Cybersecurity Policy and Law Are Becoming More Aggressive at Just the Right Time


Posted on by Robert Ackerman Jr.

The United States faces increasingly troublesome issues on many fronts, and cybersecurity is among them. Cyberattacks persist at a heightened frequency and have been deemed the “new normal” for government, companies, and individuals.

So say the Biden administration’s top cyber officials, and it was probably predictable given that more than a year of ransomware attacks have pummeled US companies, schools, and local governments. In addition, there have been warnings for months about enhanced Russian cyber aggression and security weaknesses sparked by a much bigger remote US workforce.

What this means is that the federal government’s multiple pronouncements this year to further embrace a “shields-up” approach to cybersecurity will continue indefinitely while cyberthreats may get even worse.

Amid the tumult arises a question mark about the closely related and important matter of cybersecurity policies and law. Their chief goal is to set the standards of behavior for cyber activities and restrictions to minimize cybersecurity incidents. Given the somber backdrop, just where do policies and laws stand today?

The answer, paradoxically, is positive: The government is doing more in the cybersecurity realm than ever. While no cybersecurity pro would disagree that much more must be done, new and pending government policies and laws are gathering momentum in a budding war against cyberattacks. States and the federal government have been passing more cyber laws and implementing more policies, and the federal government, in particular, has begun cracking down on cybercriminals.

According to the National Conference of State Legislatures (NCSL), 36 states in 2021 enacted cybersecurity legislation. About half of these states have provided strengthened security measures to protect government resources. In addition, new legislation in Connecticut and Utah provides incentives for private sector entities to have reasonable security practices in place at the time of a breach. Five other states—Georgia, Kansas, Michigan, Vermont, and Washington—passed bills to exempt select cybersecurity information from disclosure under public records laws.

The list goes on. In the case of Indiana and North Carolina, for instance, new legislation expressly targets ransomware. Indiana requires the reporting of ransomware attacks, while North Carolina became the first state to prohibit government entities from paying ransomware demands.

This hectic pace continues in 2022. The NCSL says at least 23 states so far have enacted 40 different cybersecurity bills.

Federal law, meanwhile, still doesn’t require all companies to disclose cyber breaches. But it has made significant headway on this front (described below) and also has begun pressing forward to address a number of other cyber issues. Last year, for instance, in a new effort to begin slowing the growth of soaring ransomware attacks, the Department of Justice created the Ransomware and Digital Extortion Task Force. Subsequently, it retrieved $2.3 million of the $4.4 million ransom paid by oil company Colonial Pipeline. A few months later, the task force arrested some members of the European hacking group REvil and seized more than $6 million linked to ransomware payments.

Here are some other recent activities in Washington aimed at improving cybersecurity.

Companies involved in critical infrastructure now must inform the federal government of major cybersecurity incidents within three days.

This law was passed in Washington in March and immediately became the most expansive cybersecurity requirement that the US government has ever placed on the private sector. The law levies these reporting requirements on companies in areas such as energy, manufacturing, and transportation. In addition, local and state governments, nonprofits, and businesses with more than 50 employees, as well as critical infrastructure companies, must report ransomware payments within 24 hours to the Cybersecurity and Infrastructure Security Agency.

The federal government is starting to come to grips with its perennial headache of finding enough qualified cyber professionals to hire.

At any one time, nearly a third of roughly 75,000 government cyber jobs go unfilled. This is likely to change in coming years due to a new, ballyhooed report by the congressionally led Cyberspace Solarium Commission outlining ways to help resolve the problem. Cyberspace Solarium members, including Senator Angus King (I-Maine) and Senator Ben Sasse (R-Nebraska), are expected to introduce many of its recommendations to a friendly legislature this year or next.

Plans include the adoption of higher pay scales to better compete with the private sector and changing job requirements to make it much easier to hire people who lack bachelor’s degrees but have select cybersecurity certifications.

Steps are being taken to combat threats, some deadly, against election workers, who are increasingly fleeing their jobs, heightening the risk of election security lapses.

These issues have become widespread, according to extensive testimony at a recent hearing before the House of Representatives committee investigating the January 6, 2021, attack on the Capitol. A recent survey by the Brennan Center for Justice found that 77 percent of local election officials nationwide say that threats against them have increased and are pushing out employees.

The Department of Justice has responded by launching an election threats task force to address the threats and will investigate and prosecute offenses where appropriate. In addition, Senator Angus King and other members of Congress are working with US Cyber Command to produce two unclassified reports connected with each biennial election. The first would highlight foreign threats to the election beforehand and what is being done to stymie them. The second would provide an overall assessment of election security after the election is over.

Contributors
Robert Ackerman Jr.

Founder and Managing Director, AllegisCyber


Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
