While many have long viewed the digital space as a Wild West, cybersecurity and data breach regulations have existed for more than 15 years. Today, a host of new regulations, standards and frameworks is becoming the norm for organizations big and small, meaning that the pixelated sun is slowly setting on the old idea of a cyber Wild West. A new era has long been developing; one with greater legal and regulatory requirements, such as the General Data Protection Regulation (GDPR), which governs access to data and the rights of users and is changing the way the world views data privacy.
In addition to the laws and regulations already in place, new policies are helping to build a law enforcement foundation that can mature the world’s ability to fight and deter cybercrime, protect data privacy and create transparency in data use. But this changing landscape also has security implications, including how security teams respond to data breaches, the potential cost of a data breach and the increasing complexity of compliance across different parts of the world.
IBM X-Force Incident Response and Intelligence Services (IRIS), a team of global responders, has been observing the implications of the evolving regulatory landscape firsthand as it works to help organizations respond and recover from cyberattacks. Let’s dive deeper into some of the issues and look at what organizations can do to remain compliant in an ever-evolving regulatory landscape.
When the West Was Won
For many years now, state, federal, and international laws and regulations have been rolling into town, bringing new standards for handling, processing and safely storing consumer data. Meanwhile, back at the ranch, nation-states have been defining their own meaning of sovereignty over data and how the internet is accessed from their respective lands. Carving up the old open net, some have chosen to corral their citizens through seemingly independent yet locally controlled internets, fenced behind Great Firewalls and National Information Networks.
For those wearing the proverbial white hat — security practitioners, net defenders and threat hunters — the challenge of defending the homestead as threats rise in scale and sophistication requires an evolution in tactics as new data privacy considerations, such as the right to be forgotten, initiate changes to the ways threat intelligence is gathered and analyzed — e.g., changes to the WHOIS database.
Industries cannot afford to close the shutters and wait until the shootout has passed. As policymakers continue to introduce legislation to build confidence and create accountability through enforceable, rule-based norms, organizations must identify methods to achieve compliance and new ways to respond to the ever-increasing number of threats.
So Far, So Good…
From plane tickets and appliances to potstickers, posters and insurance plans, consumers are increasingly adopting e-commerce as the platform of choice for conducting everyday transactions. As vendors look to increase sales, personalize user experiences and reduce costs, processing power and connectivity are expanding. Online retail sales will account for 13 percent of global retail by 2020, or $3.8 trillion out of a global retail market of nearly $30 trillion, according to Juniper Research. Even the industrial sector is undergoing its third revolution, digitizing and connecting its processes, which can open up the floodgates to a trillion dollar opportunity for industrial organizations.
To capture the value of this gold rush, organizations must have access to a seamless, stable and redundant internet-connected environment. But with errant bullets such as NotPetya piercing civilian targets to the tune of $11 billion worth of damage, state-sponsored threat actors jacking up banks, and international criminals silently sneaking off with hundreds of thousands of transaction records at the checkout page, the information security industry must be equipped to help fortify digital wagon trains by prioritizing risk readiness.
While the costs may vary by scale, scope and geography, no matter where the local sheriff gets shot within the cybersphere, the event can trigger a cascade of global consequences within a complex regulatory framework that may span a number of different jurisdictions. The proliferation of independent and divergent approaches to cybersecurity can easily present multiple hurdles when the time comes for incident response.
Bushwhacked and Breached
To illustrate the potential impact of an environment where regulatory, legal and security policy frameworks differ, let’s consider the case of a hypothetical corporation called RangerTech Solutions Inc.
Headquartered on the corner of Texas and Norris Streets in New York City, RangerTech’s premier smart mobility application, RoundHaus, currently supports several major smart cities far east and west of the Mississippi. The application is currently part of a potential $70 billion internet of things (IoT) opportunity.
Users of RoundHaus must provide identity and payment card data to use the application, and the data is then stored on RangerTech’s on-premises servers. The vast amount of personally identifiable information (PII) and financial data collected using RoundHaus makes the company a highly lucrative target to cybercriminals aiming to steal and sell the stolen data on illegal marketplaces. State-sponsored adversaries are also interested in RangerTech and might be hoping to potentially monitor them as a strategic rival and/or gain a foothold that could grant them a competitive advantage or even give them access to RangerTech’s proprietary information.
