• cyber security

Cybersecurity Monitor: May 2016

IN THIS ISSUE
As we indicated in last month’s Cybersecurity Monitor, time is running out for national legislation on major cybersecurity issues. One type of cybersecurity legislation is finding support, however. We highlight two bills that recently passed in the House. The bills have three characteristics in common: they are narrow in scope; they introduce no new regulations; and likely because of the first two characteristics, they are able to win bipartisan support.

HOUSE BILLS SEEK TO PROMOTE PREVENTION
The cybersecurity legislation at the top of the 114th Congress’ agenda has tended to be reactive, in that it addresses what companies and federal agencies should do after a crime has been committed. One recent bill is noteworthy because it seeks to promote preventive measures within the private sector.
 
Toward the end of April, Republican Congressman Richard Hanna (N.Y.) and Democrat Derek Kilmer (Wash.) introduced H.R. 5064, the Improving Small Business Cyber Security Act. This narrow-scope bill would authorize the Small Business Administration, via its network of Small Business Development Centers (SBDCs), to assist small businesses in developing or enhancing their cybersecurity infrastructure, cyber threat awareness, and cyber training programs for employees. The bill also would require the Small Business Administrator and Secretary to develop a Small Business Development Center Cyber Strategy, which should include plans for incorporating SBDCs into existing cyber programs – such as cyber threat sharing programs – to enhance their cyber assistance to small businesses.
 
“Many small business owners don’t have the time or resources to plan for a cyberattack or keep up to date with rapidly changing technology,” Rep. Hannasaid. “This bill would streamline and improve these resources, providing critical assistance to American entrepreneurs to help them safeguard their business transactions and protect information from thieves who want to do them harm.”
 
Since its introduction on April 26, H.R. 5064 has advanced quickly. On May 18, the full House easily approved adding the bill as an amendment to its defense appropriations bill, H.R. 4909, the National Defense Authorization Act for Fiscal Year 2017. H.R. 5064’s fate now rests on the reconciliation process – as soon as the Senate approves its own defense appropriations bill (S. 2814).
 
A second piece of legislation worth mentioning is H.R. 4743, the National Cybersecurity Preparedness Consortium Act. The bill, which passed the House on a nearly unanimous vote, is similar to H.R. 5064 in that it has a narrow scope, imposes no new regulations on the private sector, and has strong bipartisan support. The bill would allow the Department of Homeland Security (DHS) to collaborate with experts outside of the government – at universities, in particular – to improve state and local cyber preparedness. It would also authorize DHS to “conduct cross-sector cybersecurity training and simulation exercises for entities, including State and local governments, critical infrastructure owners and operators, and private industry, to encourage community-wide coordination in defending against and responding to cybersecurity risks and incidents.”
 
NEW HOUSE CAUCUS TO FOCUS ON CONNECTED VEHICLES
Four House members have formed the Smart Transportation Caucus to “help educate members about the innovation that is happening in the United States, identify policy areas that need to be improved to support the development of new technologies, and boost collaboration to ensure the U.S. always maintains its competitive edge,” according to a statement by Rep. Debbie Dingell (D-Mich.). Another founding member, Rep. Ted Lieu (D-Calif.), added, “Our technological advances are only as good as the cyber security that ensures products work efficiently and safely.” Joining Dingell and Lieu as founding members are Reps. Joe Wilson (R-S.C.) and Joe Barton (R-Texas.).
 
STUDIES: HEALTHCARE ORGANIZATIONS NOT PREPARED FOR CYBER ATTACKS
Cyber attacks against healthcare organizations are on the rise. But according toHealthcare IT News, citing a March survey, the industry remains ill-prepared to prevent these attacks.
 
The survey of healthcare IT decision-makers by HIMSS Analytics and Symantec found that more than 80 percent of healthcare organizations spend less than six percent of their IT budgets on security, and more than half say that figure is less than three percent. (The finance industry, by contrast, spends 12-15 percent.) Furthermore, 75 percent of survey respondents said cybersecurity is brought up at board meetings only some of the time or upon request. “Overall, most provider organizations have a tactical approach to security rather than a strategic approach, the study says, reacting to immediate threats rather than deploying a comprehensive strategy.”
 
Healthcare IT News itself interviewed a variety of cybersecurity experts to determine the most pressing issues for healthcare organizations:

  • Ransomware attacks will get worse;
  • “Whaling” (also known as “CEO fraud”) is a major threat;
  • The need to educate C-suite executives on security has never been greater;
  • Application security should not be overlooked; and
  • Medical devices and the Internet of Things open an endless number of new doors that can threaten not just security but patient safety.

AROUND THE STATES

  • Nebraska joined California, Florida, Nevada, and Wyoming by amending its data breach notification law to expand the definition of “personal information” to include “a user name or email address, in combination with a password or security question and answer, that would permit access to an online account.” The new law (KB 835) takes effect on July 20.
  • Two Michigan state senators introduced legislation (SB 927 and SB 928) that would make it a felony – with the possibility of a life sentence –  to “intentionally access or cause access to be made to an electronic system of a motor vehicle to willfully destroy, damage, impair, alter or gain unauthorized control of the motor vehicle.” Critics claim the bills’ language is too broad and could cover legitimate security research.
  • In California, the state legislature killed a bill (AB 1681) that would have penalized smartphone makers that refused to comply with court orders to decrypt their devices. Similar legislation in the U.S. Senate seems to be headed for the same fate. The draft bill released by Sens. Richard Burr (R-N.C.) and Dianne Feinstein (D-Calif.) last month “received overwhelming condemnation from civil liberties and privacy advocates along with a long list of the who’s who within the tech industry. Add to that 43,000 people that have signed a petition against proposed U.S. legislation,” one news outlet reported.