James Bond always orders his martini prepared a special way: “Shaken, not stirred.” Being a teetotaler, I have always wondered what would happen if Bond – James Bond – were served a stirred martini. Would he be able to tell? Many of the more notable drink masters in the infosec community could probably educate me about the subtle differences between a shaken and a stirred martini. Apparently, there is a clear difference.

I have a similar fascination with the difference between a data breach and a cybersecurity incident, and there is growing evidence that the subtle differences are being noticed and better defined. For example, on September 14, New York State Governor Andrew Cuomo announced new regulations for all financial and insurance firms that conduct business in New York State. These new regulations are currently under review through October, but if accepted in their current form, they go beyond anything that has previously been promulgated in the cyber world. The legislation is a very easy read, clocking in at only 12 pages. I strongly suggest that every member of the infosec community take a close look at it, as it is sure to change the entire cybersecurity landscape. For those of you who are seriously time-crunched (although I don't recommend it), a summary of the salient points is available here as well. There is also some well-argued and thoughtful criticism that the regulation falls short of a comprehensive plan.

Aside from its obvious directives, one point that struck me about the regulation is the absence of the word “breach.” The clever authors of this regulation have beautifully avoided the use of the infamous “B” word. In a previous article, I posited that a ransomware event is not a data breach. The evidence used to support the logic in that article was met with a collective shrug by the infosec community.
The new regulation proposed by Governor Cuomo further distances itself from defining a breach, and it does so in a magnificent way that clarifies the difference for all of us. The word used to bypass that messy breach argument is “tampering.” The definition that introduces it is beautifully stated:
“Any business related information of a Covered Entity the tampering with which, or unauthorized disclosure, access or use of which, would cause a material adverse impact to the business, operations, or security of the Covered Entity.”
(In legal parlance, the word “material” in that definition has a distinct meaning, but that is not at issue here.) What we have in this bold regulation is not only new guidelines toward better cybersecurity but also a more accurate approach to the mandated reporting requirement for a cybersecurity event. The unanticipated encryption of data that occurs in a ransomware event is definitely within the realm of a tampering event. Data tampering, as a definition, raises the cybersecurity lexicon to a new level.

Why is this all important? It is important because a little regulation decreed in New York State can easily become the test case for broader-reaching federal and international business regulations. If that happens, the language will also flow into that broader-reaching legislation. The “B” word is of no concern to the authors of this new regulation, and its absence could be the catalyst for something much bigger and better in the world of information security. As we start to understand the subtle difference between “tampered, not breached,” we elevate the entire infosec profession. Would you like that regulation shaken, or stirred?