How To Report A Cybersecurity Incident in 2021
With the headlines about SolarWinds and Colonial Pipeline, many IT organizations have taken precautions against a cybersecurity incident. But what happens when those precautions fail and a ransomware demand appears on your screen? When you write a cyberattack remediation plan, should it include a step for reporting the incident to the US government?
According to recent outreach by the White House, the US Government wants industry's help in understanding and countering the cyberwar threat. In this post I sort through the federal agencies that cover cybersecurity, tell you who to contact, and then describe what happens when things get really bad.
Who Do You Call?
I sorted through the myriad agencies and capabilities in the Biden Administration to give simplified guidelines on reporting a cybercrime. Here are the top two US government agencies that need to know when you are the victim of a cybercrime.
- Cybersecurity & Infrastructure Security Agency (CISA) Incident Report Form (https://us-cert.cisa.gov/forms/report)
The May 2021 Executive Order on Improving the Nation's Cybersecurity (EO 14028) makes it clear that CISA is now the lead agency for basic reporting of cybersecurity incidents. The CISA website is also an educational gateway to other Federal agencies involved in security standards, such as the National Institute of Standards and Technology (NIST).
Even if you have already remediated an incident, it should still be reported to CISA so the agency can accurately measure the national scope of the problem.
- Federal Bureau of Investigation (FBI) Field Offices (https://www.fbi.gov/contact-us/field-offices)
Contact the FBI Cyber Task Force via a local FBI field office to report cybercrime. This includes computer intrusions or attacks, digital extortion, fraud, intellectual property theft, identity theft, theft of trade secrets, criminal hacking, terrorist activity, espionage, sabotage, or other foreign intelligence activity.
What Happens Next?
Let us say your cybersecurity incident is going unbelievably badly, very quickly, and you are thinking about paying a ransom, or your operational technology has been compromised. Who do you call then?
The answer is to stick with the local FBI field office as the primary contact into the federal system.
The United States Department of Justice (DOJ), which includes the FBI, reorganized its cybersecurity efforts in April 2021 and created the Ransomware and Digital Extortion Task Force. This is the group that was responsible for clawing back approximately $2.3 million of the ransom paid by Colonial Pipeline by tracking the Bitcoin payments to a digital wallet, reportedly one managed by a Northern California technology company.
To reach the Ransomware and Digital Extortion Task Force, follow step #2 above: start working with a local FBI agent, and then look to the FBI to escalate your concerns within the federal system.
Better Federal Cybersecurity Incident Guidance is Needed
The new DOJ task force is emblematic of how troublesome it is to deal with the US federal government. That is, they created a new task force to deal with the fact that there are too many agencies in the US government. And the myriad agencies and overlapping responsibilities are part of what makes cybersecurity seem magical and imponderable to students and practitioners alike.
While researching this article I found many other US Government agencies with contacts for cybersecurity incidents. Check out this undated Department of Homeland Security bulletin, which purports to be "A Unified Message for Reporting to the Federal Government", but it doesn't even mention CISA.
To make it simple, I synthesized recent events, the Biden cybersecurity EO, and public statements by the DOJ into the two-step escalation procedure above. However, depending on your situation you may still need to contact another agency. Here are some of the other contact points I found:
- United States Secret Service (http://www.secretservice.gov/contact/field-offices)
Report password trafficking, theft of payment card data, or theft of other financial payment information.
- Immigration and Customs Enforcement / Homeland Security Investigations (ICE/HSI) (https://www.ice.gov/contact/hsi)
Report illicit e-commerce (including hidden marketplaces); Internet-facilitated proliferation of arms and strategic technology; child pornography; and cyber-enabled smuggling and money laundering.
Industry Action Is Needed
Let us hope that the recent summit between President Joseph R. Biden, Jr. of the United States and President Vladimir Putin of the Russian Federation, plus other diplomatic and high-level actions, reduces the ongoing cybercrime assault against the United States and its allies by Russian criminal gangs.
However, since we cannot count on diplomatic measures built on threats and promises working, the IT industry needs to step up and secure all operational technology in private industry as quickly as possible. Enterprises must allocate additional resources to every level of their cybersecurity systems in order to meet the threat posed by the cyberwar.
For Salesforce devops architects, IT leaders, practitioners, and developers, the industry cannot take basic things like workstation and network security for granted. With remote work now the norm, maintaining secure developer environments is a real challenge.
Salesforce Architects Must Act on Security Concerns
Finally, architects need to incorporate security concerns earlier in the development process. And devops tool vendors need to support those efforts by building application security directly into the developer workflow without adding new cognitive load for coders.