
Homeland Security chief calls for federal breach reporting law

The Homeland Security head wants federal laws requiring data breach reporting and information sharing, but one expert warns that government officials need better understanding of infosec technology before creating such laws.

Jeh Johnson, U.S. Secretary of Homeland Security, said the top item on his wish list is a national data breach reporting law to replace the various state laws and the disparate rules within government agencies.

"Key to cybersecurity is information sharing," Johnson said at a Center for Strategic and International Studies conference. "It's key even among the most sophisticated actors -- you can't be out there alone, and should partner with the federal government."

Johnson ultimately wants the government to require organizations to report data breaches and to levy harsher penalties for malicious hackers. He also advocated education as the best way to prevent successful cyberattacks.

Privacy Professor CEO Rebecca Herold warns that the education needs to start with the government officials tasked with creating these laws.

"Lawmakers must have a much better understanding of technology involved in the many laws they are proposing," Herold said. "The current moves by the FBI, and some of the lawmakers to require backdoors in encryption are a good example of how most who are making cybersecurity decisions simply don't understand technology and cybersecurity at all."

Herold said the need for an overriding breach law is real, but noted that the requirements for reporting a breach need to be considered differently from any requirements related to information sharing.

"Regarding the data sharing, we definitely do not want to have a lot of sensitive data in a large government storage location, with untold numbers of people and entities accessing it, and potentially misusing it for many other purposes," Herold said. "Past laws and situations that have occurred with government control over data show a need to have some other type of entity that is not the government to control any type of data security data, and potentially a large amount of personal data that could accompany it, that may be shared amongst U.S. entities."

Beyond the need for new laws, DHS Secretary Johnson talked about the need for the government to make better decisions when buying security systems and to expand the use of the Einstein intrusion detection system to more government agencies.

"With the use of Einstein E3A, agencies could clean up 60% of vulnerabilities in a very short period of time," Johnson said.

Einstein is the system used by the US Office of Personnel Management (OPM). It was not, however, able to prevent the OPM data breach because the system was not designed to detect or protect against new threats until they are identified and an associated signature is developed and entered into the system, according to the Department of Homeland Security.

Herold said implementing Einstein in more government agencies is long overdue.

"There is also no good explanation for why the government agencies, after all this time, still have not implemented Einstein," Herold said. "All the agencies should not only be using security tools by this point in time, but they should have had them implemented years ago. It demonstrates the disjointed, non-communicative and haphazard way in which all the agencies are managing their information security programs and associated efforts."

What stipulations do you see as necessary for a potential data breach reporting bill?
I don't have a background in security, so I don't know what stipulations a bill should include. However, I can say that I totally agree with Ms. Herold - the government needs to fully understand an issue before they go handing down mandates.

As a consumer, I believe that a law requiring data breach reporting is necessary. But as someone who works on a team that frequently works with the government, I know that they can come up with some pretty ridiculous requirements.

Yeah, I agree there needs to be more understanding. Many of the things called breaches aren't breaches, but compromises of specific accounts.