Articles

Infrastructure bill includes $1.9 billion for cybersecurity

The newly passed infrastructure bill includes $1.9 billion for cybersecurity, and more could be on the way with the Build Back Better and other bills working their way through Congress.

On Friday, Congress passed one of President Biden’s signature pieces of legislation, the $1 trillion Infrastructure Investment and Jobs Act. This landmark bill promises not only massive upgrades to the nation’s aging infrastructure but also boosts government cybersecurity spending by $1.9 billion.

Among its provisions is a new $1 billion grant program to help state, local, tribal and territorial governments protect themselves from malicious actors and modernize systems to protect sensitive data, information, and public critical infrastructure. The Federal Emergency Management Agency (FEMA), which runs the Department of Homeland Security’s (DHS’s) existing grant programs, will provide the funds over four years starting in fiscal year 2022, with the Cybersecurity and Infrastructure Security Agency (CISA) serving as a subject matter expert.

The bill also incorporates the Cyber Response and Recovery Act of 2021, which authorizes $100 million over five years to help the government quickly respond to cybersecurity intrusions. Another notable provision is $21 million in funding for the newly created office of the National Cyber Director (NCD) to hire qualified personnel to support its essential cybersecurity mission. The bill further requires the Environmental Protection Agency (EPA) and CISA to identify public water systems that, if degraded or rendered inoperable due to a cyber-attack, would lead to significant impacts on the health and safety of the public.

This article appeared in CSO Online. To read the rest of the article please visit here.

Articles

18 new cybersecurity bills introduced as US congressional interest…

The new bills, many with bi-partisan support, aim to increase cybersecurity funding, improve breach reporting, investigate cryptocurrencies, and more.

The series of alarming cybersecurity incidents that spurred the Biden Administration to take swift action during its first six months has also prompted the US Congress to introduce new cybersecurity bills. In the little more than two months since CSO reported on what was then a busy Congressional cybersecurity agenda, lawmakers have introduced at least 18 additional bills to shore up and expand the nation’s cybersecurity capabilities.

In a sign that cybersecurity is becoming an increasingly high legislative priority, the pace of Congress’ interest in a range of digital security matters seems to be accelerating. Last week alone, the House Committee on Energy and Commerce voted to advance six bills that primarily deal with digital security and two other bills that contain significant cybersecurity provisions.

This article appeared in CSO Online. To read the rest of the article please visit here.

Articles

Proposed bill would create a new federal agency to…

The Data Protection Act of 2021 has wide-ranging definitions of high-risk data practices and privacy harm.

In mid-June, Senator Kirsten Gillibrand (D-NY) reintroduced a new version of her bill, the Data Protection Act of 2021, that would create a new independent, executive-level government agency, the Data Protection Agency (DPA). The DPA would “protect Americans’ data, safeguard their privacy, and ensure data practices are fair and transparent.”

Under the bill, the DPA would have the authority and resources to enforce any data protection rules created by Congress or the agency itself, backed by a range of enforcement tools, including civil penalties, injunctive relief, and equitable remedies. In addition to creating privacy rules and enforcing federal-level rules, the DPA would reach out to organizations to promote data protection and encourage the adoption of model privacy and data protection standards, guidelines and policies.

The new bill, which features substantial changes to Gillibrand’s original 2020 legislation, spells out DPA’s three core missions:

  1. Authorize DPA to create and enforce data protection rules to give Americans more control and protection over their data by regulating high-risk data practices and personal data collection.
  2. Foster innovation by ensuring fair competition within the digital marketplace by having DPA’s research unit analyze and report on data protection and privacy innovation across sectors. The research unit would also develop the model privacy and data protection templates.
  3. Prepare the American government for the digital age by advising Congress on emerging privacy and tech issues while coordinating with Federal agencies and State regulators to promote consistent regulatory treatment of personal data.

This article appeared in CSO Online. To read the rest of the article please visit here.

 

Articles

US Congress tees up ambitious cybersecurity agenda in the…

Roughly 115 cybersecurity-related bills are working their way through the legislative process, in many cases with bipartisan support.

