chapters associated with every FBI field office. The program has the goal of more directly involving the FBI in the protection of critical national infrastructure.

InfraGard provides a secure mechanism for members to report incidents and distributes sanitized information about each incident to other InfraGard members. The FBI provides analysis and opens cases as needed (Forensic Examiner, 2008).

Secret Service Electronic Crimes Task Forces. The USA PATRIOT Act (2001) mandated that the Secret Service create a nationwide series of Electronic Crimes Task Forces (ECTFs) for the prevention, detection, mitigation, and investigation of attacks on the nation's critical infrastructure, with particular focus on the financial infrastructure.

The ECTFs are economic crime units, focusing on crimes of significant economic impact, crimes involving organized crime, and crimes making use of new technology. There is no separate mechanism for reporting incidents to the Secret Service's ECTFs (U.S. Secret Service, 2012).

Proprietary environments

Leading providers of information security services have long seen the need for better sharing of cyber intrusion information and have begun to test and deploy systems that ease the burden of sharing it, even if only in closed environments (business user to cyber security consultant, for example) (Hartman et al., 2012) (Verizon, 2012). Many issues concerning exposure of proprietary information remain unaddressed in these solutions, which depend on mutual non-disclosure agreements within a contracting relationship.

Why Organizations Don’t Report Breaches

Although there have been some notable exceptions recently (Perlroth, 2013), public companies and organizations have been very resistant to disclosing cyber attacks despite repeated industry and government encouragement to do so (Menn, 2012).

One multi-year survey of information security professionals reports that organizations are actually submitting fewer reports of breaches as time goes on (Richardson, 2008).

Many issues limit the real or perceived ability of companies to share the details of any breach of their computer systems, except as required by law (Phneah, 2012). Public policy issues surrounding the sharing of cyber security threat information are seen as a major constraint on the ability to find, track, and react to cyber security threats (Liu et al., 2013).

Legal restraints

Several federal laws potentially constrain any scheme by which organizations would share cyber threat information with other organizations (Fischer, 2012) (Liu et al., 2013).

Anti-Trust. A number of federal laws constrain the information that may be shared between companies in order to prevent anti-competitive practices. These include the Sherman Antitrust Act, the Wilson Tariff Act, the Clayton Act, and Section 5 of the Federal Trade Commission Act (Fischer, 2012). Sharing information between companies in the same field always raises concerns about collusion between competitors. Several commercial sectors have been granted anti-trust exemptions (AAI, 2010), and such an exemption for sharing information related to cyber security breaches would be one way to overcome this issue. Individual information sharing plans can be granted an exemption from enforcement of the anti-trust provisions (Klein, 2000), but a broad exemption is viewed as an important step toward such sharing. Such an exemption has previously been proposed in federal legislation (Fischer, 2012) but not enacted.

Freedom of Information Act (FOIA). Although FOIA specifically exempts several types of information from disclosure (DHS, 2013), many organizations are reluctant to disclose sensitive information to the federal government because of concerns about privacy, trade secrets, and competitive information. There is also a growing and pervasive mistrust of government and its motives, which casts efforts to gather and share information about cyber breaches as just another example of "big brother" trying to invade our privacy (Gallup, 2013).

Here there is a two-edged sword, neither edge of which cuts in favor of information sharing. On the one hand, businesses are unlikely to share details in any voluntary program of information sharing about breaches without a specific exemption from the FOIA requirements that would later release that information. Without such an exemption, they argue, customer data, trade secrets, and other proprietary information could be made available to competitors, the public, and the media.

On the other hand, privacy advocates have been, and will continue to be, very vocal in opposing what they consider a weakening of FOIA, since it would allow the government to collect information that individuals have no right to access because of the proposed FOIA limitations. These arguments are made despite the fact that the information provided in such an arrangement has already been exposed in a cyber intrusion.

These concerns were responsible, in part, for the defeat of substantial cybersecurity legislation in 2012 and may do the same in 2013.

Federal Advisory Committee Act (FACA). FACA governs the activities of federal advisory boards and requires that all meetings have advance public notice and that the papers and other materials of a board be subject to FOIA (GSA, 2013). Under many proposals for sharing information about cyber intrusions, the exchange set up to do the sharing could be classified as falling under FACA, which would make all the information it gathered available under FOIA. This could, of course, be remedied through legislation that specifically enables incident sharing.

Privacy Act of 1974. The Privacy Act limits the way in which federal agencies can share or disclose PII and would potentially limit the ability of the government to share information about cyber breaches between agencies and from agencies to private organizations. Exemptions to the act exist for law enforcement, but changes to legislation seem necessary to provide for sharing of detailed breach information to participants in a sharing program.

Exemptions from the notification and reporting requirements of the Privacy Act would likely create substantial concern among the same groups that oppose FOIA exemptions for cyber security sharing.

Other concerns

Privacy concerns. Most organizations operate under a privacy policy in order to comply with state and federal requirements and to inform consumers about how they use the PII they collect (Connelly, 2010). American consumers receive many of these privacy policy notices on a regular basis. Organizations would have to disclose to customers any use of their information that was shared as part of a threat sharing program.

Loss of confidence. Individuals are increasingly reluctant to share PII with organizations even with legal protections in place, and news that a breach of that data has occurred is perceived as a major potential loss of individuals' confidence in the organization.

