The third-party cyberattack that is crippling operations of Canada’s Sunwing Airlines is another example of why critical infrastructure providers should have to disclose a breach of cyber security controls to a government agency as soon as possible, says an expert.
“The lessons that need to be learned from this attack need to be shared widely,” David Shipley, CEO of New Brunswick-based awareness training provider Beauceron Security, said in an interview Wednesday.
Canada should follow the lead of the U.S., he said, which last month approved legislation requiring named organizations in critical infrastructure sectors to report substantial cybersecurity incidents to the Department of Homeland Security (DHS) within 72 hours of learning of a successful attack, or within 24 hours of making a ransomware payment. Details of what has to be reported are still being worked out, so the reporting regime hasn’t started yet.
DHS will be able to share certain information about threat indicators and security vulnerabilities through these disclosures. Meanwhile, disclosing organizations will be protected from being sued.
Shipley, who is also co-chair of the Canadian Chamber of Commerce’s Cyber. Right. Now. campaign, said the problem is that private and public sector organizations need to know at least some of the indicators of compromise [IoCs] or tactics used by threat actors as soon as possible to stop the spread of similar attacks.
“Right now, if you are a critical infrastructure company in Canada you can ask the [federal government’s] Canadian Centre for Cyber Security for assistance, and they’d be happy to do that. But they can’t say [without invitation], ‘We’re coming in to help, we’re coming in to understand this. We’re coming in to understand the IoCs to make sure the rest of the industry learns quickly from this.’”
Unfortunately, he said, the lawyers, risk team, or insurers of a victim organization will refuse to give permission for such disclosure.
He complained about the “tyranny” of companies “acting in their own motivated self-interest when dealing with a disaster.”
“The reality is this is a societal issue,” he maintained. The lessons that need to be learned from cyberattacks need to be shared widely.
“When we have a physical disaster in the airline industry, there’s a transportation safety agency investigating it, and there’s full and clear public transparency. That’s the law. But we’re missing that on the cyber side … We’ve seen this in healthcare in Canada, where we only find out about breaches if they become public. Sometimes we get better information from vendor forensic analysis than we get from the digests sent out by the Canadian Centre for Cyber Security. We have got to change the story. We need mandatory breach reporting.”
Over the holiday weekend, Sunwing began having trouble with the IT system it uses to check in passengers. Company staff had to resort to manual procedures, leading to hours-long delays in departing flights — if they were able to leave at all. News reports say some flights out of Canada were delayed by more than 24 hours, and other travellers are stuck trying to get home.
“Our third-party systems provider, Airline Choice, continues to work with the relevant authorities to find a resolution to the system issue as soon as possible,” a Sunwing statement quoted in news reports said. “In the meantime, while we continue to process flights manually, additional flight delays can be expected and customers are advised to sign up for flight alerts on Sunwing.ca.”
Airline Choice offers a range of flight-related applications, including a departure control system for passenger and crew check-in, and checked baggage control.
The company, headquartered in Michigan, says on its website that its solutions are used by airlines and airports around the world.
Shipley said under a mandatory breach disclosure regime, victim firms wouldn’t have to hold a press conference and publicly give away sensitive IT details. But they should have to report to a designated agency and explain what they know. “And the moment they do that, they’re given some broad indemnities and some protections,” he added, “so the information they share with the federal government is protected, and they’re also not exposed to any additional liability by sharing this information with the government. Then the government can distribute to trusted groups levels of detail appropriate to those groups.”
Some cybersecurity and software companies already share varying degrees of intelligence, he added. “We just need to unclog this jam from the source, while they’re fighting the fire. They might be thinking just of themselves, but time is of the essence if we want to save others.”
One of an organization’s IT providers — as in the Sunwing incident — may be headquartered outside of Canada. Shipley was asked whether that would pose a legal problem for a mandatory breach reporting regime: how could a company outside Canada be forced to comply with a Canadian regulation?
Firms in critical infrastructure segments — such as the financial, energy, transportation and communications sectors — could be told they and their suppliers have to comply with Canadian law, he said. It would be a requirement put in a firm’s contracts with suppliers.