Homeland Security chief calls for federal breach reporting law

The Homeland Security head wants federal laws requiring data breach reporting and information sharing, but one expert warns that government officials need better understanding of infosec technology before creating such laws.

Jeh Johnson, U.S. Secretary of Homeland Security, said the top item on his wish list is a national data breach reporting law to replace the various state laws and the disparate rules within government agencies.

"Key to cybersecurity is information sharing," Johnson said at a Center for Strategic International Studies conference. "It's key even among the most sophisticated actors -- you can't be out there alone, and should partner with the federal government."

Johnson ultimately wants the government to require organizations to report data breaches and to levy harsher penalties for malicious hackers. He also advocated education as the best way to prevent successful cyberattacks.

Privacy Professor CEO Rebecca Herold warns that the education needs to start with the government officials tasked with creating these laws.

"Lawmakers must have a much better understanding of technology involved in the many laws they are proposing," Herold said. "The current moves by the FBI, and some of the lawmakers to require backdoors in encryption are a good example of how most who are making cybersecurity decisions simply don't understand technology and cybersecurity at all."

Herold said the need for an overriding breach law is real, but noted that the requirements for reporting a breach need to be considered differently from any requirements related to information sharing.

"Regarding the data sharing, we definitely do not want to have a lot of sensitive data in a large government storage location, with untold numbers of people and entities accessing it, and potentially misusing it for many other purposes," Herold said. "Past laws and situations that have occurred with government control over data show a need to have some other type of entity that is not the government to control any type of data security data, and potentially a large amount of personal data that could accompany it, that may be shared amongst U.S. entities."

Beyond the need for new laws, DHS Secretary Johnson talked about the need for the government to make better decisions when buying security systems and to expand the use of the Einstein intrusion detection system to more government agencies.

"With the use of Einstein E3A, agencies could clean up 60% of vulnerabilities in a very short period of time," Johnson said.

Einstein is the system used by the US Office of Personnel Management (OPM). It was not, however, able to prevent the OPM data breach because the system was not designed to detect or protect against new threats until they are identified and an associated signature is developed and entered into the system, according to the Department of Homeland Security.

Herold said implementing Einstein in more government agencies is long overdue.

"There is also no good explanation for why the government agencies, after all this time, still have not implemented Einstein," Herold said. "All the agencies should not only be using security tools by this point in time, but they should have had them implemented years ago. It demonstrates the disjointed, non-communicative and haphazard way in which all the agencies are managing their information security programs and associated efforts."
