President Obama and members of Congress have been vocal about cybersecurity threats facing the U.S. At the same time, despite rising fears and increasing numbers of attacks, lawmakers have taken few relevant steps to meet cyberthreats. Universities around the country are rolling out new and improved cybersecurity programs, and you can find out more about some of them over at this website. However, U.S. enemies may not wait until your cybersecurity master’s degree is finished to start launching new and dangerous attacks.
The U.S. Senate’s Commerce Committee, chaired by John Rockefeller (D-W.Va.) in cooperation with ranking member John Thune (R-S.D.), has finally released a cybersecurity bill draft. Some argue that it does too much while others say it doesn’t do enough. It’s important to become familiar with the bill and to understand how it will affect government agencies and businesses. After a review of the bill, you’ll see that the Senate has three major areas left to address.
What the New Bill Includes
The Commerce Committee’s draft bill covers these major cybersecurity initiatives:
- Voluntary information sharing between government and operators of critical national infrastructure. The bill would create a framework by which utility companies could become voluntarily compliant with standards put forth by the National Institute of Standards and Technology (NIST). It does not require mandatory compliance.
- Training for new government cybersecurity personnel. The federal government would offer a “scholarship-for-service” program that would give tuition to students in exchange for government service.
- Researching the effectiveness of cybersecurity education in America. The bill would fund a study of existing cybersecurity education programs as well as research into why the federal government is struggling to attract high-quality cybersecurity professionals.
- Expansion of the Office of Science and Technology Policy. The office would be given additional authority to formulate regulations regarding secure network design, third-party software testing, privacy protection and cloud security.
- Public awareness. The bill funds an education program to teach Americans about cybersecurity. It also funds additional scholarships, competitions and internships that would allow the U.S. to build a new army of cyberwarriors.
How the Bill Could Affect Public Agencies and Businesses
President Obama signed a cybersecurity executive order in February 2013 that set out steps toward establishing a framework between government and critical infrastructure operators. Critical infrastructure, as defined by the president, includes both systems and assets that are so vital to the U.S. that their penetration could result in significant financial, national security, public safety or health care consequences.
While the president didn’t name specific entities, his language means that critical infrastructure may include telecommunications, utilities, banks and even Fortune 500 companies that have large effects on the U.S. stock market. For these entities, Obama tasked the head of Homeland Security to conduct a risk assessment of critical infrastructure to determine its top vulnerabilities to cyberattack.
Both President Obama’s order and the new Senate bill could give the government considerable insight into the top ways in which cyberattackers could cripple the United States. However, private companies would have to share data and network information with the government. In return, they could receive both classified and unclassified briefings from the government about potential cyberthreats.
What the Bill Doesn’t Cover
The bill leaves out three large points that could significantly increase cybersecurity. These include:
- Eliminating liability for companies that adopt NIST directives. Asking businesses to voluntarily invest in cybersecurity isn’t enough. If the government isn’t going to require compliance, then it should financially reward businesses for their efforts.
- Requiring businesses to disclose major data breaches and related information. When a business suffers a data breach, it often suffers a public relations setback. For this reason, businesses have too much incentive to not share information about their cybersecurity problems.
- Improving channels that allow businesses to share information about online threats. The bill helps critical infrastructure operators to share information with the government, but it does nothing to make information sharing between businesses any easier.
Conclusion
The Senate bill does address some critical cybersecurity issues; unfortunately, if the apocalyptic pronouncements about cybersecurity threats from Washington are true, then the bill doesn’t do enough to address this looming national security threat.
About the Author: Jeb Lewis is an IT security consultant for both public and private sector organizations. He has participated in numerous cybersecurity seminars and panel discussions in cities throughout the U.S.