The Biden Administration has been thrown into a thicket of cybersecurity troubles in its first six months, forcing the White House to issue complex cybersecurity executive orders, directives and policy changes in rapid succession. Congress, meanwhile, is teeing up an ambitious cybersecurity agenda of its own, sparking hopes that the recent spate of cybersecurity crises might break through the partisan logjam that has increasingly blocked meaningful legislative action.

Last week, Senate Majority Leader Chuck Schumer (D-NY) initiated a review of recent high-profile ransomware attacks in the run-up to new legislation. Then, Chairman Gary Peters (D-MI) and Rob Portman (R-OH), chair and ranking member of the Senate Homeland Security Committee, sent a letter to national security adviser Jake Sullivan and Shalanda Young, the acting director of the Office of Management and Budget, asking the two officials to spell out within 30 days the legal authorities they think federal agencies need to combat ransomware attacks. Their responses could serve as the basis for new legislation to rein in ransomware.

This article appeared in CSO Online. To read the rest of the article please visit here.

 

Advanced Persistent Threat

SolarWinds hack is quickly reshaping Congress’s cybersecurity agenda

More cybersecurity funding for states and Capitol, new breach reporting rules, and ransomware-related bills will likely be on the agenda for the 117th Congress.

The federal government and private sector are still reeling from the SolarWinds supply chain hack, and Congress is on edge as it begins a new term beset by fears of domestic terrorism. It would seem all bets are off in terms of the previous legislative agenda for cybersecurity, at least in the near-term. The relevant committees in the new 117th Congress have yet to weigh in on specific pieces of legislation, but it’s clear that cybersecurity will be a big focus across both the House and Senate.

First, in the wake of the discovery of the SolarWinds breach, the incoming Biden administration committed to making cybersecurity a top priority. Late last week, the Biden team made good on that promise when announcing its Rescue Plan that calls for around $10 billion in cybersecurity spending, including $690 million for CISA to improve security monitoring and incident response at the agency.

One of the legislators leading the fight for cybersecurity legislative initiatives in Congress, Representative Jim Langevin (D-RI), applauded Biden’s push for more cybersecurity spending. “I’m also grateful to see the president-elect pushing for important investments in cybersecurity in the wake of the SolarWinds hack, which has placed a spotlight on the need to act now to protect Americans and our interests in cyberspace,” he said in a statement lauding the overall rescue package.

This article appeared in CSO Online. To read the rest of the article please visit here.

 

Articles

Many Cyberspace Solarium Commission recommendations expected to become federal…

Dozens of cybersecurity measures designed to protect US businesses and infrastructure are part of the National Defense Authorization Act. Budget, political concerns might eliminate some.

Several cybersecurity proposals are advancing in both the US House and Senate that flow from the prolific work of the public-private brainstorming initiative called the Cyberspace Solarium Commission. The Commission was formed in 2019 to break through the seemingly intractable barriers blocking the path to devising and implementing practical solutions to the most challenging cybersecurity problems.

The vehicle through which the commission hopes to enact several dozen of its legislative recommendations (out of 75 recommendations included in its inaugural report this past spring) is the National Defense Authorization Act (NDAA), an annual “must-pass” federal law that sets the budget and expenditures for the US military. The commission’s executive director Mark Montgomery estimated earlier this month that each chamber’s bills would feature eight to 20 of the commission’s recommendations.

This article appeared in CSO Online. To read the rest of the article please visit here.

Articles

Bipartisan bill could bring back the White House national…

Cyberspace Solarium Commission leaders introduce the National Cyber Director Act to reintroduce cybersecurity expertise into the White House.

Last week a bipartisan group of US House of Representatives legislators introduced the National Cyber Director Act to create the position of a national cyber director within the White House. The creation of this role is one of the chief recommendations of an increasingly influential intergovernmental group known as the Cyberspace Solarium Commission.

The commission issued its report (the product of months-long deliberations by four members from Congress, four senior executive agency leaders and six experts from outside of government) just as the coronavirus pandemic quarantine kicked in during March. Nevertheless, the commission’s 80 recommendations, such as creating a national cyber director, are quickly being translated into actionable legislation on Capitol Hill.