In our tale, the worst happens. Using a web server vulnerability, a malicious actor gains access to RangerTech systems and, ultimately, to RangerTech data. While RangerTech is an American company, it also supports customers in Europe and collects the data of European Union (EU) citizens. Per Article 94 of the General Data Protection Regulation (GDPR), this means that RangerTech may be required to notify the regulatory authority of an incident affecting European residents’ data within 72 hours. Also, if following an investigation RangerTech is found to have failed to have enacted article 25 — “Data protection by design and by default” — the company could be subject to a penalty of up to 20 million euros or 4 percent of its global turnover.
Eager to get back in the saddle, RangerTech prudently kept an incident response team on retainer, which could save it an estimated $14 per compromised record, according to the “2018 Cost of a Data Breach Report,” adjusted from $170 per record within the information technology sector. Unfortunately, the IR team is based in North America, while the affected servers are based in the U.K. As the data controller, RangerTech has established procedures for notifying the users from which it collects data. However, the company has not established binding corporate rules (BCRs) or any other valid transfer mechanisms that would allow it to transfer personal information (PI) outside of the EU for analysis by the IR team. Without a valid transfer mechanism, RangerTech and its subprocessors, such as White Hat Remediation, are all bound by the GDPR requirement to keep EU PI and sensitive PI (SPI) within the EU.
Data Transfer Gone South
Data transfers come in many forms, including something as simple as pulling up PI or SPI to view on a screen. PI and SPI data may even be included in data sets gathered by common monitoring and threat detection tools. This can create potential issues for incident response teams looking to review and/or transfer this type of data without an exact understanding of the types of data included in any particular data set. Without a valid transfer mechanism in place, a non-EU IR team cannot transfer or view the potentially impacted data within the limited conditions needed to conduct the investigation. Establishing a transfer mechanism then becomes a top priority to send images and conduct remote forensics on affected company assets, since those assets likely contain PI and SPI.
Even once a valid mechanism is found to transfer the data outside the EU for analysis, there is another burr in the saddle with regards to the data. Current guidance from the EU indicates that even such common information as hostnames and IP addresses qualifies as PI and must be protected accordingly.
The RangerTech breach data almost certainly contains the PI of EU customers. Before parties from other parts of the globe (such as incident responders from North America) can even take a gander at the problem and begin to remediate, operations rein in to ensure the out-of-towners (anyone outside of the EU) are authorized to review the impacted data. While RangerTech wrestles with these issues, malicious actors continue to access and reside on RangerTech’s compromised systems, much to the detriment of the organization.
Hear Ye, Hear Ye
Amid the hurried talks and negotiations, ten-gallon hat in hand, the honest and unstudied RangerTech leadership goes on air to give a statement on the status of the breach. The next day after news of the breach is made public, the brand takes a hit. RangerTech’s stock price plummets, and its board of directors is flooded with questions from investors and shareholders.
If, as in the “Cost of a Data Breach” study, as much as 4 percent of RangerTech’s consumer base takes their business elsewhere, the company could lose up to $6 million due to reputational damage and potentially experience more losses down the line due to customer churn and lost business.
The Dust Settles
The whirlwind dies down, and RangerTech’s leadership looks deeper into its strategic plan to see how to cowboy up and move the company through remediation and forward. With their recent experience in hand, RangerTech’s lawyers carefully review the long list of regulations the company must follow, both in general and as a result of this breach.
In the U.S., all 50 states have now passed data breach notification laws. With RangerTech’s customers spread out across the country, the company must review the data breach notification statutes and policy regulations in every jurisdiction and examine the potentially disparate legal obligations. RangerTech must also consider any industry-specific regulations, such as the New York Department of Financial Services (NYDFS)’s Cybersecurity Regulation, which regulates financial institutions, the Department of Homeland Security (DHS)’s National Critical Functions list, and California’s Senate Bill No. 327.
