For more than a decade, cyber security has been a concern for the government and private sector alike. The growth of the information technology and e-commerce sectors in the United States has given rise to cyber crime, causing huge losses to the US government and its people.

In August 2015, it was reported that cyber crime caused an average annualized loss of 16.45 million U.S. dollars in the technology sector. Cyber crime came into the limelight in January 2013, when Twitter, the Wall Street Journal, the New York Times, and the Department of Energy each reported that their systems had been breached. Since these organizations have a large subscriber base, the attackers succeeded in probing into millions of people’s systems and compromising data. However, a more serious attack on US critical infrastructure could be devastating to the public.

“Richard Clarke, the former special advisor on cyber security to George W. Bush, stated that within the first 48 hours of a cyber attack, the United States could experience, among other things: classified and unclassified network failures, large oil refinery fires and gas pipeline explosions, financial system collapse with no idea of who owns what, trains and subways derailing, and a nationwide blackout leaving cities in the dark.”

Understanding United States Cyber Security Regulation

The United States privacy system is arguably the oldest, most robust and most effective in the world. It relies more on post hoc government enforcement and private litigation than on prior approval. Currently, cyber security regulation comprises directives from the Executive Branch and legislation from Congress that safeguard information technology and computer systems. The purpose of cybersecurity regulation is to force companies and organizations to protect their systems and information from cyber-attacks such as viruses, Trojan horses, phishing, denial of service (DoS) attacks, unauthorized access (stealing intellectual property or confidential information) and control system attacks.

Federal Government Regulation

There are three main federal cybersecurity regulations:

  • 1996 Health Insurance Portability and Accountability Act (HIPAA)
  • 1999 Gramm-Leach-Bliley Act
  • 2002 Homeland Security Act, which included the Federal Information Security Management Act (FISMA).

These three regulations mandate that healthcare organizations, financial institutions and federal agencies protect their systems and information. However, these rules are not foolproof in securing data and require only a “reasonable” level of security. For example, FISMA, which applies to every government agency, “requires the development and implementation of mandatory policies, principles, standards, and guidelines on information security”. These regulations do not address numerous computer-related industries, such as Internet Service Providers (ISPs) and software companies. Furthermore, the vague language of these regulations leaves much room for interpretation.

“Bruce Schneier, founder of Cupertino’s Counterpane Internet Security, argues that companies will not make sufficient investments in cybersecurity unless government forces them to do so. He also states that successful cyber-attacks on government systems still occur despite government efforts.”

Recent Federal Laws

In a recent effort to strengthen its cyber security laws, the federal government is introducing several new laws and amending older ones to build a better security ecosystem. Below are a few of them:

Cybersecurity Information Sharing Act (CISA): Its objective is to improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes. The law allows the sharing of Internet traffic information between the U.S. government and technology and manufacturing companies. The bill was introduced in the U.S. Senate on July 10, 2014, and passed the Senate on October 27, 2015.

Cybersecurity Enhancement Act of 2014: It was signed into law on December 18, 2014. It provides an ongoing, voluntary public-private partnership to improve cybersecurity and to strengthen cybersecurity research and development, workforce development and education, and public awareness and preparedness.

Federal Exchange Data Breach Notification Act of 2015: This bill requires a health insurance exchange to notify each individual whose personal information is known to have been acquired or accessed as a result of a breach of security of any system maintained by the exchange as soon as possible but not later than 60 days after discovery of the breach.

National Cybersecurity Protection Advancement Act of 2015: This law amends the Homeland Security Act of 2002 to allow the Department of Homeland Security’s (DHS’s) national cybersecurity and communications integration center (NCCIC) to include tribal governments, information sharing and analysis centers, and private entities among its non-federal representatives.

State Laws

State governments have also taken sincere measures to improve cyber security by increasing the public visibility of firms with weak security. In 2003, California passed the Notice of Security Breach Act, which requires that any company that maintains personal information of California citizens and suffers a security breach must disclose the details of the event. These security breach notification regulations punish firms for their cyber security failures while giving them the freedom to choose how to secure their systems. This creates an incentive for companies to proactively invest in cyber security to avoid potential reputational and economic loss. This worked well for California, and several other states later implemented similar security breach notification regulations.

The United States government has seen what is coming and is working to introduce stricter laws to equip organizations to secure their data against the latest cyber threats. However, as Bruce Schneier rightly said, successful cyber-attacks on government systems still occur despite government efforts. This holds true for private companies as well. It is advisable that organizations become proactive about the security of their applications and data. Cyber criminals are always on the prowl and are becoming more sophisticated in their attacks. For this reason, companies should keep a regular check on their systems to identify vulnerabilities and address them immediately.
