October 7, 2020
As 2020 winds down, the number of bills and laws being passed regarding cybersecurity measures is only increasing. One of those is the National Defense Authorization Act (NDAA), the series of laws passed each year that help determine the annual budget of the U.S. Department of Defense. This year, a number of measures to combat cybersecurity threats were addressed, including recommendations from the Cyber Solarium Commission.
Additionally, separate legislative actions important to cybersecurity will potentially be passed, including bills to strengthen the Cybersecurity and Infrastructure Security Agency (CISA), among other cybersecurity provisions.
CO– had a conversation with cybersecurity experts and U.S. House Representative Jim Langevin about the importance of the NDAA, CISA, and future legislation, and what it all means for cybersecurity and business endeavors.
NDAA Allows for the Appointment of a National Cyber Director
Representative Langevin is confident the NDAA will allow for the creation of an additional post within the White House. An appointment of a National Cyber Director will allow a cybersecurity expert to work alongside the president on cyber policies and “address vulnerabilities that exist within their systems,” said Representative Langevin.
“I think the process of having the National Cyber Director is very important,” added Christopher Roberti, SVP of cyber, intelligence, and supply chain security policy at the U.S. Chamber of Commerce. “It also provides industry and business with a very senior voice in the administration with whom they can engage.”
However, Roberti emphasized that the appointment of a National Cyber Director does not mean agencies should stop speaking to one another or conversing with their current networks.
“If you only have one person that anyone can talk to, that becomes a choke point,” Roberti added. “So, you need to maintain the existing relationships.”
Legislators Are Pushing to Strengthen CISA
CISA works to improve cybersecurity and threat defenses across the entire government. Because the agency is fairly new, its future in legislation was up in the air.
“We did talk about creating a [cyber] department,” said Representative Langevin of the legislation. “In the end though, we decided that doubling down on CISA was the right thing to do.”
Strengthening CISA would include creating a program known as the CISA Subpoena Authority. CISA has a number of capabilities to identify vulnerabilities within systems. However, it is usually unable to notify the affected entities directly due to privacy acts. A subpoena authority would allow it to work with internet service providers and notify those affected by the vulnerability.
“We take a partnership approach,” said Bryan Ware, former assistant director of the cybersecurity division of CISA. “I think that industry is looking for us to be able to deliver that kind of value to them.”
CISA’s Current Capabilities Are Being Put to the Test in the Private Sector
With hopes of strengthening CISA via joint cyber planning offices and pathfinder initiatives, cybersecurity experts are currently looking at how CISA has been an asset and how it could improve.
“One of the key attributes of CISA … is the voluntary basis of its engagement with the private sector,” said Roberti.
CISA has been able to involve stakeholders and be transparent about what’s really going on within the cybersecurity sector, all while gaining constructive feedback to address vulnerabilities and gaps within the system, added Roberti.
Ware also emphasized the importance of sharing information and collaborating within the private sector.
“[We want to] make it possible for us to collaborate [within the] industry, make it possible for us to join our data,” he said. “What could we see if we saw it all together?”
Legislature Is Looking at the Future of Cybersecurity During the Pandemic
Representative Langevin noted that, with the current pandemic, there are a number of things cybersecurity-focused companies can do to assist those unable to protect themselves against vulnerabilities, such as “improving the posture of small- and medium-sized enterprises that might not have the resources.”
Mark Montgomery, executive director at the U.S. Cyberspace Solarium Commission, noted the NDAA is the main legislation set to pass and will expand the infrastructure of cybersecurity across the country. However, “if we see another tool related [to] COVID recovery or correcting COVID errors on public response areas, then we jump on those,” he said.