
Tenable Blog


Cybersecurity Legislation Week 2015: The Aftermath

While virtually the entire security world was in San Francisco last week, our elected officials on the other coast held what they called Cyber Legislation Week. While it may not have been an official name, there was movement on several important pieces of legislation and some new legislation was even introduced. With the number of new cyber bills being introduced, it’s almost as if Congress wants to pass something—anything—relating to information security before the end of this session.

The National Cybersecurity Protection Advancement Act

The big event last week was the passage in the House of The National Cybersecurity Protection Advancement Act. Its passage did not come without criticism though, as a letter signed by over sixty security professionals opposing the act has been making the rounds on the Hill. Most of our elected representatives in the House decided to ignore the opposing viewpoints of security professionals, and passed the bill with a comfortable margin of 355-63. The House also overwhelmingly passed the Protecting Cyber Networks Act 307-116. Both bills focus on information sharing; the first came out of the Homeland Security subcommittee, and the second came out of the House Intelligence Committee. Questions on both bills surround the privacy of individuals’ data that might be shared, and reduced liability for companies that may inadvertently share private information. Lawmakers will work to combine both bills before sending them on to the Senate.

Cybersecurity Information Sharing Act

The Senate is working on the Cybersecurity Information Sharing Act (CISA). This is the bill that seems to be getting the most attention. The Senate had hoped to pass CISA before the end of April. It seems that NSA reform has gotten in the way, temporarily stalling CISA’s forward progress as staffers are now hoping it will reach the Senate floor by mid-May. This is the third Congress in which the House has passed major cyber legislation and passed it on to the Senate. Will the Senate act on its third try or will they strike out?


Data breach notification

There are several data breach notification bills winding their way through both houses of Congress. The latest bill was introduced by Senators Tom Carper (D-Del.) and Roy Blunt (R-Mo.) and is called simply the Data Security Act. This is the Senate’s second major bill on the topic. Sen. Mark Warner (D-Va.) has been circulating a draft breach notification bill of his own and plans to introduce it soon. Warner hopes his bill will have the backing of the retail industry. In addition to the Senate bills, the House also has two similar bills covering data breach notification but they are not seeing widespread support. Some lawmakers fear that one of these data breach notification bills will get tacked on as an amendment to one of the more broadly supported cybersecurity bills. A national data breach notification bill is definitely needed, because the burden for companies attempting to stay in compliance with the states’ 47 different laws is quite high. However, if a national law supersedes a state law, consumers may actually end up with a lower level of protection.

Computer Fraud and Abuse Act

Sen. Lindsey Graham, chair of the Senate Judiciary crime subcommittee, said that he and Sen. Sheldon Whitehouse are working on a possible rewrite of the controversial Computer Fraud and Abuse Act (CFAA). The CFAA is the most widely used—and some say the most widely abused—cyber law on the books. The big problem is that the CFAA was passed almost 30 years ago and, besides being woefully out of date by today’s standards, it is considered by many to be overbroad and vague. CFAA reform has been attempted before, most recently after the prosecution and subsequent suicide of Aaron Swartz, with the introduction of Aaron’s Law. Unfortunately, Aaron’s Law never made it to the floor for a vote and died in committee. There is no timeline on this current effort yet, but there will likely be something introduced soon.

Encryption

It seems like the crypto wars are back, at least for one (hopefully) final skirmish. The FBI has been pushing for some sort of legalized back door, front door or key escrow, claiming that current encryption technologies are a hindrance to law enforcement and are putting the public at risk. The White House has also weighed in, saying that such weakening of encryption would unquestionably introduce greater levels of security risk into encrypted IT systems. The FBI has been adamant about wanting major technology companies to develop encryption technology that only the FBI can get into. On Wednesday, April 29th, the House Oversight Committee's IT subcommittee held a hearing on encryption technology; witnesses included several people with law enforcement backgrounds, but only one cryptography expert.

This is only the beginning


Following the mega breaches of Target, Home Depot, Anthem and Sony in addition to the President’s executive orders, things are quite busy in DC right now. There appears to be a great urgency around all things cyber at the moment. We will have to wait and see what, if anything, comes of all these different initiatives. Hopefully, our lawmakers will listen to the experts who have been in this industry for a long time and pass balanced and measured legislation and not just vote into law the first thing that crosses their desks. Stay tuned.

For more information, see my previous blog about Cybersecurity Legislation Week 2015.
