What New Cybersecurity Legislation Doesn’t Include
Cybersecurity legislation needs to include ways to improve IT hygiene and visibility, the collective root of the cybersecurity problem
Cybersecurity challenges aren’t slowing down. Government websites have been hacked and kicked offline by ransomware; dozens of United Nations servers were breached earlier this year. The extent of these attacks—how much data was stolen, how long the affected parties took to react—is not always immediately known. But one thing is certain: Malicious threat actors are out there in ever-increasing volume and they are targeting everyone, looking for easy access to sensitive data.
Noting that ransomware and other cyber threats have “grown at an alarming rate,” in January Congress introduced the Cybersecurity State Coordinator Act (CSCA) of 2020, bipartisan legislation that focuses on cybersecurity coordination between federal, state and local governments. If signed into law, the bill would pave the way for the appointment of a cybersecurity state coordinator in each state to assist in managing, preventing, anticipating and recovering from cyberattacks.
In November, the Senate passed the National Cybersecurity Preparedness Consortium Act (NCPCA) of 2019, which would “authorize the Secretary of Homeland Security to work with cybersecurity consortia” for training, technical assistance and other purposes. The Senate also passed the State and Local Government Cybersecurity Act (SLGCA) of 2019 in November, in an attempt to provide “collaboration between the Department of Homeland Security (DHS) and state, local, tribal, and territorial governments.”
And, last summer Congress proposed the Cybersecurity Vulnerability Remediation Act (CVRA), hoping to improve how the Cybersecurity and Infrastructure Security Agency (CISA) “helps Federal and non-Federal entities manage known cybersecurity risks.” Passed by the house in September, the bill would authorize CISA to develop playbooks filled with procedures and mitigation strategies for the “most critical” vulnerabilities.
All of these cybersecurity legislative efforts have merit. The problem is that most of the proposed bills seeking to address ongoing challenges—and so many others that are likely to be proposed in the near-term—do not cover the fundamental problems that have weakened cybersecurity posture, especially at the state and local government level.
Poor IT hygiene continues to plague both organizations and governments alike. For a decade now, Verizon’s “Data Breach Investigations Report“—the most comprehensive review of security breaches on a global level—has highlighted that most organizations are far more likely to be compromised via a known vulnerability than affected by something more exotic, such as a targeted nation-state attack. Many government agencies are justifiably concerned about these attacks, especially with the world on heightened alert and distracted with the day-to-day-challenges of the coronavirus. But at the same time, agencies haven’t focused on fundamental hygiene needs such as maintaining a complete inventory of assets, patching assets for known vulnerabilities, managing credentials, enabling two-factor authentication and ensuring there are no gaps in visibility or control by being able to identify managed and unmanaged endpoints on the network immediately.
A cybersecurity state coordinator might be able to offer assistance, but if the proposed solution is to spend more money on tools and further complicate an already gap-filled IT environment without addressing fundamentals, the problems are exacerbated. It is also not quite clear how much a consortium would help in providing training or assistance, or if the playbooks would offer any real value beyond proposing more frameworks or procedures.
Threat Mitigation Starts With Improved IT Hygiene
By investing in more unnecessary tools—most of which will be used minimally, deployed improperly or unable to integrate with other tools in the IT operations and security stack—governments will remain vulnerable to the disruptions they are trying to prevent. Of course, they’re going to spend on security, but they need a good strategy; it can’t just be about acquiring more products. Instead, governments should focus on taking the right steps to improve IT hygiene. This includes being able to patch vulnerabilities fully as soon as possible after they are discovered. They should also make sure their environment is configured for least-privilege access. Once these controls are in place, CIOs, CISOs and, if appointed, cybersecurity state coordinators will be in a much better position to mitigate further threats.
Full Endpoint Visibility is a Must
Improved IT hygiene starts with full visibility of computing endpoints and the ability to patch, remediate or otherwise solve issues right away. This is not merely a nice-to-have option but a must-have feature to combat the rising costs associated with cyberattacks. Every unpatched endpoint is a potential threat vector. All it takes for a hacker to be successful is finding one weak spot. Look at almost any of the major, headline-grabbing attacks from the past few years, from WannaCry to BlueKeep, or the Equifax breach, in which hackers obtained the personal information of more than 147 million Americans. Each relates, in some way, back to IT hygiene issues.
It’s Time To Do More – and Differently
At a time when the cost of cyber incidents increases every year, it is encouraging to see Congress propose cybersecurity legislation that would foster coordination and collaboration. But these bills don’t go far enough. CSCA, for example, might increase communication, but the bill says nothing about improving IT hygiene and visibility. It also says nothing about increasing the necessary manpower to deal with every possible threat. In addition, it fails to provide specific details explaining how the coordinators would help to ensure that vulnerabilities are patched as soon as they are discovered.
We also wonder how state governments will pay for the cybersecurity state coordinator. Is this solely intended to increase communication within the government or will there be additional funds to actually combat the problem? If so, where will the funds be allocated? Who will decide?
Ideally, these bills will serve as a starting point for more comprehensive cybersecurity legislation that addresses these and other concerns. But a better, more effective bill would clearly state where any new funds would be directed. Focusing on areas that are historically ignored or underfunded—such as IT hygiene, patch management, asset inventory and access control—would be constructive. It would be a mistake to think that throwing more resources at security and IT operations will solve these problems. The best solution still comes down to executing a plan with the right end goal in mind: fixing the basics, including improved hygiene.
