The series of alarming cybersecurity incidents that spurred the Biden Administration to take swift action during its first six months has also prompted the US Congress to introduce new cybersecurity bills. In the little more than two months since CSO reported on what was then a busy Congressional cybersecurity agenda, lawmakers have introduced at least 18 additional bills to shore up and expand the nation’s cybersecurity capabilities.
In a sign that cybersecurity is becoming a higher legislative priority, Congress’ interest in a range of digital security matters seems to be accelerating. Last week alone, the House Committee on Energy and Commerce voted to advance six bills that primarily deal with digital security and two other bills that contain significant cybersecurity provisions.
Data breach notification bill emerges
Last week Senator Mark R. Warner (D-VA), chairman of the Senate Select Committee on Intelligence, along with Senator Marco Rubio (R-FL), vice chairman of the Committee, and Senator Susan Collins (R-ME), a senior member of the Committee, also introduced the Cyber Incident Notification Act of 2021. This bill would “require federal government agencies, federal contractors, and critical infrastructure operators to notify the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) when a breach is detected so that the US government can mobilize to protect critical industries across the country.”
The bill further grants legal immunity to organizations that come forward with breach reports. In addition, it asks CISA to “implement data protection procedures to anonymize personally identifiable information and safeguard privacy.”
The legislation addresses what many cybersecurity professionals say is a woeful lack of metrics about how many and what kind of cybersecurity incidents take place. Outside of a handful of critical infrastructure sectors, no consistent data breach reporting mandates exist, making it difficult for the government to use its resources to fend off attacks while they are occurring or to gather lessons learned after they’ve occurred.
“We shouldn’t be relying on voluntary reporting to protect our critical infrastructure,” Warner said in announcing the cyber incident bill. “We need a routine federal standard so that when vital sectors of our economy are affected by a breach, the full resources of the federal government can be mobilized to respond to and stave off its impact.”
Cybersecurity funding boosts appear in authorization bills
Last week also saw the Senate Armed Services Committee pass its version of the 2022 defense authorization bill, which calls for hefty cybersecurity budget increases and requirements for the defense sector. Among the increases are $268.4 million more for the Defense Department’s cybersecurity budget.
The authorization also assigns to the head of Cyber Command the “responsibility for directly controlling and managing the planning, programming, budgeting, and execution of the resources to maintain the Cyber Mission Forces.” Moreover, the bill asks the Department of Defense to assess what it needs to defend itself against cyberattacks as well as conduct a pilot study to examine the “viability of teaming with internet ecosystem companies to discover and disrupt the use of their platforms, systems, services, and infrastructure by malicious cyber actors.”
The proposed increases in cybersecurity funds for the Pentagon follow the draft fiscal year 2022 Homeland Security funding bill released on June 29 by the House Appropriations Committee. That bill calls for a 16%, or $397.4 million, increase in CISA’s budget above the fiscal year and $288.7 million above the requested amount.
Probe launched into cryptocurrency’s role in ransomware
Finally, last week Senator Gary Peters (D-RI), Chairman of the Homeland Security and Governmental Affairs Committee, announced he is launching an “investigation into the role cryptocurrencies continue to play in emboldening and incentivizing cybercriminals to commit ransomware attacks that pose an increasing threat to United States national security.” Peters’ investigation would also look at “how federal regulators and lawmakers can work to disrupt the incentive to commit crimes in exchange for cryptocurrencies.”
16 additional bills cover a gamut of cybersecurity issues
In addition to Warner’s breach notification bill and a bill reintroduced by Senator Kirsten Gillibrand (D-NY), the Data Protection Act of 2021, which would create a new federal agency to protect Americans’ data, lawmakers have introduced at least 16 other new cybersecurity bills since the end of May. These bills range from vehicles seeking to improve cybersecurity literacy to possible regulatory requirements affecting the nation’s communications infrastructure:
- H.R.3919, Secure Equipment Act of 2021. Sponsored by Rep. Steve Scalise (R-LA). This bill requires the Federal Communications Commission (FCC) to establish rules stating that it will no longer review or approve any authorization application for equipment on the covered communications equipment or services list. (Listed communications equipment or services are those that the FCC determines to pose an unacceptable risk to national security or the security and safety of US persons.)
