Congress Passing More Cybersecurity Bills

Federal legislation may be starting to catch up to the threat.

There are two areas of legislation that are always lagging. One, which is covered below, is cybersecurity. The other is technological innovation: new ideas, in both hardware and software, arrive much faster than the public legislation needed to administer them, e.g., drones.

The story below comes from the Washington Post:

People are paying more attention to hacks, and that's helping Congress pass more cybersecurity bills

This is shaping up to be the most productive congressional term for cybersecurity in history — in no small part because of the efforts of Senate Homeland Security Committee Chair Sen. Gary Peters (D-Mich.). Peters and the committee’s top Republican, Sen. Rob Portman (Ohio), shepherded the largest expansion of requirements for industry to share hacking information with government into law last year. Before the close of this term, they hope to get at least two more big cyber bills into law — one that would upgrade the government’s aging and clunky information security requirements and another that would make it easier for government agencies to securely use cloud-computing systems. Both have already passed in the Senate.

That’s on top of other legislation Congress has passed surging funding to cyber offices including the Cybersecurity and Infrastructure Security Agency and expanding those agencies’ mandates.

MOUNTING THREATS

The efforts have gone a long way toward upgrading the government's cyber posture to meet the current threat — though there's still a long way to go, most cyber analysts agree. “If we're going to be effective in fighting cyber criminals and cyber attacks, we have to be able to fight in a coordinated fashion and this puts the framework in place where we can do that,” Peters told me in an interview. “We’ve come a long way, but we can’t stop there.”

There were two big enabling factors for this burst of cyber legislation.

First: There was immense public pressure to get something done quickly — especially in the wake of a series of cyber crises including ransomware attacks against the oil, IT and agricultural sectors and heightened fears of Kremlin hacking after Russia’s invasion of Ukraine. Peters described the results as a mix of legwork and timing.

“We did all the groundwork to have really good bills,” Peters told me. “So when something happens that really brings everybody's attention to an issue, we can act on it very quickly and provide a solution that people can immediately vote on and feel comfortable they're taking action.” Indeed, the cyber incident reporting bill passed the Senate with unanimous support — as did the other two bills they hope to get over the finish line.

“That gives me a lot of leverage talking to my friends in the House that we've got 100 senators in support of the bills as written here in the Senate,” he said.

Second: Congress has slow-rolled cyber legislation for so long that even pretty common-sense measures seem like super big deals at this point. The cyber reporting bill that passed last year requires companies in critical infrastructure sectors, such as energy, transportation and manufacturing, to alert the government about significant cybersecurity incidents. It requires a far broader set of companies to alert the government when they pay ransoms to hackers. But it doesn’t require companies to meet any particular cyber standards. That’s a move many experts say is long past due — but it would probably take an even greater cyber crisis to impose such rules more broadly. The executive branch has imposed minimum cyber standards on a handful of sectors where it has the regulatory authority, such as pipelines.

By contrast: The last time Congress passed a big cyber bill affecting industry in 2015 it merely gave companies the option of sharing hacking information with the government without any legal jeopardy. Even that measure was highly controversial and barely made it into law.

NEXT UP

Peters’ next big cyber target is legislation aimed at helping make small businesses more resilient against ransomware and other hacks. Small businesses are a frequent target for ransomware hackers because they tend to have far weaker defenses than larger firms. But it’s proven difficult to get government cyber resources out to small businesses because they’re so diverse and widespread.

“It is absolutely an existential threat to small businesses if they’re hit with a ransomware attack. So we’re thinking through how do we help small businesses defend themselves? How do we leverage federal cyber resources to work with small businesses?” Peters said. “It’s not an easy problem, but it’s one that we have to address.”

###
Eric Holdeman is a contributing writer for Emergency Management magazine and is the former director of the King County, Wash., Office of Emergency Management.