Cybersecurity Legislation Week 2015: The Aftermath

While virtually the entire security world was in San Francisco last week, our elected officials on the other coast held what they called Cyber Legislation Week. While it may not have been an official name, there was movement on several important pieces of legislation and some new legislation was even introduced. With the number of new cyber bills being introduced, it’s almost as if Congress wants to pass something—anything—relating to information security before the end of this session.

The National Cybersecurity Protection Advancement Act

The big event last week was the passage in the House of The National Cybersecurity Protection Advancement Act. Its passage did not come without criticism though, as a letter signed by over sixty security professionals opposing the act has been making the rounds on the Hill. Most of our elected representatives in the House decided to ignore the opposing viewpoints of security professionals, and passed the bill with a comfortable margin of 355-63. The House also overwhelmingly passed the Protecting Cyber Networks Act 307-116. Both bills focus on information sharing; the first came out of the Homeland Security subcommittee, and the second came out of the House Intelligence Committee. Questions about both bills center on the privacy of individuals’ data that might be shared, and on the reduced liability for companies that inadvertently share private information. Lawmakers will work to combine both bills before sending them on to the Senate.

Cybersecurity Information Sharing Act

The Senate is working on the Cybersecurity Information Sharing Act (CISA). This is the bill that seems to be getting the most attention. The Senate had hoped to pass CISA before the end of April. It seems that NSA reform has gotten in the way, temporarily stalling CISA’s forward progress as staffers are now hoping it will reach the Senate floor by mid-May. This is the third Congress in which the House has passed major cyber legislation and passed it on to the Senate. Will the Senate act on its third try or will they strike out?

Data breach notification

There are several data breach notification bills winding their way through both houses of Congress. The latest bill was introduced by Senators Tom Carper (D-Del.) and Roy Blunt (R-Mo.) and is called simply the Data Security Act. This is the Senate’s second major bill on the topic. Sen. Mark Warner (D-Va.) has been circulating a draft breach notification bill of his own and plans to introduce it soon. Warner hopes his bill will have the backing of the retail industry. In addition to the Senate bills, the House also has two similar bills covering data breach notification but they are not seeing widespread support. Some lawmakers fear that one of these data breach notification bills will get tacked on as an amendment to one of the more broadly supported cybersecurity bills. A national data breach notification bill is definitely needed, because the burden for companies attempting to stay in compliance with the states’ 47 different laws is quite high. However, if a national law supersedes a state law, consumers may actually end up with a lower level of protection.

Computer Fraud and Abuse Act

Sen. Lindsey Graham, chair of the Senate Judiciary crime subcommittee, said that he and Sen. Sheldon Whitehouse are working on a possible rewrite of the controversial Computer Fraud and Abuse Act (CFAA). The CFAA is the most widely used—and some say the most widely abused—cyber law on the books. The big problem is that the CFAA was passed almost 30 years ago and, besides being woefully out of date by today’s standards, it is considered by many to be overbroad and vague. CFAA reform has been attempted before, most recently after the prosecution and subsequent suicide of Aaron Swartz, with the introduction of Aaron’s Law. Unfortunately, Aaron’s Law never made it to the floor for a vote and died in committee. There is no timeline on this current effort yet, but something will likely be introduced soon.

Encryption

It seems like the crypto wars are back, or at least for one (hopefully) final skirmish. The FBI has been pushing for some sort of legalized back door, front door or key escrow, claiming that current encryption technologies are a hindrance to law enforcement and are putting the public at risk. The White House has also weighed in, saying that such weakening of encryption would unquestionably introduce greater levels of security risk into encrypted IT systems. The FBI has been adamant about wanting major technology companies to develop encryption technology that only the FBI can get into. On Wednesday, April 29, the House Oversight Committee’s IT subcommittee held a hearing on encryption technology; witnesses included several people with law enforcement backgrounds, but only one cryptography expert.

This is only the beginning

Following the mega breaches of Target, Home Depot, Anthem and Sony in addition to the President’s executive orders, things are quite busy in DC right now. There appears to be a great urgency around all things cyber at the moment. We will have to wait and see what, if anything, comes of all these different initiatives. Hopefully, our lawmakers will listen to the experts who have been in this industry for a long time and pass balanced and measured legislation and not just vote into law the first thing that crosses their desks. Stay tuned.

For more information, see my previous blog about Cybersecurity Legislation Week 2015.