- H.R.2685, Understanding Cybersecurity of Mobile Networks Act. Sponsored by Rep. Anna G. Eshoo (D-CA). The bill requires the National Telecommunications and Information Administration (NTIA) to examine and report on the cybersecurity of mobile service networks and the vulnerability of these networks and mobile devices to cyberattacks and surveillance conducted by adversaries.
- H.R.2931, Enhancing Grid Security Through Public-Private Partnerships Act. Sponsored by Rep. Jerry McNerney (D-CA). This bill directs the Department of Energy (DOE) to implement a program to facilitate and encourage public-private partnerships to address and mitigate the physical security and cybersecurity risks of electric utilities. (The Senate received this bill on July 20.)
- H.R.4028, Information and Communication Technology Strategy Act. Sponsored by Rep. Billy Long (R-MO). The bill requires the Secretary of Commerce to report on and develop a whole-of-government strategy concerning the information and communication technology supply chain’s economic competitiveness and other purposes.
- H.R.4046, NTIA Policy and Cybersecurity Coordination Act. Sponsored by Rep. Jeff Duncan (R-SC). The bill amends the National Telecommunications and Information Administration Organization Act to establish the Office of Policy Development and Cybersecurity at NTIA and for other purposes.
- H.R.4055, American Cybersecurity Literacy Act. Sponsored by Rep. Adam Kinzinger (R-IL). Under the bill, the assistant secretary for communications and information shall develop and conduct a cybersecurity literacy campaign to increase the knowledge and awareness of the American people of best practices to reduce cybersecurity risks.
- H.R.4067, Communications Security Advisory Act of 2021. Sponsored by Rep. Elissa Slotkin (D-MI). The bill directs the Federal Communications Commission to establish a council to make recommendations on increasing the security, reliability and interoperability of communications networks and for other purposes.
- S.2199, Cyber Sense Act. Sponsored by Sen. Jacky Rosen (D-NV). The bill requires the Secretary of Energy to establish a voluntary Cyber Sense program to test the cybersecurity of products and technologies intended for use in the bulk-power system and other purposes.
- S.1324, Civilian Cyber Security Reserve Act. Sponsored by Sen. Jacky Rosen (D-NV). The bill establishes a Civilian Cyber Security Reserve as a pilot project to address the cybersecurity needs of the United States concerning national security and for other purposes.
- S.2139, International Cybercrime Prevention Act. Sponsored by Sen. Sheldon Whitehouse (D-RI). The bill amends title 18, United States Code, to prevent international cybercrime and for other purposes.
- S.2201, Supply Chain Security Training Act of 2021. Sponsored by Sen. Gary Peters (D-MI). The bill manages supply chain risk through counterintelligence training and for other purposes.
- S.2269, Protect American Power Infrastructure Act. Sponsored by Sen. Rick Scott (R-FL). The bill aims to secure the bulk-power system in the United States.
- S.2274, Federal Cybersecurity Workforce Expansion Act. Sponsored by Sen. Maggie Hassan (D-NH). The bill authorizes the Cybersecurity and Infrastructure Security Agency Director to establish an apprenticeship program and establish a pilot program on cybersecurity training for veterans and members of the Armed Forces transitioning to civilian life and other purposes.
- S.2292, Study on Cyber-Attack Response Options Act. Sponsored by Sen. Steve Daines (R-MT). The bill requires the Secretary of Homeland Security to study the potential consequences and benefits of amending the Computer Fraud and Abuse Act to allow private companies to take proportional actions in response to an unlawful network breach.
- S.2305, Cybersecurity Opportunity Act. Sponsored by Sen. Jon Ossoff (D-GA). The bill aims to enhance cybersecurity education through DHS grants.
- S.2439, A bill to amend the Homeland Security Act of 2002 to provide for the responsibility of the Cybersecurity and Infrastructure Security Agency to maintain capabilities to identify threats to industrial control systems and for other purposes. Sponsored by Sen. Gary Peters (D-MI). The bill amends the Homeland Security Act of 2002 to provide for the responsibility of CISA to maintain capabilities to identify threats to industrial control systems and for other purposes.