U.S. regulators would be wise to avoid legal action against U.S. companies who suffer data breaches because of the precedent such cases can set, former U.S. intelligence leaders said at a recent cybersecurity summit in Washington, D.C.
“[I do think] there is a whiff of activity here … our government is unable to punish the criminals but then spends a great deal of time beating up the victim when these sorts of things happen,” said former NSA Director Gen. Michael Hayden at a U.S. Chamber of Commerce event Tuesday.
Hayden’s comments come one day after Sen. Mark Warner, D-Va., released a statement calling on the Securities and Exchange Commission to “investigate whether Yahoo and its senior executives fulfilled their obligations to keep investors and the public informed.”
Warner claims that Yahoo did not comply with established federal laws that require companies to notify shareholders of “material events” within four days of an incident.
Additionally, a Senate cohort, including Sen. Patrick Leahy, D-Vt., Ron Wyden, D-Ore., and Elizabeth Warren, D-Mass., asked a number of questions related to the breach, including whether Yahoo had ever been warned by government officials of “possible hacking attempt[s] by state-sponsored hackers.” The company has attributed the loss of 500 million user records to a state-sponsored attack.
It remains unclear whether the FBI or a private forensic team is responsible for Yahoo’s claim that a nation-state actor is behind the breach. A former U.S. official with knowledge of the case tells Cyberscoop the Department of Homeland Security did not reach out to Yahoo to inform them of a potential state-sponsored cyberattack.
Hayden, former Congressman Mike Rogers and former NSA Deputy Director Chris Inglis cautioned Tuesday that decisive legal action against victimized companies may send mixed signals, potentially discouraging other private firms from sharing threat intelligence and data breach information with law enforcement and the intelligence community.
“You get ripped off by a nation state, you report through the SEC, it becomes public, and you now have lost company value as a result. Who wins? I’ll tell you who wins. It’s the nation state who went and did it in the first place,” said Rogers, who previously served as Chairman of the Permanent Select Committee on Intelligence.
Currently a CNN national security commentator and radio show host, Rogers said he opposes companies keeping breach incidents secret from customers, especially when confidential information may have been stolen.
Though a fine line may exist today between purposeful nondisclosure and negligence, Inglis believes a clear divide must exist when reviewing data breach cases in the future.
“I don’t think there’s one lane here,” said Inglis, who is now a venture capitalist with D.C.-based Paladin Capital Group. “In the airline transportation industry, there’s this practice of if there’s an accident whether it’s attributable to human error or material failure … You don’t try to find attributable fault, you just try to find out what happened and get it out to everyone so we can make the airplane safer or to stop that dangerous procedure. But that doesn’t stop the criminal or liability proceedings occurring in a different lane. I think we can bring something like that into this domain as well.”
Inglis’ suggestion may hold water, as breach disclosure regulation remains a nascent and convoluted process with conflicting equities always at play, Chris Roberts, a former security consultant and now chief security architect at Acalvio, told TheStreet.
Secretary of Commerce Penny Pritzker said at the same conference Tuesday that the government and private sector have a ways to go in the exchange of cyber threat information.
“Even as companies and agencies begin to speak the same language of cyber risk management, we are not yet having a truly candid, actionable conversation because we lack the legal support structure necessary to do so,” Pritzker said Tuesday. “The problem is that the relationships between regulators and the businesses they regulate are inherently adversarial.”
Standard breach disclosure policy varies greatly depending on the individual state laws that govern a victim company’s activities, said Ari Schwartz, a former senior director for cybersecurity on the National Security Council. Typically, an affected business will need to ask law enforcement whether it can notify customers.
“Except in extreme circumstances, law enforcement usually says that it is okay to do so,” explained Schwartz, currently a managing director of cybersecurity services for D.C.-based law firm Venable LLP.
It can also be challenging for lawyers to accurately define what exactly constitutes lost or compromised data in such cases, due to an absence of common policy and a lack of shared technical understanding between the court and the defendant.
There are cases, for example, in which private sector companies decline to report ransomware attacks because they believe that paying a hacker’s ransom puts them on par with deflecting a breach in its entirety, experts say.
“We have discovered that the majority of our private partners do not turn to law enforcement when they face an intrusion,” FBI Director James Comey said during a speech last month. “We know your primary concern is getting back to normal when you run any type of enterprise, especially a for-profit business. But we need to figure out who is behind that attack.”