Inventorying Cyber-Assaults in U.S.
Legislation Seeks Better Disclosure of Attack Information
Do you know how many government agencies or, for that matter, critical infrastructure operations have been attacked online? Neither does Congress. But some senators have introduced legislation to find out.
The Cybersecurity Public Awareness Act of 2013, S. 1638, would require national security and federal law enforcement agencies to report to Congress on attacks on federal networks, investigations of cybercrime and impediments to public awareness of common cybersecurity threats.
The bill also includes provisions that would boost awareness of threats against federal agencies, the military, the nation's critical infrastructure and publicly traded companies.
"This legislation will allow us to better arm ourselves with the basic knowledge needed to protect our nation's vital assets and our privacy," says Sen. Sheldon Whitehouse, D-R.I., the bill's chief sponsor.
S. 1638 would require the departments of Homeland Security and Defense to submit to Congress unclassified summaries of major cyber-incidents against executive agencies and the military. The reports from DHS and DoD also would furnish aggregate data on the number of breaches on executive branch and military networks, the amount of data stolen and the costs to remedy the breaches.
Smart, Market-Based Approach
Jacob Olcott, cybersecurity principal at the security advisory firm Good Harbor Consulting, says one of the biggest challenges stymying those seeking to improve cybersecurity is identifying public data on vulnerabilities.
"Whether you're an investor, an insurance company, or a member of Congress, you want to gain greater visibility into what's happening on the network so you can act accordingly," says Olcott, a former counsel to the Senate Commerce, Science and Transportation Committee. "Sen. Whitehouse likely designed this bill to help create the conditions for greater information disclosure. It's a smart, market-based approach to the problem."
The legislation also would require:
- The Securities and Exchange Commission to assess cyber-risks and cyber-incidents reported in financial statements public companies file with the SEC;
- Federal regulators to describe the state of cyber vulnerabilities threatening critical infrastructure sectors they regulate;
- The attorney general and FBI director to describe federal investigations and prosecutions relating to cyber-intrusions, network compromises or other forms of illegal hacking;
- DHS to work with federally funded research and development agencies to report on opportunities to develop new ways to enhance critical infrastructure cybersecurity without infringing on privacy rights.
Step Toward Understanding the Problem
Congress in recent years has failed to enact significant cybersecurity legislation (see Cybersecurity Legislation: What's Next?), a point made by Sen. Lindsey Graham, the South Carolina Republican who's one of the bill's cosponsors. "So far Congress has failed to forge a workable cybersecurity framework to protect the United States against a fast-growing national security and economic threat," he says. "This bill is a great step toward understanding this problem so that Congress can adequately and appropriately address it."
The bill, introduced Oct. 31, was assigned to the Senate Homeland Security and Governmental Affairs Committee.