NTSC Blog

Privacy and Posture Pressures for CISOs: A Recap of the NTSC Southeast Regional CISO Policy Roundtable

Privacy and Posture Pressures for CISOs: A Recap of the NTSC Southeast Regional CISO Policy Roundtable

In the wake of GDPR and the California Consumer Privacy Act, many CISOs have grown especially concerned about a wave of privacy regulations that may impact their businesses. GDPR has already affected global data privacy standards, and California may encourage other states to enact similar laws. If absent of deliberation, forethought, and input from CISOs, this privacy legislation wave may stumble and fail to protect consumers despite good intentions from lawmakers.

Also, “hacking back” seems to currently enjoy greater support among businesses and legislators who may not understand its negative implications or consider a wider strategy of active cyber defense. But as the federal government takes steps to create a more aggressive security posture toward nation state adversaries in cyberspace, many CISOs have questions about the advantages and risks of active cyber defense.

These issues were discussed at the most recent Southeast Regional CISO Policy Roundtable (hosted by NTSC Board Member Bob Varnadoe, Chief Information Security Officer of NCR) that featured two presentations:

  • Cybersecurity and Data Protection Privacy Trends” presented by Alexander M. White, Deputy Chief Privacy Officer for the state of South Carolina and Robert Ball, Chief Privacy Officer at Ionic Security
  • Active Cyber Defense for Private Sector CISOs” presented by Geoff Hancock, CEO of the Advanced Cybersecurity Group and Chad Hunt, Supervisory Special Agent from the Atlanta office of the FBI

Cybersecurity and Data Protection Privacy Trends

White and Ball started off the discussion by outlining trends with GDPR and the California Consumer Privacy Act. While GDPR was thought out over many years, the speed of the California Consumer Privacy Act’s passage concerned many attendees who feel that federal and state laws are seeking to punish rather than help businesses.

For example, attendees talked about the statutory damages associated with the California Consumer Privacy Act. Unlike data breach laws that require a demonstration of “harm,” companies can get sued for $7,500 per violation. What if a company has 130 million customers and suffers a data breach? The California law could easily put them out of business. Attendees discussed some fairer legal requirements such as complying to a national set of cybersecurity standards (such as NIST standards), undergoing audits, and receiving safe harbor if they pass those audits—similar to how doctors receive legal protection for demonstrating a specific standard of care.

CISOs were concerned about scaling privacy protection alongside higher enforcement standards. Laws and regulations often focus too much on compliance without understanding a CISO’s operational burdens. Attendees said businesses are getting “crushed” operationally while also seeing higher compliance costs. Data privacy enforcement seems to focus on crushing financial and legal punishments for businesses instead of asking, “How can we help businesses be successful?”

New privacy laws and regulations are also causing businesses to clarify the roles of teams. What parts of privacy do business, legal, and IT teams own? What is the role of the CIO, CISO, and Chief Risk Officer? How do you demonstrate that you’re securing your company?

Many privacy bills and regulatory efforts go nowhere each year, but success now seems more likely. Unfortunately, legislators are not often fully informed about privacy and they are not usually receiving briefings from CISOs. This is where the NTSC can help educate lawmakers about the concerns of businesses and offer some alternatives to a punishment mindset.

Attendees noted it’s also important for CISOs to step in and offer some sensible laws and regulations. Otherwise, lawmakers often support a punishment mindset because they believe businesses won’t act until they feel pain. A perception exists that if stocks are not affected and companies don’t feel financial pain, then they won’t be incentivized to protect information.

Active Cyber Defense for Private Sector CISOs

Expanding upon discussion at the NTSC National CISO Policy Conference, Hancock and Hunt noted how hacking back becomes more popular while businesses lack an understanding about the more nuanced strategy of active cyber defense. This frustration from businesses is real considering the severity of many recent data breaches. Attendees pointed out several areas where businesses become frustrated:

  • Knowing what they can and can’t do. Even the Active Cyber Defense Certainty Act, which was introduced by Congressman Tom Graves (R-GA) and calls for a revision to the Computer Fraud and Abuse Act to allow for a more aggressive response by CISOs towards cyber adversaries, does not provide a clear definition of hacking back. Significant legal risks emerge if an incident happens because of hacking back.
  • Getting the right information to help them act. Attendees pointed out the historical problems of public-private threat intelligence sharing that we’ve detailed in many past posts.
  • Working through the legality of accessing information. If a company is in dialogue with the FBI, general counsel needs to become involved—slowing down the process of responding to a threat actor. Legal issues also grow complicated with areas such as decoy data, unauthorized access to data (which is a crime), and introducing evidence received from a third party through a hack back.

Hacking back also becomes dangerous when companies probe the dark web trying to find information or criminals. On the dark web, criminals are often only accessed by reputation. Creating fake personas to infiltrate their world must be handled with expertise that companies may lack. And just finding your stolen data on the dark web doesn’t tell you much—similar to a pawn shop presenting stolen wares.

Rather than focus on hacking back, active cyber defense is a strategy that helps an organization become more proactive in combatting cyber threat actors and involves a strong public-private sector partnership. The amount of data needed to identity threat actors can grow voluminous and take unexpected left turns the more you analyze it. Very large companies often have the expertise to analyze this data, but it’s good—no matter a company’s size—to work with the FBI as part of an active cyber defense strategy. Many attendees asked about the kinds of incidents they should report to the FBI, and how.

It’s important for companies to develop an active cyber defense program because hackers have no constraints. They will try and try and try until they succeed. As a result, the public and private sector need to share information more quickly. Hackers are even targeting boards and CEOs with more frequency.

Looking at the wider issue of national cyber deterrence, attendees asked, “If a nation state attacks a business, will the government defend it? At what point is a private sector intrusion an attack on the United States? Does trolling critical infrastructure count as such an attack?” Some attendees predicted that we’re going to see more connections between cyber and kinetic events in the future. From a policy perspective, getting legal authority from the FBI takes a long time. That tempts companies to speed up the process of retaliation by hacking back. The NTSC can help argue for legislation that promotes the principles of active cyber defense, offers definitions and legal boundaries, and encourages a stronger, more supportive public-private sector partnership.

---

The National Technology Security Coalition (NTSC) provides a platform for CISOs to advocate for beneficial legislative and regulatory cybersecurity policies. Interested in adding your voice to the national cybersecurity dialogue as a CISO, sponsor, or contributing expert? Check out our events calendar for upcoming roundtables, learn more about the NTSC, and contact us about ways you can contribute.