image

Cyber Attacks and the Rapidly Developing US Regulatory Response

By now just about everyone is aware that bad actors are out there attacking US businesses, schools, and infrastructure anonymously over the internet. Few attacks have captured public attention like the recent wave of ransomware attacks; prominently among those the Colonial Pipeline ransom. This attack dominated media headlines, disrupted air travel, caused fuel shortages and price spikes on gasoline, and even caused some to hoard gas in their homes. While the Colonial Pipeline attack was far from being the only one to produce this level of harm, it appears to have been the catalyst needed to drive US Cyber regulation forward.

The Federal Motor Carrier Safety Administration (FMCSA) quickly declared a state of emergency on May 9th, 2021, to address the immediate crisis created by the pipeline attack. By May 12th President Biden issued an Executive Order on Improving the Nation’s Cybersecurity. CNN quickly began reporting that US lawmakers are preparing a bipartisan bill providing liability protections to both private and public entities that alert the government within 24 hours of a cybersecurity breach. From attack to action, these events are moving at light speed on Capitol Hill.

At the Federal level lawmakers have faced challenges in regulating technology in general. Issues like legally defining nebulous terms, regulators’ and lawmakers’ inability to keep up with emerging technologies, and attempting to regulate without driving away investors and entrepreneurs have thus far mostly kept Federal cybersecurity input for the public sector at the recommendation level, with industry specific covered entities. Those being the HIPAA Security Rule, the Gramm-Leach-Bliley Act (GLBA), Sarbanes-Oxley Act (SOX), and a few others mostly in the Finance and Telecom industries. Thus far lawmakers have opted to focus on growing cybersecurity practices within the Federal Government, Federal and DoD contractors, and provide guidance for Critical Infrastructure and the Public Sector. Now we’re seeing a shift away from this relatively light touch approach.

The new rumored bipartisan bill on breach reporting favors the metaphorical carrot. As noted in the CNN report, “The bill includes liability protections for companies that submit breach notification reports, which cybersecurity experts have said is critical to ensuring that businesses are not afraid to come forward to disclose breaches and to help US officials bolster the nation's cybersecurity.” This style of protection from liability is known as breach litigation ‘safe harbor’ and has already been used to incentivize the adoption of a cybersecurity framework in order to improve security for businesses and consumers in Ohio, Utah, and Connecticut. These types of regulation incentivize maturing cybersecurity practices rather than require oversight or fines and fees for noncompliance. With President Biden’s latest order on Cybersecurity, that may not continue to remain true.

One hotly debated item in the order is the establishment of a Cyber Safety Review Board (CSRB) which will be “modeled after the National Transportation Safety Board, which is used after airplane crashes and other incidents.” The specific text states that the board shall, “review and assess, with respect to significant cyber incidents… affecting FCEB Information Systems, or non-Federal systems, threat activity, vulnerabilities, mitigation activities, and agency responses.” A congressional aide told ZDNet, “…some on Capitol Hill have questioned how the board could work like the National Transportation Safety Board, which has broad authority to investigate transportation incidents and can issue subpoenas… With the NTSB, they just show up with their badge and the entity has to produce anything the investigator wants. They don't always need a subpoena or the court system to get what they want.” It remains to be seen which incidents the CSRB will review and what the potential outcomes of these reviews might be. Chief among these concerns is whether or not they, like the NSTB, can assess civil penalties as a result of their findings.

Cybersecurity risks have seen continuous growth in terms of both likelihood and impact since computers and the internet were invented. Until somewhat recently, implementing controls and mitigations to those risks has been largely voluntary. All organizations, whether they’ve been paying attention to those risks or not, should now also consider the quickly evolving regulatory environment. The reality is that, in the event of a cybersecurity incident, their organization may very well be investigated by the Federal Government on top of the other harmful impacts of the incident.

Right now there is an avalanche of Cybersecurity bills being introduced and making their way through Congress. Many of these are targeted improving cybersecurity for state and local levels of government, small businesses, and schools. Others seek to bolster federal agencies capabilities in combatting cyber threats by supporting the Cybersecurity and Infrastructure Security Agency (CISA), further enabling the Department of Homeland Security, and even creating a U.S. Cybersecurity Reserve force. Whether or not these bills become law and how they are implemented and managed remains to be seen, but the message is clear. Cybersecurity must be a focus at all levels and for all organizations.