Lawmakers Unveil Cybersecurity LegislationBills Address Criminal Penalties, School District Protection and More
Republican and Democratic lawmakers have recently introduced several cybersecurity-related bills seeking to address issues ranging from tougher penalties for cybercriminals to improving protection of school districts.
A Senate bill, the International Cybercrime Prevention Act, would increase the criminal penalties for attackers who target U.S. critical infrastructure, such as power plants and hospitals. Meanwhile, a House bill, the Enhancing K-12 Cybersecurity Act, would provide funding to protect school district networks.
A third measure, the Data Protection Act, would create a federal agency to protect Americans' private data.
Plus, several senators are circulating a draft of a federal breach notification bill that would require government agencies and businesses that support critical infrastructure to report a cyber incident to the Cybersecurity and Infrastructure Agency within 24 hours (see: Senators Draft a Federal Breach Notification Bill).
The legislative proposals come on the heels of President Joe Biden's summit meeting Wednesday with Russian President Vladimir Putin, where they discussed cyber-related issues, including concerns that the Russian government was allowing cybercriminal to operate within its borders (see: Analysis: The Cyber Impact of Biden/Putin Summit Meeting).
Chris Pierson, CEO of concierge cybersecurity firm BlackCloak, says the legislative activity is a response to the surge in ransomware and other cyberattacks. But he asserts that "many of these efforts are purely perfunctory, and while some can assist in prosecution of cybercriminals, most won't actually solve or mitigate the risk to the U.S. or its critical infrastructure."
The government needs to create a broader strategy for enhancing cybersecurity, adds Austin Berglas, who formerly was an assistant special agent in charge of cyber investigations at the FBI's New York office.
"Increased penalties will play a part, but will not be effective without changes in other significant areas," says Berglas, who is now global head of professional services at cybersecurity firm BlueVoyant. "The U.S. took a big step declaring ransomware attacks a national security threat - raising the priority inside the Justice Department to be on par with counterterrorism and counterintelligence. Additionally, reducing the number of safe harbor countries where cyber actors operate with protection and eliminating the ability to utilize 'bulletproof hosting' or infrastructure protected from law enforcement and legal process will allow for the increased penalties to have the appropriate deterrent effect."
Cybercrime Prevention Act
The International Cybercrime Prevention Act, which was introduced last week in the Senate, would give the U.S. Justice Department additional tools to pursue cybercriminal activity and create enhanced penalties for attackers who target critical infrastructure, including dams, power plants, hospitals and election infrastructure.
The bill also would give federal prosecutors new powers to shut down botnets and other types of infrastructure used for cyberattacks and would make it a crime to sell access to botnet networks.
"From the criminal enterprise point of view, we have to up the cost of doing business here. These people are making probably millions of dollars, and the penalties are inadequate to the crime," Sen. Lindsey Graham, R-S.C., one of four senators supporting the bill, said at a Thursday press conference held to introduce the legislation.
Another sponsor, Sen. Sheldon Whitehouse, D-R.I., said he hoped the bill would address some of the cybersecurity shortcomings that were found during the recent ransomware attacks against Colonial Pipeline Co. and meat processor JBS.
Andrew Barratt, managing principal at security consultancy Coalfire, says that while the International Cybercrime Prevention Act is a step in the right direction, giving U.S. prosecutors and the FBI additional powers will not help when many cybercriminals operate overseas outside the realm of U.S. law enforcement agencies.
"Giving courts the power to shut down botnets is, in theory, a great provision. However, if those botnets are built off of devices out in other nations, the U.S. will be powerless to do anything other than to work more closely with its allies in the U.K., Europe and farther afield," Barratt says. "Some of the criminality never happens on U.S. soil, and as such, it might be better to add some additional focus to extradition treaties and … alliances with other countries allowing for a joint standard to be created that supports arrest and prosecution and extradition."
School Security Bill
The Enhancing K-12 Cybersecurity Act was introduced by Rep. Doris Matsui, D-Calif., and is supported by a bipartisan group of House members, including Rep. Jim Langevin, D-R.I., and John Katko, R-N.Y., who both serve on the House Homeland Security Committee that has been investigating several recent cyber incidents (see: House Probes Specifics of Colonial Ransomware Attack).
The bill would provide $10 million over the next two years to create a K-12 Cybersecurity Technology Improvement Program overseen by CISA to help school districts prevent attacks on their networks. The legislation would also create a voluntary registry to track these incidents and allow CISA to share best practices with school districts.
Since the start of the COVID-19 pandemic, several school districts across the U.S. have been hit by ransomware as well as distributed denial-of-service attacks that have disrupted both in-person and virtual learning. In March, attackers posted on a darknet site 26,000 files belonging to Florida's Broward County Public Schools district after officials refused to pay a ransom (see: Ransomware Attacks on Schools: The Latest Developments).
"Cyberattacks targeting schools have already forced class cancellations and exposed students’ sensitive personal information. As cybercriminals grow more sophisticated and aggressive, we must provide the resources and information necessary to protect our schools," Matsui said.
On Thursday, Sen. Kirsten Gillibrand, D-N.Y., reintroduced the Data Protection Act that would create an independent federal agency dedicated to protecting Americans' data, safeguarding citizens' privacy and ensuring that businesses and government agencies follow certain practices when it comes to personal data.
Gillibrand first introduced the bill in February 2020, but the legislation was not brought up for a vote in the Senate (see: Senator Calls for Creation of Federal Online Privacy Agency).
The latest version of the bill, Gillibrand noted, includes "updated provisions to protect against privacy harms and discrimination, oversee the use of high-risk data practices and to examine and propose remedies for the social, ethical and economic impacts of data collection."
The new agency created under the bill also would oversee mergers between large tech firms, including the transfer of data when the personal information of 50,000 or more individuals is involved.