Sue Bergamo, CISO at BTE Partners, LLC, agrees. “Governments should have a whistleblower program with clear instructions on how to disclose information, then offer the resources to enable procedures to encourage employees to come forward and guarantee a safe reporting environment,” she says.
Secondly, nations need to upgrade their legislation to include strong anti-retaliation protection against tech workers, making it unlawful for various entities to engage in reprisal. This includes job-related pressure, harassment, doxing, blacklisting, and retaliatory investigations.
The US, for example, has no federal laws designed to protect employees who blow the whistle on cybersecurity issues. However, anti-retaliation stipulations are broad enough to include such cases. For instance, some laws that push back against punishing corporate whistleblowers and people who reveal misdeeds with federal funds can also apply to tech whistleblowers. Additionally, in 2021, the US Department of Justice’s (DOJ’s) Civil Cyber-Fraud Initiative paved the way for using the False Claims Act to address government contractors and grant recipients that submit false claims misrepresenting compliance with cybersecurity standards.
According to Empower Oversight non-profit, certain acts can be applicable to whistleblowers who report on tech-related issues:
- The False Claims Act safeguards employees who blow the whistle on government fraud.
- The Sarbanes-Oxley Act shields employees who reveal fraud and securities violations in publicly traded firms.
- The Dodd-Frank Act defends employees reporting securities violations to the Security and Exchange Commission (SEC).
- The Financial Institutions Reform Recovery and Enforcement Act covers employees disclosing legal infringements at banks and similar depository institutions.
- The Energy Reorganization Act ensures protection for nuclear industry employees against violations of related laws or regulations.
- The Whistleblower Protection Act upholds protections for federal government employees reporting legal violations, significant threats to public health or safety, or gross mismanagement, waste, or abuse.
- The National Defense Authorization Act protects employees that reveal gross mismanagement, waste, abuse, or violations of laws or regulations relating to federal contracts.
The European Union has also made progress in the effort to protect whistleblowers. Member states were asked to transpose EU Directive 2019/1937 into their legal framework, and the countries that did not (Czechia, Germany, Estonia, Spain, Italy, Luxembourg, Hungary, and Poland) were referred to the Court of Justice in February this year. The directive asked EU members to provide increased protection to whistleblowers in both the public and private sectors, which included creating a robust system of protection against retaliation.
However, the advancements made on the legislative front need to be matched by similar progress in corporate practices.
What organizations could do to reduce whistleblower risks
Corporate whistleblowers have a lot at stake when they decide to report issues. They could be labeled troublemakers or lose their security clearance, both of which could limit their employment opportunities and affect their financial security. Additionally, they could also face legal consequences if the information they disclose is sensitive or classified.
Many of the headaches could be prevented if organizations address whistleblowers’ concerns internally, before they escalate, creating a positive and supportive environment for those who want to signal wrongdoings.
The first priority for organizations should be to establish a clear policy for employees who want to flag issues. “This involves developing and implementing comprehensive and easily accessible procedures,” according to Empower Oversight.
Employees need to be assured that their identities will remain confidential throughout the entire internal reporting process, if this is something they want. That said, providing options for anonymous reporting of cybersecurity issues is absolutely crucial to encourage them to talk. Kolja Weber, CEO FlokiNET, who has assisted whistleblowers in the past, says organizations should walk the extra mile to protect their employees’ identity. “Anonymity is always the best way to ensure whistleblowers stay safe and feel encouraged to come forward,” he says.
Whistleblowers should be given multiple reporting options
Ideally, organizations should offer multiple paths for reporting problems. Whistleblowers could, for instance, talk to their supervisors, call an anonymous hotline, address a designated ombudsman, or even notify a specialized office that has access to leadership. A system that offers plenty of options gives employees flexibility based on their comfort level and the nature of the issue. If organizations offer several avenues for reporting issues, they can increase the likelihood that employees will come forward.
To further increase chances, employees can be offered regular training sessions in which they are informed about the importance of coming forward on cybersecurity issues, the ways to report wrongdoing, and the protection mechanisms they could access. Moreover, leadership should explain that it has zero tolerance for retaliation. “Swift action should be taken if any instances of retaliation come to light,” according to Empower Oversight.
The message leadership should convey is that issues are taken seriously and that C-level executives are open for conversation if the situation requires such an action. As Renee Guttmann, founder and principal of Cisohive and former CISO of companies like Coca-Cola, Time Warner, and Campbell, points out, “a process for escalating issues to executive leadership and the Board [should be in place] if there is a belief that issues are not being appropriately addressed through their chain of command.”
At each step, employees should be assured that the problem they disclose will be investigated thoroughly and that enough resources will be poured into that. The entire process should be transparent, with both the person who reported the issue and the organization being kept informed of the progress.
All these measures can be beneficial in the long run, and organizations that implement them should be able to address problems internally, preventing them from escalating. Many companies are slowly understanding the true importance of the process. “It takes time, but I think it’s happening, companies stop stigmatizing employees who blew the whistle,” says Delphine Halgand-Mishra, founding executive director at The Signals Network, a non-profit that provides support to whistleblowers and journalists. The organization created the legal section of the Tech Worker Handbook, which explains legal concerns and issues tech workers might have before, during, and after deciding to speak out.
Cybersecurity whistleblowers can be essential for democracy
Peiter “Mudge” Zatko and Anika Collier Navaroli, who reported security, privacy, and disinformation issues related to Twitter, were “vital whistleblowers,” Gold says. “Their willingness to testify about the role of social media in facilitating unprecedented threats to democracy was courageous and vital.”
Both, however, had to navigate a series of challenges after they blew the whistle, but their decision to come forward was a calculated one. “There’s a sentence I heard many whistleblowers say: ‘I was hoping someone else would do it, and nobody did,’” said Halgand-Mishra. “I also hear them say: ‘I just couldn’t face my own conscience.’ They know they are getting in trouble, but there’s no other way.”
The Signals Network’s founding executive director believes both governments and the private sector should do more to foster an open culture and protect whistleblowers because they are part of any “vibrant democracy.” According to Halgand-Mishra, “Whistleblowers should be embraced by society; they should be celebrated.”