Two of the commission’s leaders, Cyberspace Solarium Chair Congressman Jim Langevin (D-RI) and Solarium Co-Chair Congressman Mike Gallagher (R-WI), introduced the bill. Other legislators backing the bill include House Oversight and Reform Committee Chairwoman Carolyn Maloney (D-NY), Ranking Member of the Committee on Homeland Security’s Subcommittee on Cybersecurity, Infrastructure and Innovation John Katko (R-NY), former Ranking Member of the House Intelligence Committee C. A. Dutch Ruppersberger (D-MD), and Ranking Member of the House Intelligence Committee’s Subcommittee on Intelligence Modernization and Readiness Will Hurd (R-TX).

This article appeared in CSO Online. To read the rest of the article please visit here.

Articles

New Republican bill latest in long line to force…

Here we go again. Senate Republicans push a new bill to mandate “lawful access” to encrypted devices and data. It won’t end until law enforcement has better cyber forensics capabilities.

In what seems like Groundhog Day when it comes to encrypted communications, a group of Republican senators last week introduced the Lawful Access to Encrypted Data Act, which aims to end the use of so-called “warrant-proof” encrypted technology by terrorists and criminals. Senate Judiciary Committee Chairman Lindsey Graham (R-SC), Tom Cotton (R-AR) and Marsha Blackburn (R-TN) introduced this latest measure to find a way for law enforcement to gain access to devices and data that are protected by unbreakable encryption methods.

“The Lawful Access to Encrypted Data Act is a balanced solution that keeps in mind the constitutional rights afforded to all Americans while providing law enforcement the tools needed to protect the public from everyday violent crime and threats to our national security,” the Senators said in a statement.

Although the bill’s proponents don’t say so explicitly, the “lawful access” it seeks to establish mirrors a long string of potentially damaging efforts by the federal government to install backdoors into encrypted communications, according to critics. Virtually all cybersecurity and cryptography experts insist that any break in the encryption chain will break security and protection altogether, leaving criminals and adversarial nation-states with even more power to hack into users’ devices and communications for nefarious purposes.

This article appeared in CSO Online. To read the rest of the article please visit here.

Articles

Congress steers clear of industrial control systems cybersecurity

Industry resistance to regulation, complexity of securing ICS systems are roadblocks to passage of critical infrastructure cybersecurity legislation.

Rule number one about legislation affecting the cybersecurity of industrial control systems (ICS) is that no one talks about legislation affecting the cybersecurity of ICS. At least it seems that way based on a number of attempts to get industry stakeholders to talk on the record about the prospects in the 116th Congress for any legislation that affects critical infrastructure, specifically as it relates to industrial control systems.

Although a number of cybersecurity-related bills have been introduced in the new Congress, only a handful of relatively non-controversial pieces of legislation, most reintroduced from the last Congress, deal primarily with critical infrastructure industrial control systems, a surprise given the stepped-up concerns over threats to the nation’s electric grids, gas and oil pipelines, transportation systems and dams and the rise of industrial supply chain issues that have grabbed headlines over the past few years.

This article appeared in CSO Online. To read the rest of the article please visit here.

Articles

The cybersecurity legislation agenda: 5 areas to watch

The 116th Congress is only a few months old, but far-reaching cybersecurity bills to protect infrastructure and the supply chain, ensure election integrity, and build a security workforce are now being considered. Here’s the list.

New digital threats that could topple business, government, military and political institutions are moving cybersecurity to the top of the congressional agenda. The newly seated 116th Congress has so far seen 30 bills introduced in the House of Representatives and seven bills introduced in the Senate that directly deal with cybersecurity issues. That does not include other pieces of legislation that have at least some provisions that deal with information and digital security.

A key problem in grappling with such a complex issue as cybersecurity in Congress — and in Washington in general — is the diffused responsibility spawned by the wide-ranging, interconnected nature of the topic. Representative Jim Langevin (D-RI), a member of the Armed Services and Homeland Security Committees, and one of the founders of the Congressional Cybersecurity Caucus, flagged this stumbling block at the 2019 State of the Net conference in January by calling for consolidation in Congress over cybersecurity.

Noting that around 80 groups within the legislative branch claim some jurisdiction over cybersecurity matters, Langevin said, “We as a Congress are going to have to move with greater agility to respond to the cybersecurity threats we face going forward, and we can’t do it under the current construct.” Langevin wants the House Homeland Security issue to take the lead on all matters related to cybersecurity.

This article appeared in CSO Online. To read the rest of the article please visit here.