Cybersecurity and Deterrence

The Equifax Breach: Getting From Talk to Organized Response

By Rebekah Lewis
Friday, September 29, 2017, 9:03 AM

Lawmakers and cybersecurity experts weighing in on the Equifax breach face several important jobs: figuring out not only what went wrong and how to fix it but also talking about the problem in a more consistent, accessible and productive way. Tech experts and government officials have long stressed the need to discuss cybersecurity in a common language, one that can be understood by people with different perspectives and vastly different levels of familiarity with “cyber” issues. Many have pointed to the Cybersecurity Framework, developed by the National Institute of Standards and Technology, as a largely untapped potential foundation for such a common language. But most still fail to speak in those terms when discussing high-profile incidents.

The Equifax breach presents a significant opportunity to use the structure provided by the Cybersecurity Framework. To start, lawmakers and experts should frame official statements and calls to action in terms of the framework. Doing so could galvanize efforts around specific areas of improvement while simultaneously providing a more accessible and organized way for citizens to understand the issues and potential paths to solutions. In contrast, failure to find and use a common language is likely to perpetuate the duplicative, inefficient and largely uncoordinated efforts to improve cybersecurity on a broad scale that exist today.

The Cybersecurity Framework was first published in 2014, and a proposed revision was made available for public comment early this year. It represents a broad consensus, based on input from thousands of practitioners, academics, government representatives and private citizens, around five focus areas—or core functions—for managing cybersecurity risk:

  • Identify (understand your own organization and the relevant threats);
  • Protect (implement appropriate safeguards);
  • Detect (implement ways to discover an event);
  • Respond (take action regarding a detected event); and
  • Recover (plan for resilience and restoration).

The framework breaks those five functions into detailed categories and subcategories, linking each subcategory to specific standards, guidelines and practices that help organizations understand how they might achieve certain outcomes. The full version of the Cybersecurity Framework is available here.

So what would it mean to use the framework as a common language? For one, when lawmakers call for investigations and inquiries, they should pose their questions in terms of the framework.

For example, Democrats on the House Energy and Commerce Committee recently asked Equifax a variety of questions regarding the breach. The queries revealed alarming facts, and they ranged widely, touching on website application vulnerabilities and even the arbitration clause in Equifax’s terms of use.

Without changing the substance of these inquiries, lawmakers could significantly increase their potential impact by organizing them in terms of the framework’s key elements. Consider this example from the committee letter:

3. Why were the Equifax network operations and security staff unaware that volumes of data involving 143 million U.S. consumers had been exfiltrated from the Equifax network for so long? Does Equifax regularly monitor for intrusions into its network? Was it conducting regular monitoring during the time of the breach?

That would read far more effectively if it said:

The Cybersecurity Framework’s Detect (DE) function relates to the implementation of appropriate activities to enable the timely discovery of cybersecurity events. Within it are three relevant categories: Anomalies and Events (DE.AE), Security Continuous Monitoring (DE.CM) and Detection Processes (DE.DP).

In this case, Equifax network operations and security staff were reportedly unaware for months that volumes of data involving 143 million U.S. consumers had been exfiltrated from the Equifax network.

  1. Anomalies and Events:
    • What actions does Equifax take to detect abnormal behavior on its networks in a timely manner?
  2. Security Continuous Monitoring:
    • Does Equifax regularly monitor its networks for anomalies and intrusions?
    • Was Equifax conducting regular monitoring during the time of the breach?
    • Are Equifax’s monitoring capabilities designed to ensure the detection of malicious code?
    • How often does Equifax scan for vulnerabilities?
  3. Detection Processes:
    • What processes has Equifax established to maintain and test its detection capabilities?
    • Has Equifax established clear roles and responsibilities to ensure accountability for detection of incidents?

The framework could be cited in commentaries, interviews, roundtables and panels that cover related issues: Did Equifax wait too long to notify the public? This might fall under the Respond or Recover functions and the category of Communications within each. If the issue is training, then frame questions by referencing the Protect function’s Awareness and Training subsets: Did Equifax properly train all of its employees? Did senior executives and information security personnel understand their roles and responsibilities?

Organizing discussion this way has several potential benefits. More conversation in the framework terms would help educate the public that such a consensus-based structure exists and highlight the common language it facilitates. Greater awareness and adoption of that common language, in turn, increases the benefit of having the framework, and it also makes demands made in that context more accessible and potentially impactful.

Using the functions, categories and subcategories of the framework as tags would help flag and aggregate questions and solutions related to specific areas of inquiry. Using these tags could facilitate more focused and productive follow-on discussions and investigations that can home in on narrow and common issues, rather than repeating a broad range of idiosyncratic questions every time there is a high-profile incident.

These issue-specific discussions could draw upon documents and commentaries that have been similarly tagged or compare and contrast various calls for action. Being able to aggregate, compare and contrast at a more granular level would empower the public and its leaders to make determinations about which key functions, categories, subcategories and references require additional research, incentives, regulation or coordination.

Another benefit of using the framework is that use improves it. Aligning questions and issues with specific framework functions and categories is more art than science and could be the subject of considerable debate. The flexibility that makes the framework appealing is also cited as one of its greatest shortcomings—it does not provide sufficient detail and practical guidance to facilitate universal implementation. By using the framework in the context of actual incidents, lawmakers and experts can directly contribute to refinements that could make the framework even more actionable. Society would reap the benefits the framework offers in its current form while helping it become a more practical and effective tool for the future. This refinement can happen only if the framework is used—especially when the stakes are high. The investigation of a major cybersecurity incident affecting millions of Americans and foreign citizens is such a time.

For lawmakers looking to satisfy panicked and frustrated constituents, casting their calls for action in framework terms would illustrate that their demands are focused on finding solutions to specific problems. And educating the public about the common framework—its five functions, categories and subcategories—may help reduce reflexive panic when cyber issues arise.

For cybersecurity experts, using the framework as a common language and organizer would focus the cacophony of opinions and recommendations on specific topics of inquiry, research and improvement. In addition to bolstering the framework’s credibility, it could also increase the credibility of those that use it. Experts who ignore or downplay this tool may look like they’re more interested in profiting from the frenzy of cyber breaches; perpetuating an alarmist and disorganized discussion about cybersecurity could border on a certain willful negligence. People serious about devising improvements and solutions should be interested in empowering the general public through education, including by speaking in terms of a common framework.

In addition, using the Cybersecurity Framework as a common language will serve the interests of both sides of the regulation debate – those who believe more and better regulation is needed to improve cybersecurity, and those who favor a more market-based approach. For those in favor of regulation, more use of the framework may help to provide the basis of a regulatory standard by further developing and refining it as well as by promoting wider adoption; a variety of organizations from the tech industry, to academia and government, are already using the framework and President Trump made framework adoption mandatory for executive agencies in an executive order earlier this year. For those concerned about the prospect of additional regulation, the framework may present one of the final opportunities for industry to engage in meaningful self-policing. Actually using the framework to help demonstrate sufficient progress toward practical solutions would build the case against government interference. For either side of this debate, widespread adoption and support of the framework is an important step in testing the theory that the market can or cannot provide a workable solution.

Using the Cybersecurity Framework as context for discussion of major breaches and other incidents may seem like a small step. It’s not sexy, and it won’t enrich any particular group or industry. But it is a step that can be taken collectively, right now, to leverage the collaborative work that has been done and focus attention on specific issues in a more coherent way.

Given that there is no “silver bullet” when it comes to cybersecurity issues and protections, perhaps the best path forward involves shifting some attention away from the search for “right” answers and toward executing a common plan.