Security 500 conference     

 Don’t miss the networking event of the year for security executives!
Register today for the Security 500 Conference.

Cyber Tactics / Cyber Security News

What Has Been Accomplished on Cyber Legislation?

In response to the growing cyber threat, Congress has been busy drafting legislation.

In response to the growing cyber threat, Congress has been busy drafting legislation.  Last year alone our representatives introduced more than 40 bills and resolutions with provisions relating to cyber security. In both the House and the Senate, and across party lines, members and their staff are educated, engaged, concerned and active. Change is in the air. Unfortunately, that is as far as it has gotten. Despite the growing threat, it has been over a decade since Congress sent a major cyber bill to the President. What follows are the most significant areas under consideration. 

 

FISMA Reform

In 2002, Congress placed federal executive agencies under the requirements of the Federal Information Security Management Act. Under FISMA’s compliance-based standards, federal agencies spend $15 billion annually on IT security. Yet, according to the Government Accountability Office, most federal agencies remain unable to track their cyber security goals and objectives. In response, the House recently passed the Federal Information Security Amendments Act of 2013 and sent it along to the Senate. Among other things, the bill would require federal agencies to conduct vulnerability assessments and penetration tests; and to use automated, continuous monitoring when possible to “detect, report, respond to, contain and mitigate incidents.” Although these added requirements would cost agencies a total of $150 million a year, no new funds are authorized.

 

Critical Infrastructure Protection

There is a longstanding debate about whether critical infrastructure security should be voluntary or mandatory. Earlier this year, President Obama issued an Executive Order directing the National Institute of Standards and Technology to develop a framework for these companies to voluntarily adopt. Step one is to gain adoption through government incentives. Should that approach fail, the Order gives the nod to regulatory agencies to consider appropriate mandates. The Senate’s recently introduced Cybersecurity Act of 2013, if passed into law, would codify only the voluntary aspects of that approach. This marks a significant departure from last year’s proposed Cybersecurity Act, which focused on developing mandatory risk-based cyber security performance requirements.

 

Information Sharing

The most extensive information sharing bill is CISPA, the Cyber Intelligence Sharing & Protection Act. This bi-partisan bill passed House vote in 2012 and 2013, but the Senate has refused to take it up, stating that it lacks sufficient privacy protections. Although the latest bill includes 11 substantive amendments aimed at allaying these concerns, it continues to lack support from the Senate, the White House and the civil liberties and privacy community. As it currently stands, the bill seeks to encourage greater information sharing from the private sector to the government, with appropriate limits on the receipt, retention, use and disclosure of cyber threat information associated with specific persons. The bill would provide criminal and civil immunity for certain private sector security efforts, and also would promote better sharing by the U.S. intelligence community.

 

Data Breach Notification

It has been 10 years since the State of California passed the country’s first data breach notification law. Since that time, nearly every state has followed, leading to a patchwork of varying obligations for notifying individuals and the government about the actual and potential loss of personally identifiable information.  Congress has focused on this problem in the past, seeking to create a single data breach notification statute to serve as the harmonized law of the land. However, disagreements have flared not only over the issue of States’ rights, but also as to which State law serves as the best model.

 

Private Sector Countermeasures

The private sector has the resources, capabilities, reach and speed to engage more directly in support of the government’s traditional roles to detect, attribute and respond to cyber threat actors. Clear legal authorities, however, remain lacking. Last year, the Senate’s Cybersecurity Act introduced a provision that would allow a private sector entity to operate, or approve the operation of, “countermeasures” in which the good guys modify, redirect or block information. A number of groups thought the bill was too vague as to what actual countermeasures would be allowed or prohibited, and for now the dialogue continues.

 

Research and Development

This year, the House also passed the Cybersecurity Enhancement Act, which would require additional research into access control management, systems assurance, industrial control systems security, and supply chain management.  Meanwhile, the Senate’s Cybersecurity Act of 2013 would require a federal R&D plan that, among other things, seeks to establish new Internet protocols that stress security and include the ability to determine the origin of messages transmitted over the Internet.  The Senate bill also would seek new ways to guarantee individual privacy; verify third-party software and hardware; address insider threats; and better secure cloud computing storage and wireless transmissions.

 

Moving Ahead

Additional areas of legislative focus include government procurement, workforce development, promoting international norms and fostering public/private collaboration. Still, in terms of a first priority, perhaps what we really need is for NIST to issue Best Practices for Congress and the President to Pass a Cyber Law. Just a closing thought.  

 

About the Columnist: 

 Steven Chabinsky is General Counsel and Chief Risk Officer for cybersecurity technology innovator CrowdStrike, which provides incident response services, cyber intelligence feeds, and a next generation intrusion detection, attribution, and prevention platform. He previously served as Deputy Assistant Director of the FBI’s Cyber Division. 

Did you enjoy this article? Click here to subscribe to Security Magazine. 

Recent Articles by Steven Chabinsky

You must login or register in order to post a comment.

Multimedia

Videos

Image Galleries

ASIS 2013 Product Preview

ASIS International 59th Annual Seminar and Exhibits, September 24-27 in Chicago, Illinois, will include an exhibit hall packed with innovative security solutions. Here are some of the products that will be shown at ASIS this year.

Podcasts

Virtualization and Data Center Security: What You Need to Know for 2014

Data centers are increasingly becoming the center of the enterprise, and data center and cyber security is following the same path for security departments. According to Justin Flynn, a consultant at the Burwood Group, the virtualization of data centers allows enterprises to scale more easily and faster, with a smaller footprint.

However, hosting enterprise data in the cloud can make intrusion detection more difficult – how can enterprise security leaders team up with other departments to keep aware of cyber risks and traffic, and physical and data compliance during the virtual transition? How can CISOs and CSOs discuss cyber threats with the C-Suite to get the resources they need? And how can the proper infrastructure test and verify possible malicious attacks? 

More Podcasts

Security Magazine

Security Magazine 2014 September cover

2014 October

Security takes a look at safety and preparedness for the harshest of weather phenomena in this October 2014 edition of the magazine. Also, we investigate supply chain security and the many benefits of PSIM. 

Table Of Contents Subscribe

Travel & the Ebola Risk

Are you and your enterprise restricting travel due to Ebola risks?
View Results Poll Archive

THE SECURITY STORE

comptiahighriseproductphoto
CompTIA Security+ Certification Study Guide
CompTIA's Security+ certification is a globally-recognized, vendor neutral exam that has helped over 60,000 IT professionals reach further and higher in their careers. The current Security+ exam (SY0-201) focuses more on being able to deal with security issues rather than just identifying them.
More Products

Clear Seas Research

Clear Seas ResearchWith access to over one million professionals and more than 60 industry-specific publications,Clear Seas Research offers relevant insights from those who know your industry best. Let us customize a market research solution that exceeds your marketing goals.

STAY CONNECTED

Facebook 40px 2-12-13 Twitter logo 40px 2-12-13  YouTube  LinkedIn logo 40px 2-12-13Google+

Vertical Sector Focus: Critical Infrastructures

criticalhomepagethumbFrom terrorism to vandalism, it’s preparedness, response, training and partnerships. Learn about some of the critical security issues facing this sector.

Visit the Critical Infrastructure page to read more.