Federal Legislative and Executive efforts to Encourage/Require Sharing

Even with the large number and variety of tools and mechanisms in place, there seems to be little movement toward voluntary sharing of information about cyber intrusions. What legislative actions have been, or can be, taken?

Current Laws and Executive Actions

Several executive and legislative actions currently in force encourage organizations, particularly those in the critical infrastructure sectors, to share information with the federal government (Gordon, Loeb & Lucyshyn, 2003).

Presidential Decision Directive (PDD) 63 (1998). Focused on the protection of critical national infrastructure, this PDD "strongly encourages" the creation of Information Sharing and Analysis Centers (ISACs). The directive also mandates studies to examine the legal difficulties and liability issues involved in sharing cyber intrusion information (Clinton, 1998). ISACs were eventually formed for all of the critical infrastructure areas.

Executive Order 13231 (2001). Titled "Critical Infrastructure Protection in the Information Age", this Executive Order further encouraged the sharing of threat information between federal departments and agencies and with local, state and tribal entities along with the voluntary industry-based ISACs (Bush, 2001).

Homeland Security Act of 2002 (HSA). Subtitle B of the HSA identifies the "Critical Infrastructure Information Act of 2002". It protects information about critical infrastructure that is submitted to federal agencies from disclosure under the Freedom of Information Act (FOIA), exempts the information from consideration as ex parte communications, does not waive any rights or protections such as trade secrets, and makes it exempt from the terms of the Federal Advisory Committee Act. The HSA also provides criminal penalties for violations of these protections (DHS, 2002).

National Strategy to Secure Cyberspace (2003). Created by the Department of Homeland Security in response to the September 11 attacks, this document provides recommendations (not mandates) and lists improving the public-private sharing of information about cyber threats as one of its eight major goals (DHS, 2003).

Executive Order 13636, Improving Critical Infrastructure Cybersecurity (2013). This executive order requires federal agencies that hold information about breaches or attempted breaches to share it with participating critical infrastructure organizations (Choney, 2013). Previously such sharing was encouraged; the executive order makes it mandatory. There is no provision requiring companies to share breach or attack information with the federal agencies, although agencies are encouraged to develop incentives for companies to do so (Tehan, 2013).

Legislative and Executive proposals

Several legislative actions have been undertaken in recent sessions that would have provided the beginnings of a mechanism for sharing reports of cyber intrusions (Fischer, 2012) (Tehan, 2013). During the 112th Congress at least five different bills (H.R. 3523, S. 2102, S. 2105, S. 2151, and S. 3342) were introduced in the Senate or House that would have permitted the sharing of information between private organizations or with a sharing center and would have eliminated many of the legal limitations on such sharing discussed above. One of the bills (H.R. 3523) proposed sharing classified information from national security organizations with properly cleared individuals in private industry where such disclosure would aid in the investigation or mitigation of cyber intrusion incidents.

Cyber Intelligence Sharing and Protection Act (CISPA). In the current (113th) congressional session, much attention has been focused on CISPA (CRS, 2013). As this paper is written, CISPA has been passed by the House and awaits Senate action. The current bill sets up a voluntary information sharing arrangement between private industry and the federal government in exchange for liability protections. The bill also allows properly cleared individuals in private organizations to receive security information about cyber intrusions that had previously been available only to those inside the security agencies (Benson, 2013). The voluntary program outlined in the bill has dropped some of the provisions of most concern to privacy advocates, but the bill still faces substantial opposition and presidential pressure for further privacy-based modifications (Zetter, 2013) (McMillin, 2013).

Summary and Recommendations

Were all the legal and administrative restrictions swept aside, there would remain a strong culture of secrecy surrounding the weaknesses of private industry in the realm of cyber intrusions. No one wants to be the bank or medical care facility reported as having its records exposed by a hacker. Everyone fears reporting an intrusion lest news of it appear on the local news at 6 PM.

In the absence of a legal duty to report the theft of PII to a central authority, of the kind most state laws already impose for notification, breaches will continue to be reported and summarized in a piecemeal fashion.

The mechanisms exist to provide machine-readable records of cyber intrusions and many organizations have automated systems in place to monitor and report on their infrastructure. Large organizations already share reports of intrusions with third parties on a non-disclosure basis for assistance with cyber intrusions investigation and for cyber intrusion testing and consulting.

The legal issues and liabilities are well understood.

The continued integrity and usefulness of the Internet-based economy depends on having more, better, and faster information about the threat that cyber intrusions present.

A federal requirement to report cyber intrusions, with details provided to other organizations, paralleling the requirement in most states to report exposure of PII, would cause two remarkable changes in the behavior of organizations with respect to cyber security.

Firstly, with actual numbers for the scope of intrusions and the person-hours already being spent dealing with them, pressure will arise for a more secure Internet, which in turn will allow ISPs to block spam and botnets and to take down access to criminal web sites.

Secondly, if organizations know they will have to report breaches, they will focus on preventing breaches, rather than reacting to them. Organizations will have to focus resources on training users to avoid dangerous practices, securing systems, and putting monitoring and response systems in place.

The privacy concerns of critics of a mandatory reporting system are very real and such a system must have safeguards, independent oversight, and meaningful criminal and civil penalties for misuse of the information collected.

If the Internet is to continue to be a useful place to do business and research, we must protect it. To protect it, we must know how criminals are trying to attack it. Today, it is not in any participant's self-interest to report when they are attacked. For the good of the Internet, we must require such reporting.


