When cyber incidents occur, victims should be notified in a timely manner so they have the opportunity to assess and remediate any harm. However, providing notifications has proven a challenge across industry.
When making notifications, companies often do not know the true identity of victims and may only have a single email address through which to provide the notification. Victims often do not trust these notifications, as cyber criminals often use the pretext of an account compromise as a phishing lure.
The volume of messaging across digital platforms means that important messages are often simply overlooked. Even when victims do trust that a notification is real, they may simply not know what actions to take given a lack of context or the technical skills necessary to secure their accounts.
To address these challenges, the Cyber Safety Review Board of Directors (CSRB) made a series of recommendations for cloud service providers to improve the process for victim notification and support. Chief among these recommendations was to encourage cloud service providers to work with major mobile device platform vendors to develop an “‘amber alert’ style victim notification mechanism for high-impact situations.”
While there is merit in the CSRB’s recommendation to develop a shared notification capability for cyber incidents, implementation would require overcoming significant technological and governance challenges.
Overcoming these challenges would require considerable investment and willing partnership from multiple parties. Given these barriers, development of the system is unlikely to move forward to solve the relatively narrow problem the CSRB proposed to address – “high-impact situations” within the ecosystem of cloud service providers.
However, expanding the purpose and reach of the system to address any account compromise within the broader technology ecosystem may increase stakeholder willingness to invest in overcoming the technological, governance, and viability challenges.
This report explores the challenges associated with developing the native-notification concept and lays out a roadmap for overcoming them. It also examines other opportunities for more narrow changes that could both increase the likelihood that victims will both receive and trust notifications and be able to access support resources.
The report concludes with three main recommendations for cloud service providers (CSPs) and other stakeholders:
- Improve existing notification processes and develop best practices for industry.
- Support the development of “middleware” necessary to share notifications with victims privately, securely, and across multiple platforms including through native notifications.
- Improve support for victims following notification.
While further work remains to be done to develop and evaluate the CSRB’s proposed native notification capability, much progress can be made by implementing better notification and support practices by cloud service providers and other stakeholders in the near term.
