Almost from the beginning of the Biden administration early this year, the federal government, through its many branches and agencies, has taken a hard and continuously evolving look at improving cybersecurity across the spectrum of American enterprises. This push has been focused both on improving cybersecurity itself and on combatting the increasingly prevalent scourge of ransomware events. According to a September 2021 Bloomberg News article, ransomware alone became a $350 million criminal industry in 2020, with the bad guys paying particular attention to entities that hold large amounts of consumer data and sizable cyber insurance policies. To put an exclamation point on it, during the first week of December, the House of Representatives passed three bills with a two-thirds majority (who says Congress can’t get anything done if it’s properly motivated?) to address current and future cybersecurity issues.
First, the Understanding Cybersecurity of the Mobile Networks Act requires the National Telecommunications and Information Administration (NTIA), resident in the U.S. Department of Commerce, to examine and report back on cybersecurity vulnerabilities in mobile networks within a year following passage of the act.
The FUTURE Networks Act directs the Federal Communications Commission (FCC) to create a 6G Task Force that will prepare and submit a report to Congress on the advantages and risks associated with 6th generation wireless, one year following the FCC’s appointment of someone to chair the group. The third bill is the American Cybersecurity Literacy Act, which directs NTIA to launch a campaign aimed at educating the public on identifying phishing emails and other bad online behavior. These three bills join other bills introduced in October: the Defense of United States Infrastructure Act of 2021, the Good AI Act, and the Federal Cybersecurity Workforce Expansion Act, which promotes supply chain and network security. The bottom line is that preparing for cyberattacks is a real requirement for modern civic life, and one that requires constant attention.
In May of this year, the Biden administration issued Executive Order 14028, focused on improving the nation’s overall cybersecurity, with particular attention to infrastructure. Specifically, the number of cyberattacks has increased dramatically and has, according to Bloomberg News, hit the private sector particularly hard. Since the majority of critical infrastructure targets are privately held, with private entities owning and operating 85% of critical infrastructure, this is of particular concern and warrants immediate, high-level and sustained attention. In a word: “Yikes.”
Very briefly, the executive order was designed to protect critical infrastructure and federal government networks, while also providing support to those who manage these critical elements of our economy and society. The executive order also includes language to remove existing barriers between public and private sectors, as well as between and among law enforcement and other government entities. This will enable relevant and time-sensitive information to be shared between government and private sector entities to lessen the risk, mitigate the damage and restore violated systems and databases as quickly and completely as possible.
More specifically, the order directs that stronger cybersecurity standards be established and supported within the federal government, while also improving software supply chain security particularly as information flows between private sector and federal entities. Another goal is the creation of an “Energy Star” equivalent labeling system so that purchasers can be assured that acquired products and services are compliant with the latest government mandated standards.
In addition, the executive order creates a cyber safety review board, as well as a standardized playbook for responding to cybersecurity events.
While the executive order is extensive, there is one area that’s worth some extra attention and consideration. Aside from creating some parameters for reporting breaches once it’s known that one has occurred, there are major questions about who should be notified. Not surprisingly, given that so much of the infrastructure is under private control, there remain critical issues about sharing information, even between federal agencies and local law enforcement.
Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), said she backs draft legislation from the Senate Homeland Security and Governmental Affairs Committee to require certain private companies, federal agencies and government contractors to report cyberattacks to the agency. “The earlier that CISA, the federal lead for asset response, receives information about a cyber incident, the faster we can conduct urgent analysis and share information to protect other potential victims,” Easterly said in written testimony for the committee’s recent hearing. She added that incident reporting should also be “broad-based and not limited to type or sector,” and that CISA and the U.S. Department of Justice should have joint authority over reviewing the reports from critical infrastructure operators as well as from federal agencies and government contractors.
Key words here are “should have.” This reads to me like a government turf war. While there are certainly reasons to be concerned about who is notified in the event of a cybersecurity attack, and while CISA exists for this purpose, such attacks are also crimes, and thus everyone from the Department of Justice to local law enforcement also needs to be aware when such events occur. Finally, it has yet to be precisely determined where the mechanism to enforce the rules, once they are sufficiently codified, will rest. Stay tuned.
Perhaps most importantly, from a legal perspective, agreements with suppliers of software and equipment that may even “touch” critical infrastructure elements must be drafted carefully to allow for the appearance of cybercrimes that are beyond current experience and preventative cybersecurity “solutions.” The bad guys are often a step ahead, and enterprises must have the tools, both legal and technical, to combat them.