Pressure Grows for Federal Data Breach Legislation

Even as cybersecurity grows in importance as a national priority, individual states continue to push ahead with their own data breach legislation, making for an increasingly complicated compliance landscape for cybersecurity managers.

Cybersecurity is a major priority for U.S. President Joe Biden. It was at the top of the agenda at last week's summit with Russian President Vladimir Putin and the subject of an executive order Biden issued last month.

The legislative branch is also eager to get in on the action.

U.S. Senator Kirsten Gillibrand (D-N.Y.) has proposed a piece of legislation that would create a Data Protection Agency that would have the power to penalize high-risk data practices.

"The U.S. needs a new approach to privacy and data protection," she said in a statement last week.

Meanwhile, a bipartisan group of senators introduced the International Cybercrime Prevention Act last week to put more tools in the hands of law enforcement, including the right to shut down botnets and other digital infrastructure used for illegal activity.

And yet another bipartisan group is circulating a draft of a federal breach notification bill that would require companies to report breaches or potential breaches to the Cybersecurity and Infrastructure Security Agency within 24 hours of confirmation of the intrusion, with hefty financial penalties for those that don't comply.

"In order to deter these intrusions, we will need to accurately attribute them and hold our adversaries accountable," Senator Mark Warner (D-Va.), one of the bill's backers, told the Senate intelligence committee in April.

Some experts have doubts that the federal government will be able to pass meaningful data breach legislation.

After all, for years there have been attempts to do so that have not panned out.

"I’m not holding my breath for any long-term legislation," said Peter Klimek, director of technology at cybersecurity vendor Imperva.

"But some of the incremental improvements they’re making will have a meaningful impact on the problem, like the Justice Department creating the task force," he told DCK.

That's the Ransomware and Digital Extortion Task Force, formed in April, which includes participants from the Justice Department's National Security Division, Criminal Division, Civil Division, Executive Office of US Attorneys and the FBI.

The proposed federal breach notification bill would create a centralized system for collecting breach reports in order to investigate them and prevent future breaches, while providing companies with some immunity for the disclosure, said Ilia Kolochenko, CEO at ImmuniWeb, a cybersecurity company.

This is a good idea, he told DCK, but would require a 10-fold increase in the Cybersecurity and Infrastructure Security Agency's budget. "Otherwise, valuable threat intelligence information will just gather dust."

It's also unclear to what degree the legislation would supersede the existing state-level breach notification laws.

State Action

All 50 states have had breach notification laws in place for years.

And states continue to strengthen their laws.

California's Privacy Rights Act, approved by voters last fall, is now the most stringent in terms of privacy protections for consumers and data security requirements for enterprises. It goes into effect in 2023.

Connecticut, which has had data privacy legislation in place for over a decade, passed a more stringent version of the law earlier this month, broadening the definition of personal information and shortening the notification window from 90 to 60 days.

In fact, according to the National Conference of State Legislatures, more than 20 states are working on strengthening cybersecurity laws this year by shortening the notification windows, expanding the definition of personal information and other measures.

"There's a lot of legislative changes coming in around privacy," said John Carey, managing director in the technology practice at AArete, a management consulting firm.

Plus, there's also legislation focusing on particular industry sectors. There are already national laws in place to protect health care and financial information, for example.

Impact on Data Center Cybersecurity Managers

For cybersecurity managers, all these laws create a compliance minefield. Sensitive data requires additional protections, for example.

And the proposed legislation could create even more headaches. For example, if authorities gain the power to shut down botnets, data centers that have been unwittingly used by criminals who have hijacked their servers will be at risk of being shut down.

Michael J. Del Giudice, leader of the cyber practice at Crowe LLP, recommends that cybersecurity managers shoot for the highest common denominator and base their policies and procedures on the most stringent elements of the laws, rather than having different policies in place for users from different states.

"Focus on achieving that as the baseline for your controls," he told DCK. "You can't keep up with all the changes in 50 states, plus federal, plus [Europe's] GDPR, Canada; it all gets very complex."

Having different rules for different users would add unnecessary complexity and would require the cybersecurity teams to make constant changes as those rules themselves change.

Del Giudice recommends starting with the NIST Cybersecurity Framework, if a data center isn't already using it.

One thing that's clear is that it's no longer feasible for cybersecurity managers to take a reactive, piecemeal approach to compliance and security investments; to hope they get lucky and not get targeted; to count on cybersecurity insurance to bail them out; or to count on being able to pay the fines and be quickly forgiven by a public that's become inured to all the new reports.

According to a report released by Canalys earlier this year, 2020 was a record-breaking year for data breaches, with 101 billion records compromised.

The average cost of a breach? More than $3.8 million, according to IBM's 2020 Cost of a Data Breach Report. But that's global data; in the U.S., the average cost was $8.6 million.

Small and medium-size companies may go out of business altogether. According to a 2019 National Cyber Security Alliance survey, 69% of small businesses hit by a cyberattack were offline for a limited time, 37% suffered a financial loss, 25% filed for bankruptcy, and 10% went out of business.

A better approach is to look at the underlying spirit of the laws. Legislators across the United States – and around the world – are looking to strengthen protections on personal data and protect critical infrastructure and services.

A cybersecurity strategy that focuses on the fundamentals and on what the laws are aiming to achieve, instead of where they are today, is not only more likely to be effective, but better able to position the company for new laws as they come down.