Reporting rules for cyberattacks must consider incident responders

Incidents like the ransomware attack on the Los Angeles Unified School District or the recent series of high-profile attacks by the Lapsus$ group on companies such as Nvidia, Ubisoft, and Samsung can last for weeks and are often extremely stressful for the people working behind the scenes to regain control and investigate the problem.

An incident signifies a crisis mode. Incident responders work around the clock to investigate the issue, while sensitively managing communications with stakeholders. “Easy” is not a word you will find in an incident responder job description. Their job is anything but easy and the pressure is only mounting. In fact, a recent IBM Security study of 1,100 incident responders worldwide found that 68% of incident responders were assigned to two or more overlapping incidents at a time and, unsurprisingly, 67% report feeling stress and anxiety.

There is an increasing volume of threats and only a limited number of incident responders; from 2020 to 2021 alone, IBM’s X-Force incident response team reported an almost 25% increase in the number of reported incidents. It’s clear that cyber incident responders — the professionals who are integral to the security of businesses, federal agencies, consumers, and our nation — are under pressure, and it’s not going to stop any time soon.

This is precisely why we need to support the humans behind the investigation – the people on the digital frontlines tasked with stopping cyberattacks before they spiral out of control and cause harm to the public. One way to do this is to consider incident responders when creating cyber incident reporting rules.

The need for cybersecurity incident reporting rules is indisputable. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), for example, is a big step forward for information sharing and better visibility into the true impact of ransomware. We don’t know enough about our ransomware adversaries and the true extent of their impact. Reporting rules can help solve this problem.

But we cannot ignore the impact that incident reporting legislation will have on responders. There are several global regimes already in place, including India’s CERT-In incident reporting requirements and Australian Cyber Security Center incident reporting rules, and pending CIRCIA rules in the US.

Responding to a cybersecurity incident is already extremely stressful. How will responders deal with increasing pressure to find answers in time to report to the relevant authorities? Federal reporting rules should be as simple as possible. Rules that are too prescriptive or too rigid will lead to confusion or delays in reporting. Harmonization is the key here. We need to make it as simple as possible for defenders investigating and resolving an incident.

I think we can all agree that the job of an incident responder is anything but “easy”, so let’s not add to their difficulties. By keeping incident responders in mind when planning for potential incidents and legislation, we can help reduce the stress of an incident on frontline responders in today’s digital world.

Charles Henderson is the global head of IBM X-Force, where he leads a global team of hackers, researchers, investigators and incident responders.
