Robert Knake

Rob Knake is a senior fellow at the Council on Foreign Relations and a non-resident fellow at Harvard’s Belfer Center for Science and International Affairs. He is also an advisor to SecurityScorecard. Knake served from 2011 to 2015 as Director for Cybersecurity Policy at the National Security Council.

EXPERT PERSPECTIVE – Senator Mark Warner, the Chairman of the Senate Select Committee on Intelligence, told The Cipher Brief’s Cybersecurity Summit on Wednesday that more needs to be done to ensure that companies that find themselves the victims of a cyberattack disclose the information quickly in order to head off a potentially wider breach. I have a suggestion: don’t encourage; mandate.

We are well past the time where voluntary measures by private companies can be relied upon for the security of our nation. As well intentioned as most Americans are on an individual basis, corporate interests reasonably and justifiably run counter to publicly or privately shedding light on negative information about them.

In 2015, Congress passed the Cybersecurity Information Sharing Act to remove fears that sharing information on cyber threats and incidents could lead to liability. Thanks to that legislation, no company today should have any concern that sharing information on cyber threats with another company or a government agency will result in legal peril. And yet, despite these protections, there has been no flood of sharing pouring out of the private sector.

That’s because legal liability was never a barrier to disclosure. Now, many in the policy community are focused on how to provide “incentives” to share. The big one the lawyers want is some form of immunity – albeit vague – wherein sharing details on a cyber incident would somehow absolve companies of any responsibility. That might incentivize sharing but would disincentivize investment to prevent incidents.

Instead, the Securities & Exchange Commission (SEC) should take the initiative to tighten requirements for disclosures so that they are made routinely and without a slow and cumbersome legal review. If the SEC fails to act, Congress should mandate that they do so.

Disclosure requirements should be tightened with the intent of providing investors a useful understanding of the cyber risks public companies face and what companies are doing to manage that risk. A new report commissioned by the ratings firm SecurityScorecard (where I am an advisor) and the National Association of Corporate Directors, found that public company cyber disclosures are failing to do that.

The report found that most disclosures were both vague on risks and on protective measures. One of the better disclosures the report highlighted was that a company, operating in the technology industry must “… provide security tools such as firewalls and anti-virus software…” If there are any publicly traded companies that are not deploying firewalls and anti-virus, our state of cyber insecurity is worse than anyone imagined. This level of detail does not provide meaningful information to investors.

Meaningful disclosures would involve tightening requirements on what type of incidents must be disclosed, the investments made to prevent them, and the overall success of the security program.

First, it should require that any loss of intellectual property be disclosed. Today, companies go to great lengths to conclude that the loss of intellectual property to cyber thieves was not material in order to avoid disclosure. Thus, we are left with the seeming incongruity of being told that cyber theft of economic espionage represents the greatest wealth transfer in history, and yet there are very few publicly known instances where companies have divulged that IP theft actually had a material impact on their business.

Instead of allowing companies to decide what is and is not material, the SEC should create rules that would mandate disclosure of these losses and then let investors decide what is material and what isn’t, to the company’s future prospects.

Recognizing that even the best protected companies may fall victim to persistent adversaries, the SEC should also mandate annual reporting in a separate stand-alone report on a set of metrics on company cybersecurity programs.