Building the Case for Cybersecurity

Bill's Aim: Assemble Facts to Support Stronger Cyberdefense
It's been nearly two years since President Obama declared cybersecurity a national priority (see The President's 10-Point Cybersecurity Action Plan), but the urgency many in IT security circles feel about the need to safeguard the nation's critical digital assets isn't necessarily shared by the general public. The authors of new Senate legislation say they hope their bill, if enacted, would assemble the information needed to convince the public and their representatives in Congress of the need for a more vigorous cyberdefense.

"Every year, cyberattacks inflict vast damage on our nation's consumers, businesses and government agencies, but they have not received the attention they deserve," says Sen. Sheldon Whitehouse, D-R.I., who along with Sen. Jon Kyl, R-Ariz., last week introduced the Cybersecurity Public Awareness Act of 2011. "Congress needs to act in a number of areas to improve cybersecurity. One important element of this effort will be to ensure that we are properly informed going forward about the cyberthreats posed by criminals, terrorists and hostile nations."

Whitehouse and Kyl contend that the level of public awareness of cyberthreats is unacceptably low, pointing out that only a tiny portion of relevant cybersecurity information is released to the public. The sponsors say information about attacks on federal sites is usually classified and information about attacks on private systems is ordinarily kept confidential, declaring that sufficient mechanisms do not exist to provide meaningful threat reports to the public in unclassified and anonymized form. Their bill aims to change that.

The legislation would require the departments of Homeland Security and Defense to submit annual reports to Congress on attacks on federal networks. Among the data to be collected: aggregate statistics on the number of federal network breaches, volume of data stolen and the estimated cost to remediate breaches. DHS also would be required to report on impediments to appropriate public awareness of common cybersecurity threats.

Another provision of the bill would require the Justice Department and FBI to submit annual reports on the number of investigations initiated, arrests made and cases prosecuted related to cybercrimes. These reports also would include the number of cybercrime prosecutions that have been delayed or prevented because of the inability to extradite a defendant in a timely manner.

The regular reports to Congress also would identify the number of employees, financial resources and other resources such as technology and training devoted to enforcing, investigating and prosecuting cyberintrusions, including the number of investigators, prosecutors and forensic specialists dedicated to the tasks.

Among other provisions, the bill would require the:

  • DHS to describe policies for federal agencies to assist the private sector in defending information networks against cyberthreats that could result in loss of life or significant harm to the national economy or national security. These reports would be unclassified, though they could include classified addenda.
  • Securities and Exchange Commission, in consultation with the secretary of Homeland Security, to report on the financial risk to issuers of securities caused by cyberintrusions and any resulting legal liability.
  • Primary regulators for each critical industry to report the nature of the vulnerabilities to cyberattacks as well as the prevalence of cyberattacks and to recommend steps to thwart or diminish virtual assaults.
  • Attorney general, in coordination with the federal courts' administrative office, to report on whether federal courts have granted timely relief in matters relating to botnets and other cyberthreats and provide recommended changes to court rules, training and federal civil and criminal laws.

About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
