Over the past 12 months alone, high-profile cybersecurity attacks against Microsoft Exchange, Colonial Pipeline, Facebook, JBS Foods, T-Mobile, Kaseya, Log4j, Kronos and many more have driven the issue of national cybersecurity to the forefront of the media agenda. As a result, questions have been posed to policymakers about how the U.S. is addressing such threats to its economy and the security of its citizens.
The concern stretches across the aisle and has become a hot topic at both the federal and state levels. In 2021, 45 states and Puerto Rico introduced or considered 301 pieces of legislation dealing with cybersecurity. Of those 45 states, 35 enacted bills pertaining to cybersecurity, including the largest state cybersecurity appropriations bill in United States history in Texas, which set aside more than $800 million to address cybersecurity and legacy system risks outlined in the state’s 2020 Prioritized Cybersecurity and Legacy Systems. Read more about what is being done at the state level in our recent blog post.
But is it enough?
It’s no secret that cyber policy is behind the times. The pace of change in the wild has long since pulled away from the slow-moving legislative engine that is in place to govern it.
It seems that by the time a law gets passed, the issue at hand is already five additional steps ahead of the game, leaving policymakers, businesses and individuals struggling to keep up.
Advancing technology can be found in almost every industry from automotive to travel, e-commerce and education; the more we connect online, the higher the risk of a security breach.
That means that every industry must be vigilant in taking precautions to protect themselves and their customers to prevent breaches while also having well-rehearsed plans in place to address a breach when it occurs.
States must work together to create fluid policies that expand beyond borders.
For example, the United Nations Economic and Social Council Commission has laid out regulations for automotive cybersecurity related to software update management that go into mandatory effect in July 2024. Japan and Korea are also on board with these mandates on a separate timeline. Unfortunately, these new regulations do not apply to the United States.
So, what is the United States doing to combat cybersecurity threats? There are several pieces of federal legislation that could make a significant impact in the fight against cyber threats.
The For the People Act was widely touted in the media as expanding voter rights, but it also includes grants for voter system security improvements and sets forth standardized requirements for voting vendor companies that include provisions for cybersecurity reporting and requirements that the company must be owned and controlled by United States citizens or permanent residents.
The American Rescue Plan Act of 2021 set aside $1 billion for the Federal Technology Modernization Fund, which acts as a reserve of funds that government agencies can apply for as a loan to make technology upgrades.
The Invest in America Act was the largest federal bill for cybersecurity. Provisions included $600 million to improve cybersecurity for water, power and transportation. There is $1 billion for state, local and tribal governments to improve security practices. Additionally, funding for the newly created Office of the National Cyber Director was established at a rate of $20 million annually through 2028.
There are a few major takeaways from these federal acts; most glaringly, funding is being funneled heavily toward technology and not people. If we don’t have the people to be trained in and implement best practices, the technology cannot be used to its fullest potential.
According to the 2021 (ISC)² Cybersecurity Workforce Study, 67% of cybersecurity professionals report a shortage of professionals in their department. This represents a high level of risk and puts organizations in a vulnerable position when planning for and handling threats.
According to an article in The Washington Post, following one of the worst cyber breaches in the history of the United States government by Kremlin-backed hackers, Congress is looking to overhaul U.S. cybersecurity policies and regulations.
The Federal Information Security Management Act (FISMA), which initially dates to 2002, has not been updated in eight years, which highlights the lack of progress made by the government while the technology used in cyberattacks has grown exponentially.
“[FISMA] is the best defense our federal information networks and supply chains have against cyberattacks. But the reality is that it’s simply not enough to protect us in its current form,” House Oversight Chairwoman Carolyn B. Maloney (D-N.Y.) said during a hearing on the rules yesterday.
On February 4, the House of Representatives passed The America COMPETES Act (H.R.4521). This bill is a comprehensive package of science, commerce, trade, foreign policy, manufacturing, and education policy to improve American competitiveness. Representative Judy Chu of California, who sponsored the bill, released a statement that said, in part, “The America COMPETES Act will also make investments in the future, by creating a new Directorate for Science and Engineering Solutions to accelerate research and development at institutions like Caltech that address pressing issues like climate change, cybersecurity, and global competitiveness. And it modernizes our support for workers who have lost jobs due to trade while also improving our laws to ensure trade is more fair to the US, while continuing to protect the supply chain.”
As cybersecurity continues to be at the forefront of media agendas, it will likely continue to become a higher priority in Congress. This will hopefully lead to more robust and comprehensive legislation and funding for cyber protections and regulations.