Further Up Yonder
On a global level, RangerTech has been eyeing the Japanese market and hoping to be part of the multiple infrastructure projects associated with the upcoming 2020 Olympic and Paralympic Games being held in Tokyo. RangerTech knows that if it were to be chosen as a provider, it has a responsibility to not only ensure the “confidentiality, integrity, availability and safety of data,” but also guarantee the “swift restoration of service” in the event of a cyberattack. The Board starts to wonder: If RoundHaus did get hit by the likes of a new variant of the Mirai botnet, could it get back online in a “swift” manner? What would that incident response scenario look like as the team considers what would be required to comply with the Japanese Cybersecurity Policy for Critical Infrastructure Protection?
Multiple nations, including Russia and China, have also enacted national cybersecurity laws requiring practices such as data localization and mandatory access to company source code. These governments see these requirements as part of ensuring national security as an extension to state sovereignty. If RangerTech is currently looking or might someday want to expand into markets that have national cybersecurity laws in place, it will need to implement mechanisms to help it comply with the laws in these markets.
What Can You Do to Protect Your Range?
The winds of regulatory and legal requirements blow swift and dry as RangerTech navigates its compliance, incident response and disaster recovery plans as part of its business continuity and overall business goals both now and in the future.
What steps can organizations take to get this right? Below are some tips from the X-Force IRIS team.
1. Keep Your Eyes on the Horizon
Context is everything. Among the most important best practices is to incorporate an intelligence element into your company’s risk evaluation and readiness program. All threats have an origin, motives and capabilities. Your team’s intel element should be set to track the most relevant active threats to the organization and command an actionable knowledge of the tools, tactics and particular proclivities of an adversarial actors who would typically use them. Those that burglarize banks have a different planning process and kill kit than those who rob trains. This practice applies the current contextual operation space to cyber events and enables decision-makers to see what risks and opportunities may be around the next bend — and prepare to meet them.
2. Rough-Ride on the Range
There is no greater preparation for an emergency — short of the fires of trial itself — than a scenario-driven experience. From war games to fire drills, real-world immersive simulations that walk through each stage of a crisis are invaluable to executives and personnel who must appropriately react and respond when it counts. Each decision made during a cyber emergency, from tactical response down to strategic communication, has a very real impact on what’s left standing at the end of the day. Rough-ride on the cyber range or ride it out in real life — it’s your choice.
3. Review the Language
In addition to existing laws and regulations, new rules are rolling in like tumbleweeds. There needs to be a sustained conversation between the privacy folks, security teams and legal counsel about cybersecurity and risk. Ask yourself:
- Does existing contract language provide adequate coverage for the current operational environment?
- Is there a clause addressing user disclosure notification on data transfer, or does one need to be added?
- If a breach happens tomorrow, is the IR team poised to respond?
- Are there opportunities available for threat intelligence sharing that could make a difference in the big picture during and beyond this breach?
Security needs to be baked into the everyday workflow. Do you want your employees to react appropriately without hesitation when an incident occurs? Create a cybersecurity incident response plan (CSIRP) and give your employees a chance to practice. Drill regularly, and double on holidays. Employees need to know what to do next and who to contact if trouble comes knocking, and employers need a clear and referenceable plan and the opportunity to run it before a reality-forced response.
5. Consider Automation
According to the Ponemon Institute’s “Fourth Annual Study on the Cyber Resilient Organization,” in the last year, the adoption of automation and orchestration improved resilience by substantially increasing a company’s ability to detect (23 percent), prevent (16 percent), respond to (15 percent) and contain (25 percent) a cyberattack.
Blaze New Data Privacy Trails for Your Business
Regulators across the globe are focusing on the rapidly changing digital landscape and implementing laws and regulations designed to fence off predators and competitors. The old perception of the digital world as a place of free-range business practices is rapidly disappearing with the introduction of barbed wire to the formerly unregulated or lesser-regulated spaces, and we must all find new ways to safely traverse the altered environment.
By paying close attention to ever-changing threats and increasing regulation, conducting regular incident response drills, involving the legal and privacy teams in the day-to-day operations of the business, and implementing best practices and automation, you can help your organization address the changing cybersphere, survive hostile attacks and safely navigate new regulatory frameworks.