As we start to make plans to celebrate the New Year just about a week from now, Cybersecurity “pundits” are already making their rounds as to what they think will happen to our industry starting on January 1st. I think I may have written some content about this before in my blog postings, but today for sure we are going to start on this theme.
So, we start off with the top Cybersecurity Legislations that will impact the United States starting in 2019. Here we go:
*The California Privacy Act:
This is also known as the “California Consumer Privacy Act of 2018”. Many Cybersecurity professionals view this as the precursor to a GDPR-style law here in the United States. This piece of Legislation is actually slated to take effect in 2020, and is deemed to be amongst in this country. Believe it or not, there is a lot of support for this law, both from the average consumer and even from the tech industry itself. One of the biggest supporters of this Legislation has been Apple, for example: “Apple CEO Tim Cook recently said that his company is in full support of a comprehensive federal privacy law in the United States.” (SOURCE: https://www.scmagazine.com/home/security-news/top-cybersecurity-legislation-of-2019/). But Cook also noted that while it is great to have these kinds of laws, they can be constraining as well. The only way that the law can be effective is if it gets full support from the American people, which, so far, seems to be happening.
*The National Breach Notification Law:
This is a specific Bill that is geared towards the financial industry here in the United States. In fact, it was first introduced by the House Financial Services Committee, and it would actually be an amendment to the current Gramm-Leach-Bliley Act (GLBA) Legislation. The primary thrust of this is to create a common mechanism across all 50 states that would inform the customers of banks, brokerage companies, and all sorts of financial institutions in the case of a Security Breach that compromises their Personally Identifiable Information (PII).
*The State of California’s SB 327:
This is California’s ever famous Internet of Things, or IoT, Legislation. This law is geared towards those products that are manufactured specifically to support an IoT environment, and its primary goal is to implement a common set of authentication mechanisms. However, there are a lot of ambiguities in this law, and many people, and even Corporate America, feel that it is too vague. For instance, it only applies to those devices that come fresh off the assembly line, and not to those that have been resold. But, on the flip side, this is a good start on having some sort of Cybersecurity Legislation with regards to the IoT, because nothing else exists yet.
More details about this soon-to-be-enacted law can be seen here:
*The Secure Elections Act:
This bill was actually introduced way back in 2017 by Senator James Lankford, a Republican Senator from Oklahoma. The intent of this is to completely do away with electronic voting machines and, instead, go back to doing things the old-fashioned way with traditional paper ballots. If this bill were to be passed in 2019, it would also require that all 50 states manually audit each and every polling place across the United States. This was eventually submitted to the Congressional Committee on Rules and Administration, but has not gained any traction since.
True, going back to the old days would be a very costly and laborious process, but this option may not be so bad, as there are so many fears right now of nation state actors threatening our electronic voting system.
More details about this can be seen here:
*The Cybersecurity and Infrastructure Security Agency Act:
This piece of Legislation was signed into law by Trump just this past November. It has redesignated the existing National Protection and Programs Directorate (aka NPPD, which is housed under the Department of Homeland Security) as the national Cybersecurity and Infrastructure Security Agency (CISA). As its name implies, the goal of this newly branded agency is to protect the overall Critical Infrastructure of the United States, by having both Cybersecurity and Emergency Response divisions.
More details about this law can be seen here:
*The NIST Small Business Cybersecurity Act:
This took almost a year and a half to become law here in the United States, and it was just passed during the summer of this year. This federal law mandates that the Director of the National Institute of Standards and Technology (aka NIST) “. . . issue guidance and a consistent set of resources to help SMBs identify, assess and reduce their cybersecurity risks.” (SOURCE: https://www.scmagazine.com/home/security-news/top-cybersecurity-legislation-of-2019/). In other words, the goal here is to help the small to medium sized business (SMB) sector in the United States implement a basic set of Security Controls, as well as introducing methods to promote good levels of “Cyber Hygiene” amongst employees.
More details about this legislation can be seen here:
*The Encrypt Act:
This is a bill that has been introduced by Representatives Ted W. Lieu (a Democrat from California), Mike Bishop (a Republican from Michigan), Suzan DelBene (a Democrat from Washington), and Jim Jordan (a Republican from Ohio). ENCRYPT actually stands for the Ensuring National Constitutional Rights for Your Private Telecommunications Act. The goal of this bill, if it were to be passed, is to introduce a set of best practices and common standards for the implementation and use of Encryption-based technologies across all of the 50 states.
*The Russian Sanctions Legislation:
As its name implies, this bill would impose the severest of sanctions upon Russia, as well as upon other nation state actors, for interfering with any future US national elections. Any interference by the Russians could also be strong grounds for denying any form of immigration into the United States. There are also two other subcomponents to this bill, which are as follows:
*The International Cybercrime Prevention Act:
This would allow federal prosecutors here in the United States to literally shut down the digital assets of any foreign country that is found to be using any form of US property to conduct illegal activities.
*The Defending the Integrity of Voting Systems Act:
With this, federal prosecutors can go after any nation state threat actor that is found to have been interfering with any sort of election process here in the United States.
More details about this bill can be seen here:
*The Cyber Diplomacy Act:
This bill was introduced by Representatives Edward Royce (a Republican from California) and Eliot Engel (a Democrat from New York) way back in September 2017. This bill has already been passed by the House of Representatives, and is now making its way to the Senate. The primary aim of this bill is instructing other nations on how they should properly behave, from the standpoint of Cybersecurity, when doing business with organizations based in the United States, focusing upon the following:
*The theft of Intellectual Property;
*The misuse of Information and Communications Technology (ICT);
*The creation of secure ICT-based products when they are manufactured in a foreign country and imported here into the United States.
My thoughts on this?
Well, here you have them, the top 9 legislations or bills that will receive the most attention here in the United States as we steamroll into 2019. Given the current state of the Cybersecurity landscape and how it is becoming much more complex and sophisticated, it is good to see that there are new laws to protect both US citizens and businesses.
But my concern here is, given the complete chaos that is now transpiring with the Trump Administration, how well will these laws and soon-to-be laws be enforced? I mean, it’s great to say on paper that everything will be done to enforce them, but in reality, how will it happen? There is no apparent answer here either, at least not yet.
Finally, remember that getting these laws and bills passed takes an enormous amount of time and effort. By the time that these all become actually enforceable, the Cyberthreat landscape will have become a totally different animal, which will be even more difficult to tame.
But hey, having some set of enforceable rules and their consequences for not following them is better than nothing at all in the end.