There is a common assumption in the infosec community that enormous breaches like those at Equifax, Anthem, and Target are the new norm. That the next mega breach is simply a matter of time. This is because large companies loathe spending money on things that are not directly profitable like secure infrastructure or quality training for employees. Further, there isn’t really any external pressure on corporations to do better—so they won’t.
Some countries have recognized that these sorts of negative externalities cause significant public harm, and have sought to get ahead of the threat curve with cybersecurity legislation. Singapore currently has a comprehensive cybersecurity bill under consideration that is trying very hard to bring a bit of order to the wild west of technology threats. The bill is exhaustive in covering management of cyberthreats, so let's look at what it does well and what it does not do well.
- Appoints a national CISO. US cyberdefenses frequently suffer from an unclear chain of command, as well as competing for agency priorities. The buck needs to stop somewhere to mount an effective defense.
- Designates critical infrastructure. You cannot prioritize defenses for systems you aren’t looking at.
- Duty to report. This is a big one. Often fearful of liability, stock impact, or impact to reputation, corporations will often sit on cyberattack disclosure for months—sometimes until an executive can sell his company’s stock. Removing any ambiguity on when and how to report breaches gets everyone on the same page.
- Designates best standards and obliges companies to follow them. There's currently no consistent, agreed-upon best cybersecurity practices for companies to follow.
- Power to investigate and force remediation. In contrast to US defense contractors who handle critical infrastructure, were not obligated to report breaches until 2015, and to date have not lost any contracts due to loss of classified data, Singapore’s draft bill grants the authority for a cybersecurity officer to both investigate a critical infrastructure breach, and compel remediation along industry best practices.
- Licenses infosec corps. While this could be a little iffy in the implementation, holding companies that audit critical infrastructure to an agreed-upon standard benefits everyone. Infrastructure owners know precisely what services they are paying for, cybersecurity officials can judge the impact of standardized services more accurately, and no one has to deal with a Norse Corp.
The not so good
- Criminal sanctions for offenses. While seemingly a no-brainer, breaches are rarely due to a single individual’s malfeasance, and much more often the end result of a sick corporate process. A more effective deterrent would be fines leveled at the corporate level, and large enough to hurt. While an ineffective company can lose a handful of employees quite easily, they would feel the loss of a profit percentage much more acutely.
- Secrecy. Many sections within the bill contain provisions for non-disclosure and corresponding fines and imprisonment for anyone speaking out about a breach in a non-approved way. From a governance perspective, this makes sense. Singapore is deriving their authority to monitor critical infrastructure by classifying breaches as a security threat, and a classic belief of governments is that one does not speak publicly of security threats. Network threats are different. Configurations and applications used by a shipping company can have significant overlap with those used at non-critical corporations. Transparency and information sharing not only pressure a breached company to demonstrate an adequate remediation but also offer lessons learned that can keep hundreds of less critical organizations safe. Sunlight and sharing are proven methods for defenders to propagate best solutions to everyone.
What does it mean?Traditionally, information security has been viewed as the responsibility of individual companies, and not a particularly important one at that. Efforts of countries like Singapore to centralize cyberthreat defense and vulnerability remediation are an attempt to acknowledge the reality that breached infrastructure affects everyone. A hack might stay within an offshore drilling company, but the knock-on effects to shipping, trade, and the environment can create an impact on millions of citizens.
While the law has not traditionally been responsive to technology needs, that is gradually changing. With input from industry leaders and privacy advocates, technology law has the potential to change for our benefit.
Check out the full text of the bill here.