Respond to the following two peer discussion posts with a minimum of 100 words each.
1. Yes, I think separating “cyber incidents” from “significant cyber incidents” is a good idea. Furthermore, there is a clear, tangible distinction between the two.
A “cyber incident” might be one that results in the loss of data, such as a breach that results in the theft of employee PII. Yes, employees will be inconvenienced and they will need to enable credit or identity monitoring, maybe change some passwords, etc., but there has not been a significant impact on society or national security. I feel for the employee(s), but that’s a narrow impact.
A “significant cyber incident”, however, has a tangible, realized effect on society. As I write this post on May 12, 2021, the United States is currently undergoing a crisis due to a ransomware attack on Colonial Pipeline (I also posted in the Article Blogs about this). I would classify this as a significant cyber incident. This digital attack is impacting our way of life and the economy; if citizens are unable to get to work or military forces are unable to mobilize due to a shortage of fuel, then this attack has had both a digital and kinetic effect on life, and should be handled accordingly.
Due to their impact, reach, and involvement of multiple agencies, I think it’s appropriate that significant incidents are handled differently with a coordinated response and agencies in charge of the various elements of incident response. There could certainly be an alternate argument that “too many chefs in the kitchen” may not yield success, but due to the way government functions, this is a necessity for effective federal incident response.
2. I can speak from both personal and theoretical experience on this topic. In years past, many private entities have developed a “sour taste” about the federal government and law enforcement regarding cybersecurity and cyber incidents. The government has often been regarded as slow to assist, likely because they are overburdened with ongoing cases. For example, I have worked on incidents where, after the local FBI office was notified, an agent came to talk to the organization the following week – this is often perceived as too slow a timeframe, as many incident responses occur over a matter of days. In that same case, by the time the FBI met with us, the organization had already initiated remediation and had kicked out the attacker.
Another reason is that the federal government is often (and correctly, I might add!) perceived as a “one-way” information street. Law enforcement agencies are happy to collect data and intelligence, but they seldom provide back as much as they receive due to confidentiality reasons. In many cases, it is completely unidirectional. While this data collection helps law enforcement build massive, long-term cases and issue indictments, it does little to ease the pains of a private entity currently undergoing a cyber incident.
Finally, and this is more theoretical than personal, some organizations do not want to involve the government because they fear that news of the breach will leak or that they will lose the ability to control the narrative. The most important part of managing a public data breach is managing the story. While I disagree with this, some organizations feel it is best to provide as little information as possible. This means keeping the investigation limited to as few parties as possible and attempting to sweep findings under the rug. Again, I am afraid I disagree with this, but it is a mindset that I have observed before. I hope this perception disappears, as the federal government and law enforcement agencies are significantly more useful than not.