Sifting through legislative literature can be arduous, and since we’ve already done the work, we wanted to share a quick summary of what the White House is proposing around cybersecurity and how it might affect you. Please note: we are not taking a stance, but rather just aiming to help inform.
In the most recent session of Congress, both parties together introduced 50 new bills related to cybersecurity. Taking that as an indication that a more cohesive plan and policy is needed, the President decided to draft a cybersecurity bill that addresses protecting the American people, America’s critical infrastructure, and Federal Government computers and networks.
From the White House:
“It has become clear that our Nation cannot fully defend against these threats unless certain parts of cybersecurity law are updated […] We have developed a pragmatic and focused cybersecurity legislative proposal for Congress to consider. This legislative proposal is the latest achievement in the steady stream of progress we are making in securing cyberspace and completes another near-term action item identified in the Cyberspace Policy Review.”
As for the “protecting the American people” part, the new Bill will standardize laws about notifying consumers in the event of a data breach. Today there are 47 different state laws in this area. It will also clarify laws around computer crimes. One of the key tools law enforcement uses today against organized crime is the Racketeer Influenced and Corrupt Organizations Act (RICO). But today RICO doesn’t apply to computer criminals. The Bill aims to change that, and it also sets mandatory minimums for cyber intrusions into critical infrastructure.
The “protecting America’s critical infrastructure” part is less clear. The new Bill will “enable” DHS to quickly help a private-sector company, state, or local government when that organization asks for its help. And it grants companies and governments immunity when sharing cybersecurity information with DHS and mandates “robust privacy oversight” to guarantee that the voluntarily shared information doesn’t hurt individual privacy and civil liberties. We look forward to understanding more in that area.
The Bill proposes a three-step process around protecting critical infrastructure like the electricity grid and financial sector:
1. Critical infrastructure operators would develop their own frameworks for addressing cyber threats.
2. Then, each critical-infrastructure operator would have a third-party auditor assess its cybersecurity risk mitigation plan.
3. A summary of the plan would be accessible, in order to facilitate transparency and to ensure that the plan is adequate.
According to the Bill, in the event the process fails to produce strong frameworks, DHS, working with the National Institute of Standards and Technology (NIST), could modify a framework. And DHS can also work with organizations to help them fix plans that are deemed insufficient by auditors.
As for “protecting Federal Government computers and networks,” the Bill will do a lot of different things. For one, it will formalize the responsibility of DHS to manage security for the Federal Government’s civilian computers. (Technically it’s DHS’s responsibility today, but it’s not a formal relationship.) This also includes overseeing intrusion prevention systems for all Federal Executive Branch civilian computers.
Not falling squarely into these three primary buckets but interesting nonetheless, the Bill will also prevent states from requiring that technology companies build datacenters in that state, allowing companies a bit more operational flexibility than they have today.
How does this affect you and your privacy directly? The Bill specifically states certain privacy and civil liberty measures:
– DHS would have to develop cybersecurity practices with help from and review by privacy and civil liberties experts and get them approved by the Attorney General.
– All monitoring, collection, use, retention and sharing of information is limited to protecting against cybersecurity threats.
– If a private-sector business, state, or local government wants to share information with DHS, it must first make reasonable efforts to remove identifying information unrelated to cybersecurity threats.