Latest in Cybersecurity: Legislation
The good news is that national security bipartisanship in Congress lives. The bad news is that the only place it lives is in the pages of the Senate Intelligence Committee report on Russian election interference.
American companies are getting hacked, and the Securities and Exchange Commission wants corporate executives to do something about it. According to a White House Council of Economic Advisers report released earlier this year, malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016.
There is a mounting gap between what the headlines say about the costs of cyber insecurity to the U.S. economy and the results of data-driven research on this topic—with negative implications for cybersecurity. Congress should move to narrow the gap by passing a federal law that takes two steps to protect data. First, it should require companies that possess sensitive personal information to publicly disclose when significant breaches of this information occur.
On Dec. 21, all eyes were on the Republican bill to cut taxes. Yet a bipartisan group of six senators also had their eyes on the far less sexy (but still important!) topic of election hacking. They quietly introduced a bill called the Secure Elections Act that, if passed, would be a good down payment on improving the confidence we can have in the integrity of our elections.
The next National Defense Authorization Act (the NDAA FY’18) is nearing the finish line. A Conference Report is now available, and so the time has come for a closer look at some of the key provisions of interest to Lawfare readers. My colleague Scott Anderson is going to post a broad overview shortly. For my part, I’d like to walk you through the “Cyberspace-Related Matters” section (sections 1631-1649C).
The U.K. government released a new “Internet Safety Strategy” Green Paper last week, making clear its intention to follow through on bold campaign rhetoric promising aggressive internet regulation.
Sens. Mark Warner, Cory Gardner, Ron Wyden and Steve Daines have proposed a bill, the Internet of Things Cybersecurity Improvement Act of 2017, that is a good first step in securing the Internet of Things and U.S. government systems in particular. While there are still places for improvement, this is a solid piece of common-sense legislation.
Last week, the Senate took a significant step towards imposing additional sanctions on Russia. The latest step came in the form of an amendment to S.722, the Countering Iran's Destabilizing Activities Act.
Today a bipartisan group of lawmakers introduced in both the House and Senate a bill that would formalize the Vulnerability Equities Process (VEP) into law. The proposed legislation, the Protecting our Ability To Counter Hacking (PATCH) Act, is sponsored by Senators Brian Schatz (D-Hawai‘i), Ron Johnson (R-Wis.), and Cory Gardner (R-Colo.) (all members of the Senate Committee on Commerce, Science, and Transportation) and Representatives Ted Lieu (D-Calif.) and Blake Farenthold (R-Texas).
Bobby Chesney raised a number of issues regarding the Active Defense Certainty Act, and I’m just getting into it now. I think Bobby’s comments are spot on, but I want to amplify some of his concerns.
Meaning of persistent intrusion