What are we talking about?
By now you may have heard the news about a cybersecurity bill, or more accurately two cybersecurity bills, that have been introduced in the U.S. Congress. Those bills are the ‘State And Local Cybersecurity Act of 2019’, which the Senate passed in November and which is currently in the House, and the ‘Cybersecurity State Coordinator Act of 2020’, which is in the Senate.
These bills strike a particular chord with BitLyft for three reasons:
- This is bipartisan legislation that has gained traction in both parties;
- This is action that directly aims to improve cybersecurity at a time when the U.S. is falling behind; and
- A lot of the work is being done by our own Michigan Senator, Gary Peters.
In addition, the work has been done with Senator John Cornyn (R-TX), Senator Rob Portman (R-OH) and Senator Maggie Hassan (D-NH). The bills are meant to strengthen coordination between federal officials, including those at the Department of Homeland Security (DHS), and state and local officials. They come in the wake of attacks on cities like New Orleans, Atlanta and Baltimore and state-wide attacks in Colorado and Louisiana.
In the words of Senator Peters: “State and local governments with limited resources and cybersecurity expertise can struggle to secure their systems against malicious hackers that could expose their constituents’ personal data. I’m pleased the Senate passed my bipartisan bill that will help ensure all levels of government can bolster their defenses and protect themselves from sophisticated cyber-attacks.”
What does it mean?
These are the first attempts to have better coordination between agencies, and that alone is a plus in this day and age. But the crux of the issue is information sharing. Some of this is being accomplished through groups like the Multi-State Information Sharing and Analysis Center (MS-ISAC), but another big step is increasing access for state and local government to the National Cybersecurity and Communications Integration Center (NCCIC).
Coordination of this kind eases information sharing amongst the actors, and also allows for sharing of tools and resources, including security tools and things like policies and procedures. It will also allow for joint exercises and training that can help close gaps by exposing existing talent to wider threats.
In addition, the big takeaway from the second act is that the federal government may appoint a cybersecurity coordinator for each state to oversee efforts. “The role of each state coordinator would be multifaceted, combining elements of training, advisory work, and program development. Each leader would serve as a principal federal cybersecurity risk advisor, coordinating efforts to prepare for, respond to, and remediate cyber-attacks. Another core responsibility would be to raise awareness of the financial, technical, and operational resources available to non-federal entities from the federal government.
Coordinators would be expected to support training, exercises, and planning for continuity of operations to expedite as swift a recovery as possible from cybersecurity incidents. Furthermore, they would be called on to assist non-federal entities in developing and coordinating vulnerability disclosure programs consistent with federal and information security industry standards.”
This comes at a time when states like New York have gone so far as to consider banning government entities from paying ransoms in ransomware events. And a recent report published jointly by the National Association of State Chief Information Officers (NASCIO) and the National Governors Association (NGA) urges state governments to embrace partnerships with their localities to beef up the cybersecurity postures of all parties.
Why should you care?
What really matters here is that this happens on a daily basis. In the words of Chris DeRusha, the Chief Security Officer for the State of Michigan: “Every day our state and local government networks experience millions of intrusion attempts by those looking to do harm. This…will help the state of Michigan access resources, tools and expertise developed by Federal government and national cybersecurity experts, which will enhance the security of the information Michiganders have entrusted us to keep safe.”
Keeping a local angle, Lansing was recently hit with ransomware. The Lansing Board of Water & Light, which is a key utility provider for Genesee County, suffered a ransomware attack. It doesn’t matter where you live or work; these kinds of attacks will affect you. And the reality is that the data here is sensitive and the systems involved are critical. How long would you be comfortable going without water, or power, or knowing the data your state or local governments had on you was exposed?