The TechnologIST: March 2023
Institute for Security and Technology (IST)
Uniting technology and policy leaders to create actionable solutions to emerging security challenges
Welcome back to the TechnologIST, IST's monthly newsletter highlighting major issues at the intersection of technology and security. I'm Sophia Mauro, Deputy Director of Strategic Communications, and in this month's edition, I'll be interviewing Elizabeth Posegate Vish, Senior Advisor for International Cyber Engagement, on the Cyber Incident Reporting Framework: Global Edition, exploring the latest news in cyber and defense, and sharing reading recommendations.
The following is a preview of our latest newsletter.
Cyber Incident Reporting Framework: Global Edition
Picture this: you’re a small or medium-sized enterprise. Your servers shut down, and suddenly you can’t get access to your systems; you’ve been hit by a ransomware attack. Do you report it? Are you required to report it? Even if not, would you consider doing so voluntarily?
In the immediate aftermath of a ransomware attack, some victims may be reluctant to report the attack to government cybersecurity authorities, in some cases because of bandwidth difficulties, or in other cases because they don't anticipate receiving meaningful assistance or are concerned that the government will take punitive actions. Yet as the Ransomware Task Force emphasized in its inaugural report, it’s crucial to do so. In an op-ed for The Hill, IST's Chief Strategy Officer Megan Stifel and Cyber Threat Alliance's President & CEO Michael Daniel make the case: “Absent broad, consistent data across many sectors from a wide variety of companies, neither the government nor the private sector can identify trends, understand the true impact of the problem, or develop effective policies.”
As part of IST’s work within its Future of Digital Security pillar, we not only recommended incident reporting, but also produced a framework to do so. The Cyber Incident Reporting Framework, released in November 2022, lays out a set of model reporting formats the Cybersecurity and Infrastructure Security Agency (CISA) could use as the foundation for cyber incident reporting.
Now, alongside partners across the globe, we are releasing a Cyber Incident Reporting Framework: Global Edition. To learn more, I sat down with Elizabeth Vish, IST’s Senior Advisor for International Cyber Engagement, who was a major force behind adapting this framework for a global audience.
Q: IST published a Cyber Incident Reporting Framework last November. What’s new in the Cyber Incident Reporting Framework: Global Edition?
A: “The original Cyber Incident Reporting Framework (CIRF), which we released in November of last year, was drafted in response to a specific request from the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. CISA sought input on how they could most effectively implement reporting requirements outlined in the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The November CIRF focused on the specific elements of how to transform those legislative requirements into practical and effective reporting practices.
After we published the U.S.-focused CIRF, we heard from partners abroad, including the Global Forum for Cyber Expertise, that similar guidance could be useful for governments and the multistakeholder community around the globe. In response, we took our original draft and asked what global audiences would find most useful.
I want to thank the members of the RTF, particularly those in the Ransomware Incident Response and International Engagement working groups, for their incredibly helpful input. They highlighted questions that global audiences would likely have and helped to place the framework into a broader context. As a result, the Cyber Incident Reporting Framework: Global Edition caters to a global audience, including by answering questions about what conditions should be in place to make a reporting mandate effective and by harmonizing suggested definitions with existing global regulations.”
Q: There’s a lot of debate out there about voluntary vs. mandatory reporting. What does the Framework have to say about this?
A: “This is definitely a hot debate; depending on their unique contexts, different stakeholders and governments have a variety of views. In the CIRF: Global Edition, we talk about some of the reasons why voluntary reporting is usually a good place to start. We also highlight the fact that mandatory reporting will only be helpful in contexts where the government has the bandwidth, technical expertise, and team in place ready to take the information reported and use it to enhance both private and public cybersecurity practices.
Some governments may want to start by using the principles in the reporting framework to enhance voluntary reporting. They could then build towards the trust and capacity that either makes mandatory reporting unnecessary, or towards a mandatory model once they’ve built the muscle memory to do incident response in a productive and collaborative way. As governments are thinking about their reporting structures, it is critical to engage in open and honest consultations with the entire multistakeholder community, from private industry and civil society to the technical and academic community.”
Q: Let’s imagine for a moment that this framework is adopted across the world, that all cyber incidents are reported to the correct authorities, and that we finally have a complete picture of the nature, scope, and frequency of cyber incidents globally. What changes? What are we able to do?
A: “Effective reporting gives network defenders and national cyber authorities a more complete picture of the threats faced by our digital systems. As a result, governments can use this data—once it’s anonymized—to share information with the cybersecurity technical community and network defenders of our most critical infrastructure. Working with strong information sharing ecosystems (e.g. national and sectoral CSIRTs), cybersecurity authorities and private industry are able to share information about threats within and between sectors and help network defenders to take the right mitigating actions.
Ultimately, we can use this data to address vulnerabilities at lightning speed, so that specific vulnerabilities or attack vectors only pose a threat for a very short period of time. In an ideal cyber incident reporting world, network defenders are able to shut down a lot of incidents before they become serious, thus reducing the threat to the global digital ecosystem. That means that people’s data is a lot more secure, and they can have confidence that the digital technology that we use on a daily basis is far less likely to be disrupted or compromised.”
“This guide to national cybersecurity incident reporting provides input to national cybersecurity authorities (NCAs) and legislative bodies as they consider implementing a range of mandates and voluntary reporting procedures for cybersecurity incidents.”
- Cyber Incident Reporting Framework: Global Edition
Latest Events and Publications
AI-NC3 Integration in an Adversarial Context: Strategic Stability Risks and Confidence Building Measures
Over the past year, the IST team has been working to examine the strategic stability risks posed by integrating AI technologies into nuclear command, control and communications systems across the globe. Report authors Alexa W., Andrew W. Reddie, PhD, Leah Walker, and Philip Reiner present a novel set of scaled confidence building measures, based on a range of levels of effort and international cooperation, that states could embrace.
IST Reviews the 2023 National Cybersecurity Strategy: Analysis and Next Steps
The IST cyber team notes 3 key priorities from the latest National Cybersecurity Strategy that have the potential to directly affect our work. Above all, they write, “implementation is critical.”
Technology, Warfare, and Russia’s Invasion of Ukraine: IST’s Anniversary Assessment
Prompted by the one-year anniversary of Russia’s invasion, IST experts took stock of the major tech trends the war in Ukraine has revealed, accelerated, and even redirected.
IST in the News
Will the Pentagon's cyber strategy address offensive cyber operations?
Megan Stifel tells DefenseOne that precise guidance on the rules for offensive cyber operations is needed, including "how much and how often, whether it's defending forward or other capabilities that DOD can bring to the table."
IST's Alice Friend moderates a conversation with DoD's Michael Horowitz
The two talked about the latest directive on autonomy in weapons systems, the role of emerging technologies, and the importance of responsible AI. Check out NextGov's recap.
Recommended Reading
Want more tech and security content? Check out some of the ISTeam's favorite pieces from the past month:
- Researchers say they have discovered a material that conducts electricity without resistance at ambient pressure & temperature conditions. With this breakthrough, are commercial superconductors—and even fusion—on the horizon?
- The Microsoft AI Security Red Team found that hackers could compromise AI systems using traditional software threats.
- Could artificial general intelligence benefit all of humanity? OpenAI articulates its guiding principles.
- 5G-enabled electric robots have been deployed to clean Singapore's rivers and even respond to emergencies.
- Chinese technology is giving Silicon Valley a run for its money.
The Institute for Security and Technology designs and advances solutions to the world’s toughest emerging security threats. It is a nonpartisan, nonprofit network based in the San Francisco Bay Area dedicated to solving critical international security challenges through better technology and policy. Donate today to support our mission.