Why Many Cyberattacks are Never Reported
One might assume that all cyberattacks are documented, categorized, archived and otherwise maintained in some record for posterity. Given that there seems to be at least one in the news most weeks, it certainly would seem reasonable that there is a rigorous and public reporting process of some type.
But as the Wall Street Journal pointed out in an article this week titled “Why Some of the Worst Cyberattacks in Health Care Go Unreported”, not all cyber compromises are reported, even in healthcare where there is a regulatory framework and public website for reporting in place by the U.S. Department of Health and Human Services (DHHS) Office for Civil Rights (OCR).
So why is that the case? And why does it matter?
The Art of War: Using Economics to Defeat Cyber Crime
It appears that at least part of the reason that cyber incidents have been going unreported is because of a trend this past year or so towards incidents that are perpetrated using ransomware. Ransomware is a “type of software that locks away data until victims pay a ransom” according to the Wall Street Journal.
In such cases, it would seem that organizations that are targeted in these attacks are coming to a determination, presumably based on the facts and on legal advice, that these incidents do not represent a data breach and therefore do not require the same type of notification of individuals and regulators that is required in the case of a data breach.
This highlights a very important fact in the cyber incident realm: while many cyber incidents occur, in which an organization’s systems may be attacked by malicious actors from virtually anywhere in the world, only those incidents that meet specific criteria are then considered data breaches. This “incident” vs. “breach” dichotomy may seem like splitting hairs, but it is very important, because it is the basis for whether a cyberattack will become public or not.
And so then, why does this matter? Lawmakers are arguing that greater disclosure is needed to ultimately find ways to better protect individuals. In the case of health systems targeted by ransomware attacks, Congressman Ted Lieu of California argues that “regulators can’t protect patient safety if they are unaware when hospital medical records are held for ransom.” And oddly enough, it is specifically in healthcare where the most rigorous and well defined cyber incident reporting standards are now in place. In other industries, a much larger proportion of attacks stay under the radar because they are subject to state laws rather than an all-encompassing federal law and regulatory authority.
Privacy attorneys are far better versed in the details of how and why cyber incidents involving ransomware may in some cases be considered a data breach and in other cases not. But while organizations may be following the laws and regulations that govern their reporting of cyber incidents classified as data breaches, the level of underreporting remains high simply because there is no requirement to report cyberattacks that fall outside that classification.
As noted in the Wall Street Journal article, “WannaCry [a recent strain of ransomware malware] ‘highlighted the disturbing reality that the true state of cybersecurity risk in this section [healthcare] is underreported by order of magnitude,’ Leo Scanlon, deputy chief information security officer for HHS, said during a U.S. House hearing on cybersecurity this month.”
With luck, this emerging dialog on the underreporting of cyber incidents will continue and lead to a way to ensure more consistent and complete reporting standards for attacks. It would seem that we’re still in the early innings of what is increasingly described as a cyberwar, one where many of the bad actors can be anywhere in the world and outside the reach of our justice system, so we had better hunker down for a long, drawn-out ballgame.