An alarming number of cybersecurity incidents are happening right now. The Biden Administration is taking swift action within its first six months, which has also prompted the United States Congress to introduce several cybersecurity bills. Lawmakers have currently introduced at least eighteen additional bills to help expand the nation's cybersecurity capabilities.
This is a sign that cybersecurity is becoming a bigger and bigger legislative priority, and the interests of national security in a range of digital matters seem to be accelerating. Just this last week, the House Committee on Energy and Commerce voted to advance six bills that will primarily deal with digital security, along with two more that contain important cybersecurity provisions.
Data Breach Notification Bill
Also last week, Senator Mark R. Warner (D-VA), Chairman of the Senate Select Committee on Intelligence, along with Senator Marco Rubio (R-FL), Vice Chairman of the Committee, and Senator Susan Collins (R-ME), a Senior Member of the Committee, introduced the Cyber Incident Notification Act of 2021.
This bill would require federal government agencies, federal contractors, and critical infrastructure operators to notify the Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA) when a breach is detected so that the US government can mobilize to protect critical industries across the country.
The bill further grants legal immunity to organizations that freely come forward with breach reports. In addition, it asks CISA to "implement data protection procedures to anonymize personally identifiable information and safeguard privacy."
The legislation will fill a void: what many cybersecurity professionals say is a woeful lack of metrics about how many and what kind of cybersecurity incidents take place. Outside of a handful of critical infrastructure sectors, no consistent data breach reporting mandates exist, making it difficult for the government to use its resources to fend off attacks while they are occurring or gather lessons learned after they've occurred.
"We shouldn't be relying on voluntary reporting to protect our critical infrastructure," Warner said in announcing the cyber incident bill. "We need a routine federal standard so that when vital sectors of our economy are affected by a breach, the full resources of the federal government can be mobilized to respond to and stave off its impact."
Funding Boosts in Authorization Bills
Last week, we also saw the Senate Armed Services Committee pass its version of the 2022 defense authorization bill, which calls for hefty cybersecurity budget increases and requirements for the defense sector. Among the increases are two hundred and seventy million more for the Defense Department's cybersecurity budget.
The Authorization will assign to the head of Cyber Command:
The responsibility for directly controlling and managing the planning, programming, budgeting, and execution of the resources to maintain the Cyber Mission Forces.
Moreover, the bill asks the Department of Defense to assess what it needs to defend itself against cyberattacks as well as to conduct a pilot study to examine:
The viability of teaming with "internet ecosystem companies to discover and disrupt the use of their platforms, systems, services, and infrastructure by malicious cyber actors."
Sixteen Other Cybersecurity Bills
In addition to Warner's breach notification bill and the Data Protection Act of 2021, a bill reintroduced by Senator Kirsten Gillibrand (D-NY) that would create a new federal agency to protect Americans' data, lawmakers have introduced at least 16 other new cybersecurity bills since the end of May. These bills range from vehicles seeking to improve cybersecurity literacy to possible regulatory requirements affecting the nation's communications infrastructure:
- H.R.3919, Secure Equipment Act of 2021. Sponsored by Rep. Steve Scalise (R-LA). This bill requires the Federal Communications Commission (FCC) to establish rules stating that it will no longer review or approve any authorization application for equipment on the covered communications equipment or services list. (Listed communications equipment or services are those that the FCC determines to pose an unacceptable risk to national security or the security and safety of US persons.)
- H.R.2685, Understanding Cybersecurity of Mobile Networks Act. Sponsored by Rep. Anna G. Eshoo (D-CA). The bill requires the National Telecommunications and Information Administration (NTIA) to examine and report on the cybersecurity of mobile service networks and the vulnerability of these networks and mobile devices to cyberattacks and surveillance conducted by adversaries.
- H.R.2931, Enhancing Grid Security Through Public-Private Partnerships Act. Sponsored by Rep. Jerry McNerney (D-CA). This bill directs the Department of Energy (DOE) to implement a program to facilitate and encourage public-private partnerships to address and mitigate the physical security and cybersecurity risks of electric utilities. (The Senate received this bill on July 20.)
- H.R.4028, Information and Communication Technology Strategy Act. Sponsored by Rep. Billy Long (R-MO). The bill requires the Secretary of Commerce to report on and develop a whole-of-government strategy concerning the economic competitiveness of the information and communication technology supply chain and for other purposes.
- H.R.4046, NTIA Policy and Cybersecurity Coordination Act. Sponsored by Rep. Jeff Duncan (R-SC). The bill amends the National Telecommunications and Information Administration Organization Act to establish the Office of Policy Development and Cybersecurity at NTIA and for other purposes.
- H.R.4055, American Cybersecurity Literacy Act. Sponsored by Rep. Adam Kinzinger (R-IL). Under the bill, the assistant secretary for communications and information shall develop and conduct a cybersecurity literacy campaign to increase the knowledge and awareness of the American people of best practices to reduce cybersecurity risks.
- H.R.4067, Communications Security Advisory Act of 2021. Sponsored by Rep. Elissa Slotkin (D-MI). The bill directs the Federal Communications Commission to establish a council to make recommendations on increasing the security, reliability, and interoperability of communications networks and for other purposes.
- S.2199, Cyber Sense Act. Sponsored by Sen. Jacky Rosen (D-NV). The bill requires the Secretary of Energy to establish a voluntary Cyber Sense program to test the cybersecurity of products and technologies intended for use in the bulk-power system and for other purposes.
- S.1324, Civilian Cyber Security Reserve Act. Sponsored by Sen. Jacky Rosen (D-NV). The bill establishes a Civilian Cyber Security Reserve as a pilot project to address the cybersecurity needs of the United States concerning national security and for other purposes.
- S.2139, International Cybercrime Prevention Act. Sponsored by Sen. Sheldon Whitehouse (D-RI). The bill amends title 18, United States Code, to prevent international cybercrime and for other purposes.
- S.2201, Supply Chain Security Training Act of 2021. Sponsored by Sen. Gary Peters (D-MI). The bill manages supply chain risk through counterintelligence training and for other purposes.
- S.2269, Protect American Power Infrastructure Act. Sponsored by Sen. Rick Scott (R-FL). The bill aims to secure the bulk-power system in the United States.
- S.2274, Federal Cybersecurity Workforce Expansion Act. Sponsored by Sen. Maggie Hassan (D-NH). The bill authorizes the Cybersecurity and Infrastructure Security Agency Director to establish an apprenticeship program and a pilot program on cybersecurity training for veterans and members of the Armed Forces transitioning to civilian life and for other purposes.
- S.2292, Study on Cyber-Attack Response Options Act. Sponsored by Sen. Steve Daines (R-MT). The bill requires the Secretary of Homeland Security to study the potential consequences and benefits of amending the Computer Fraud and Abuse Act to allow private companies to take proportional actions in response to an unlawful network breach.
- S.2305, Cybersecurity Opportunity Act. Sponsored by Sen. Jon Ossoff (D-GA). The bill aims to enhance cybersecurity education through DHS grants.
- S.2439, A bill to amend the Homeland Security Act of 2002 to provide for the responsibility of the Cybersecurity and Infrastructure Security Agency to maintain capabilities to identify threats to industrial control systems and for other purposes. Sponsored by Sen. Gary Peters (D-MI). The bill amends the Homeland Security Act of 2002 to provide for the responsibility of CISA to maintain capabilities to identify threats to industrial control systems and for other purposes.