Caute_cautim
Community Champion

Should software breaches have mandatory reporting?

Hi All

 

Interesting piece from CrowdStrike advocating that software breaches should have mandatory disclosure and reporting. What do you say?

 

https://redmondmag.com/articles/2021/02/26/crowdstrike-active-directory-structural-problems.aspx

 

Regards

 

Caute_cautim

 

 

2 Replies
denbesten
Community Champion

Re: Should software breaches have mandatory reporting?

In much of the world we already have mandatory reporting if a breach results in disclosure of private information. I think the more focused question is whether other scenarios are "important" enough to justify additional laws. In the SolarWinds disclosure (which inspired the article), I saw two "important" bits: a captivating story with politics, intrigue, and drama; and also an urgency to mitigate. Of these, I feel "mitigation" probably ought to be legally mandated, but "outing the story" is probably better left to other venues (e.g. the news media).

 

Thinking about how to leverage our legal systems, I would probably extend product recall laws to include PII. And just like the physical world, neither "agreements" nor "product lifecycle" should shield applicability. The prototypical example being Takata, whose airbags were spraying shrapnel. Even my 12-year-old car got a "no-cost-to-me" replacement. The same should apply to a software defect that poses a significant risk to life, safety or PII.

 

 

tmekelburg1
Contributor III

Re: Should software breaches have mandatory reporting?

I think most people would agree with mandatory reporting and with what @denbesten said about a lot of organizations already being under mandatory reporting requirements. I'm assuming the intent of the new law would be to provide better insight into the overall threat landscape, and to be effective it would require reporting of almost every security incident, not just breaches of regulated data.

 

It would certainly be good business for cybersecurity firms and anyone working in cyber for the foreseeable future. I'm a little skeptical about the job skills shortage for SOC Analysts and Engineers, but I have no doubt we would have a massive shortage in more specialized roles such as Incident Responders/Handlers, Forensic Analysts, and Cyber Intel Analysts to put it all together if we were to implement sweeping mandatory reporting regulations.

 

The better question might be how that would work if your organization didn't fall in the mandatory reporting bucket. 

 

U.S. Senate Select Committee on Intelligence