Cyber attack reporting rules must consider incident responders

Incidents like the ransomware attack on the Los Angeles Unified School District, or the Lapsus$ Group’s recent string of high-profile attacks on companies such as Nvidia, Ubisoft, and Samsung can last weeks on end and are often immensely stressful for the people working behind the scenes to regain control and investigate the issue.

An incident means crisis mode. Incident responders work around the clock to investigate the issue, while also sensitively managing communications with stakeholders. The term “easy” is not a word you will find in the job description of an incident responder. Their job is anything but easy and the pressure is only rising. In fact, a recent study conducted by IBM Security of 1,100 incident responders across the globe found that 68 percent of incident responders have been assigned to two or more overlapping incidents at once and, unsurprisingly, 67 percent report experiencing stress and anxiety.

There’s a growing volume of threats and only a finite number of incident responders; from 2020 to 2021 alone IBM’s X-Force’s Incident Response team reported a nearly 25 percent jump in the number of incidents reported. It’s clear that cyber incident responders — the professionals who are integral to keeping businesses, federal agencies, consumers and our nation secure — are under pressure, and it is not letting up anytime soon.

This is precisely why we need to support the humans behind the investigation — the people on the digital front lines tasked with stopping cyberattacks before they get out of control and cause harm to the public. One way to do that is by considering incident responders when creating cyber incident reporting rules.

The need for cybersecurity incident reporting rules is indisputable. The  Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), for example, is a big step forward for information sharing and enhanced visibility into the true impact of ransomware. We don’t know nearly enough about our ransomware adversaries and the true extent of their impact. Reporting rules can help fix that.

But we can’t ignore the impact that incident reporting legislation will have on responders. There are already multiple global regimes including India’s CERT-In incident reporting requirements and the Australian Cyber Security Center’s incident reporting rules and pending CIRCIA rules in the U.S. They each have different requirements from when to report to who to report to and what to report.

Responding to a cybersecurity incident is already extremely stressful — how will incident responders deal with the growing pressure of finding answers in time to report to the proper authorities? Federal reporting rules should be kept as simple as possible. Rules that are too prescriptive, or overly rigid, will lead to confusion, or reporting delays. Harmonizing is key here. We must make it as simple as possible for the defenders tasked with the investigation and resolution of an incident.

I think we can all agree that the job of an incident responder is anything but “easy,” so let’s not add to their difficulties. By keeping incident responders in mind when planning for potential incidents, and legislation, we can help reduce the stress of an incident on the frontline responders of today’s digital world. 

Charles Henderson is the global head of IBM X-Force, where he leads a global team of hackers, researchers, investigators and incident responders.