15 April 2018

Amend the SAFETY Act to cover state actor cyberattacks

BY ADAM ISLES

U.S. companies increasingly find themselves on the front lines of geopolitical conflicts waged in cyberspace by foreign actors. And yet, unlike the physical domain, there is no Customs & Border Protection, no Coast Guard or Air Force, to screen for bad actors seeking to come to this country to do harm. Rather, the role of detecting and responding to unauthorized cyber intrusions is left largely to overworked security teams across U.S. industry.

Cyber risk is not a new issue, and mechanisms to validate that companies have implemented relevant information security controls — such as Payment Card Industry Data Security Standards, processes for certifying compliance with ISO information security standards, and other standards — have been in place for years. Still, we continue to see large American companies, many of whom maintain these certifications, victimized by cyberattacks.

The nature of these attacks now extends beyond theft of personal data to disruption and destruction, as witnessed by last summer’s NotPetya ransomware attacks, which incapacitated production, logistics and shipping systems across the globe. A number of these attacks are carried out by foreign state actors. 

And the damage is real. FedEx reported a cumulative $400 million impact to 2017 earnings “primarily from loss of revenue due to decreased shipments” as well as associated remediation costs. Merck reported a cumulative $590 million 2017 loss (before insurance) based on impacts to its manufacturing, research and sales operations. Production shutdown caused the company to borrow from CDC’s vaccine stockpile. 

It’s tempting to say that defenses against state actors should be left to the U.S. government, but this ignores the very real operational business disruption that can occur in these attacks. We have seen a similar dynamic in the context of terrorism, whereby airlines, entertainment companies and other private-sector firms are basically pawns targeted by terrorist groups to achieve geopolitical objectives.

While there is no such thing as risk elimination, the federal government can provide incentives to bolster defenses — the topic of a congressional hearing on Wednesday. One such incentive is the Support Anti-Terrorism by Fostering Effective Technologies (SAFETY) Act, which was passed by Congress to encourage the development of anti-terrorism “technologies” — this term has been interpreted to include products, services and programs — by limiting liability related to the deployment of capabilities that could pass a meaningful government vetting process.

Over the years, proposals have been made to extend the SAFETY Act beyond terrorism to cyber incidents, most recently by Sen. Steve Daines(R-Mont.). These proposals have, in turn, been met with criticism that such an extension could distort market-driven solutions as well as the role of litigation in ensuring companies take reasonable steps to mitigate risks of reasonably foreseeable harms. There is a middle way forward: Extend the SAFETY Act to cover cyber incidents attributed by the U.S. government to a foreign state actor.

There is precedent for attribution to state actors: The U.S. government has formally attributed NotPetya to a state actor — Russia — as it did its earlier cousin, WannaCry, in that case to North Korea.

Defending against such attacks is possible; state actors often use commercially available hacking tools and expertise. Yet, existing information security standards — PCI, HITRUST, ISO — are not thought of as tools to address destructive cyberattack threat scenarios.

The vetting process at DHS is real: Applicants must prove to the SAFETY Act office that the capability in question offers substantial utility and effectiveness and is immediately available for use, among other factors.

In 2017, the U.S. Director of National Intelligence warned that destruction of critically important civilian infrastructure would become an increasing facet of modern warfare. We need investment from private-sector organizations in defending their own systems against these sorts of attacks. Amending the SAFETY Act to cover state actor-initiated cyberattacks would be a key mechanism for incentivizing that investment.

Adam Isles is a principal at The Chertoff Group, a security and risk-management advisory firm, and previously served as deputy chief of staff at the Department of Homeland Security (DHS), where he worked daily with the DHS secretary to coordinate department-wide operations. Before joining DHS, he worked in the Department of Justice, starting his legal career there as a trial attorney in its Criminal Division in 1997.

No comments: