Infosec expert says mandatory cyber incident reporting is worth considering in Canada

A Canadian cybersecurity expert says Canadian organizations should report cyber incidents to a federal authority so that nation-wide threat intelligence can be developed.

“Canada absolutely needs mandatory full incident reporting,” said Brett Callow, a British Columbia-based threat analyst for Emsisoft. “Understanding how and why attacks happen is a key element in stopping them. As it is, [public] disclosures tend to be short on facts — if they’re made at all, that is — which means law enforcement agencies and securities have only limited insight into the threat landscape. And, of course, this is compounded by the fact that cybercrime is under-reported.”

Other cyber experts have called for a global standard for reporting cyberattacks, Callow noted. “Until we have a platform for reporting and sharing information, more attacks will succeed than they should.”

On the other hand David Swan, Alberta-based director of the Centre for Strategic Cyberspace and International Studies, is skeptical of reporting to a government body. “As it stands mandatory reporting has no ‘up side’ and major down sides,” he said in an email. “This will only work if there is an infrastructure that supports recovery and resilience. Increasing penalties for not reporting will not change much if anything. Even the limited liability protection for reporting third parties would be an improvement – if not an incentive, to improve reporting.”

He points out that the U.S. already has an industry-based network for sharing cybersecurity information called Intelligence Sharing and Analysis Centres (ISACs). “I’ll admit I am prejudiced, I worked for a firm that was part of the Financial Services ISAC (FS-ISAC). Their capabilities were impressive then and have steadily improved since I worked there.”

There is already some information sharing between government and industry through ISACs. On the other hand, he said, there are a lot of ISACs, some with more resources than others. “ISACs are an infrastructure that exists, is trusted and could meet both reporting and support requirements,” he said.

A Canadian version of the ISACs is the Canadian Cyber Threat Exchange (CCTX), a membership-only group that shares threat information.

Dave Masson, Canadian-based director of enterprise security for Darktrace, said he looks forward to seeing what the combined powers of the private sector and public sector can accomplish in the future. “We are only going to see both sectors increasingly targeted by nation states and cybercriminals, so it’s so important that, right now, all organizations wake up to the dangers of cyber-attacks and prepare to defend themselves from innovative adversaries.

“Mandatory breach reporting to a U.S. agency that would be responsible for spreading threat intelligence is absolutely a step in the right direction – and the private sector is actually requesting this process as well.”

There is mandatory data breach reporting in Canada to the OPC, he said, but only if there is real harm to an individual. “If Canada can strengthen this law, to ensure more reporting of massive breaches such as the SolarWinds compromise, we will be in a better place for progress. More collaboration and communication are absolutely key when it comes to cyber: transparency is integral.”

Their comments come after Tuesday’s U.S. Senate hearing on federal mandatory incident reporting in the wake of the 2020 attack on the SolarWinds Orion network management platform. Support came from executives of SolarWinds, Microsoft, FireEye and CrowdStrike, although the details were vague.

Intelligence committee chair Senator Mark Warner wondered if firms should report breaches to an independent agency similar to the U.S. National Transportation Safety Board. The agency would be empowered to launch investigations into whether the factors behind a breach or breaches are evidence of a systemic vulnerability, he said. Perhaps, Warner added, firms would need some limited liability protection for divulging information about third parties.

Others who spoke at the hearing suggested that, instead of victim companies reporting, it should be up to “first responders” such as technology firms or firms doing incident response. It was also suggested that reporting should only be done in confidence.

The SolarWinds Orion attackers, believed by the U.S. to be from Russia, compromised the Orion software update build process to insert a backdoor. After some 18,000 organizations downloaded that update, the attackers infiltrated about 100 American organizations and nine government departments to gather intelligence and steal data.

One of those victim organizations is FireEye. After realizing the source of its attack was Orion, it warned SolarWinds and both spread the word to customers, the public and U.S. agencies. However, neither firm was obliged to tell Washington. That was one central issue at the hearing: Had it not been for FireEye, no one would have known how widespread the attack was. That’s why Warner and other senators wanted to know if it was time for mandatory breach notification to the government.

Is it time to notify the government about breaches?

Yes, according to Microsoft president Brad Smith.

He said many cybersecurity vendors and U.S. agencies have “slices” of information on breaches of security controls. “We need to enhance the sharing of threat intelligence. It is time to impose in an appropriate manner some kind of notification obligation on entities in the private sector … It’s the only way we’re going to protect the country, to protect the world.”

Smith even predicted the country would find a “way forward” when it comes to breach reporting “this year.”

He also stressed there should be incident “notification” and not detailed disclosure. “We should notify someone. We should notify a part of the U.S. government that would be responsible for aggregating threat intelligence and making sure that it is put to good use.”

He also said it was time for the U.S. and like-minded allies to say to other countries that attacks on security update mechanisms are “off-limits.”

How would this work in Canada?

While many firms in Canada have to report data breaches to the federal Office of the Privacy Commissioner (the OPC), especially when stolen personally identifiable data is involved, there are plenty of ways to sidestep reporting. If a breach of security controls doesn’t involve personal information, such as the attack on SolarWinds’ Orion network monitoring software, a firm isn’t obliged to report the incident to anyone; and even when personal information is involved, the firm only has to report if it believes there is a real risk of serious harm to victims.

Some organizations voluntarily report to the Canadian Centre for Cyber Security, which distributes alerts from vendors such as the latest available patches and mitigations. However, the centre doesn’t have the power to launch investigations of companies’ behaviours to detect wider patterns. The OPC does.

(This story has been updated from the original with comments from David Swan and Dave Masson)