Following a series of national-level cyber incidents, federal lawmakers in the United States are beginning to take steps to clamp down on standards for data protection law as well as the big companies that make up the tech industry.
One of the biggest wake-up calls to Washington was the Equifax breach in mid-September, the hack that has come to be known as the single most detrimental cyberattack in history.
While the extent of the damage caused by Equifax is still coming to light, all the information uncovered about the breach until this point has been a major prod for Congress members to take action.
Almost immediately following the news of the breach, congressional committees began to set up inquiries into the incident. Recently, US media reported that the former CEO of Equifax—ousted from his position due to the breach—was due to testify in front of lawmakers to give answers as to how the devastating breach occurred.
Then came the Kaspersky saga.
On 13 September, the Department of Homeland Security issued a directive forbidding all federal computers from running software produced by Russian cybersecurity software firm Kaspersky, citing unspecified “ties” between the company and “Russian intelligence and other government agencies.”
Against the backdrop of the incidents, it is not surprising that Congress has actually taken some substantial policy steps as of late.
Two weeks ago, a cybersecurity strategy bill was drafted and scheduled to be introduced by a bipartisan group of several representatives. The bill lays out a goal for security and intelligence arms in Washington to give an all-encompassing assessment of the digital grid and requires that several federal agencies and their heads, including the Director of National Intelligence, the Secretary of Energy, and the Secretary of Homeland Security, team up and produce a report delineating some key points.
In addition to an overview of the military, the text of the bill also requires the three officials to make a list of vulnerabilities to elements of the civilian electrical infrastructure, and to coordinate with the Secretary of Defense on what those important elements might be.
The text of the bill requires that “vulnerabilities” be identified as well as mediums through which foreign bodies may be able to conduct “influence operations” against the United States.
This provision would essentially set the stage for Congress–through the above agencies or others–to take serious steps to address any “vulnerabilities” that may be identified in the assessment.
Meanwhile, the follow-up on these incidents has not served to quell the fears of the public or Washington.
On Thursday, several outlets reported on the uncovering of the hacking of a personal computer belonging to a National Security Agency (NSA) contractor by Russian cybercriminals. While the hack apparently occurred in 2015, it only came to light a year later, and is only now being revealed to the public. The reports contained the bombshell claim that the Kaspersky software on the contractor’s computer remotely alerted the hackers to the presence of valuable files.
Revelations on the cyberattack on the NSA came just a few weeks following the DHS ban. The close proximity of these incidents strongly supports the possibility that the ban was influenced by the hack that the public only became aware of a few days ago.
While Kaspersky has vehemently denied any connection to the NSA hack, as well as any illicit ties to the Russian government whatsoever, claims of Kaspersky’s involvement will probably only serve to escalate the same concerns driving federal policies.
If these cyber incidents do end up spurring actual legislation to regulate the industry, what can we expect to see?
First on the list might be regulations requiring companies to report cyber breaches in a timely manner, modeled after similar injunctions in the European Union’s General Data Protection Regulation. The earliest reports on the Equifax fiasco showed that the company was aware of the unauthorized access to its system for a substantial amount of time, maybe even months, before reporting to authorities.
Another element likely to be contained in any future legislation would be various security standards and compliance protocols for companies dealing with sensitive data. While security basics such as staying up to date with software patching and encryption standards will probably find their way into any bill produced by Congress, the issue of authentication methods will likely be a major, if not the central, focus of regulations.
As many observers within the industry have pointed out, if the recent cyber blunders have done anything, it is to call into question the entire model of authentication prevalent in the world of information security today. The trend we are seeing now in the US will likely result in promoting alternative authentication methods, incorporating new multi-factor and password-free models.
It will be interesting to see what legal implications end up resulting from this series of events. Steps taken by policymakers in Washington in reaction to the events of the past month may end up producing substantial changes for the industry.