
Should a Company Retaliate Against Cyberattacks?



Whether organizations should retaliate against attackers is an ongoing debate that resurfaces whenever a major breach occurs, such as the Sony breach or the WannaCry ransomware outbreak, among others. In those incidents, many called for hitting back, on the perception that only the technology industry has the means to go after the attackers and would do a better job than overburdened government agencies.

Legal Considerations

Today, organizations are not permitted to retaliate against perpetrators; unleashing so-called offensive security measures can trigger international incidents, even acts of war, if state actors are involved. Actions like these invite counter-retaliation by adversaries that can spiral out of control with devastating consequences. The Computer Fraud and Abuse Act (CFAA) in the United States and similar legislation in other nations make it illegal for individuals and organizations to access computer systems they do not own.

The Chief Information Security Officer and senior management should be well aware that the ability to attack anyone in reprisal with relative impunity no longer exists. We now face a proliferation of cyberweaponry, and it is Congress that has the constitutional authority to declare war, be it kinetic or cyber. Numerous countries have invested in offensive cyber weapons with impressive results.


For instance, the Russians and Chinese are masters of cyber attacks, regularly penetrating critical infrastructure both public and private. North Korea has significant cyber capabilities, as demonstrated by several Pyongyang-launched attacks that caused significant disruption to the South Korean economy, as well as by its orchestration of the Sony breach. Iran and its proxies provided perhaps the most striking example of a hostile government's ability to strike at the United States military: these actors penetrated the Marine Corps and Navy intranet via an unsecured public portal, and it took several months to eradicate the malware.


Companies should never consider going beyond their own network boundaries to attack perpetrators, whether by crashing their servers or by breaching them and deleting the stolen data. Most cybersecurity and legal experts advise against it, but individual lawmakers have differing opinions on how restrictive current regulations should be. For example, Georgia Congressman Tom Graves introduced the Active Cyber Defense Certainty Act (ACDC), which would allow victims of cyber attacks to infiltrate the perpetrators' systems to gather intelligence to share with law enforcement and to disrupt their activities. This bill is a terrible idea: it allows companies to retaliate against an adversary without government direction, which is no different from what the Russians are doing.



The Road Ahead

While most security executives are currently focused on reducing cyberattack risk, proposals to legalize retaliation by hacking back would encourage escalating cyber conflict. Executives who implicitly assume that offense is the best defense see offensive tactics as no different from defensive measures. However, they are not the same: the tools used in cyber defense, like encryption and network monitoring, bear almost no resemblance to the tools used to attack computers, such as botnets and phishing. While hackers use the latter tools for malicious reasons, cybersecurity professionals use them to find vulnerabilities. Legalizing hacking back would conflate those two domains and, in doing so, likely make it that much harder to distinguish between the good and bad actors.

Chief information security officers have, for decades, played a defensive role focused on security and protection. But in the world of risk management, the CISO's role is evolving from security expert to business strategist as new technologies and threats change the risk landscape daily. They can no longer hide behind technology; those who can align security efforts with the business strategy and articulate the business justification will be successful.


Organizations are now turning to a more holistic, risk management-based approach to privacy and security, and security executives are expected to lead in these new directions. The CISO's reporting structure is also changing: several now report to both the CIO and the Chief Risk Officer or the Chief Compliance Officer, and some expect that in the future CISOs may not report up through the CIO at all.


The shift from guardianship to governance creates tension with legal teams, which are concerned that documented decisions about known risks can remove plausible deniability when security incidents do occur. Absolute security is not a compliance requirement; specific regulations instead require organizations to assess risk and document the rationale behind their responses. Most legal teams consider that unaddressed risk leaves the organization open to liability in case of an incident. Addressing these legal dangers requires communication and close collaboration between the CISO's team and the legal team to determine that the risk documentation is appropriate and adequate to protect the organization.

Comments

  1. Martin Murhammer, murhammer@at.ibm.com, August 15, 2018

    The question of whether or not to retaliate against cyber attackers arises only once organizations are capable of detecting cyber attacks in the first place. I would argue that most organizations today still have difficulty in that department, so retaliation is not on their agenda for a while.
    To draw a legal analogy, going after a burglar or thief amounts to taking the law into one's own hands, which is not acceptable under modern codes of law. Why should cyber crime be treated differently? I agree that this would lead to uncontrollable escalations and a dangerous blur between being a victim of real attacks or collateral damage of sprawling retaliation.
    Collecting evidence to aid law enforcement can be achieved using active defenses such as honeypots. One can learn a great deal about attackers and their methods that way without the need to retaliate. But again, this is considered an advanced capability that not many organizations are equipped with.
    On the other hand, if society contemplates abolishing government control over the monetary system via cryptocurrencies, would it not amount to thinking along the same lines if organizations no longer wish to hide behind the government to protect and defend them from cyber attacks? I guess we need to look at this from a wider angle and should be careful what we are wishing for.

  2. Thanks for sharing this post. Keep sharing more like this.