[BreachExchange] Top cybersecurity legislation of 2019

Inga Goddijn inga at riskbasedsecurity.com
Mon Dec 24 18:39:15 EST 2018


https://www.scmagazine.com/home/security-news/top-cybersecurity-legislation-of-2019/

*It’s the law…almost*

2018 may go down as the year the EU’s GDPR went into effect, but legislators
domestically kept busy introducing and passing legislation meant to bolster
the U.S.’s cybersecurity and privacy postures.

*California Privacy Act*

After a rush to get legislation done so a ballot measure slated for the
November election could be pulled by the withdrawal deadline, the
California State Assembly passed the California Consumer Privacy Act of
2018, which many privacy pros peg as the foundation of an eventual U.S.
GDPR-type law. The act, set to take effect in 2020, is the most stringent
of its kind in the U.S. “With the breaking news of the dramatic passage of
California’s new privacy law, AB 375, the strictest privacy measure in the
nation, along with the coming into force of the European GDPR and SCOTUS
decision in Carpenter – it’s clear privacy has risen to the top of
policymakers’ agenda worldwide,” said Omer Tene, Chief Knowledge Officer of
the International Association of Privacy Professionals (IAPP). “Now,
industry will need to adapt.” Support for a national law that addresses
privacy issues has grown. Apple CEO Tim Cook recently said that his company
is “in full support of a comprehensive federal privacy law in the United
States.”

Cook called the argument made by some tech companies that they could “never
achieve technology’s true potential” if they are “constrained by privacy
regulation” as not only “just wrong,” but also destructive. “We will never
achieve technology’s true potential without the full faith and confidence
of the people who use it,” he said, noting that legislation should be based
on users having the right to access to the data companies collect and to
security. “Security is foundational to trust and all other privacy rights.”

*National breach notification law*

A bill introduced by the House Financial Services Committee would amend the
Gramm-Leach-Bliley Act (GLBA) to include a national breach notification law
for the financial industry that would supersede the multitude of state laws.

“It is going to take better cooperation from all my colleagues and the
industries that handle consumer data in order to advance additional
meaningful changes,” the author of the bill, Rep. Blaine Luetkemeyer,
R-Mo., said in a statement. “At some point, there will be another major
breach, and without a comprehensive solution our constituents will pay the
price for our inaction.”

*State of California’s SB 327 – Information privacy: connected devices act*
<https://techbeacon.com/secure-iot-not-just-good-idea-its-law-california>

California’s IoT law applies to manufacturers of devices, or those who have
a device manufactured on their behalf, for sale in California. It does not,
however, apply to devices purchased for resale, even if they are privately
labeled, and some legal experts
<http://www.mondaq.com/unitedstates/x/743698/IT+internet/Californias+IoT+Security+Law+Will+This+Law+Really+Improve+Security>
feel “the law is ambiguous in many respects, and will likely create
significant challenges in its implementation and effectiveness,” according
to Sudhakar Ramakrishna, CEO, Pulse Secure.

*Secure Elections Act*
<https://www.congress.gov/bill/115th-congress/house-bill/6663?q=%7B%22search%22%3A%5B%22Secure+Elections+Act%22%5D%7D&r=1>

Introduced in December 2017 by Sen. James Lankford, R-Okla., the proposed
legislation in many ways resembles the Protecting American Votes and
Elections Act of 2018 bill. It would eliminate paperless voting machines,
replacing them with paper ballots. It also encourages states to perform
post-election audits. In June 2018, the bill, which was panned
<https://www.scmagazine.com/home/security-news/government-and-defense/white-house-pans-election-security-act/>
by a White House that said DHS has the needed statutory authority to
assist states, was submitted to the Congressional Committee on Rules and
Administration, and hearings were held. But the legislation has not
progressed since then.

*Cybersecurity and Infrastructure Security Agency Act*

In November, the president signed H.R. 3359
<https://www.congress.gov/115/bills/hr3359/BILLS-115hr3359rh.pdf>,
legislation that redesignates the Department of Homeland Security’s
<https://www.scmagazine.com/search/DHS/> National Protection and Programs
Directorate (NPPD) as the Cybersecurity and Infrastructure Security Agency
(CISA). Introduced by Rep. Michael McCaul (R-Tex.), the bill, known as the
Cybersecurity and Infrastructure Security Agency Act of 2017, amends the
Homeland Security Act of 2002. According to a
Congressional bill summary
<https://www.congress.gov/bill/115th-congress/house-bill/3359?q=%7B%22search%22%3A%5B%22h.r.+3359%22%5D%7D&r=1>,
the legislation states that CISA would be “headed by a Director of National
Cybersecurity and Infrastructure Security to lead national efforts to
protect and enhance the security and resilience of U.S. cybersecurity,
emergency communications, and critical infrastructure.” This restructured
agency would consist of a cybersecurity division, an infrastructure
security division and an emergency communications division.

*NIST Small Business Cybersecurity Act*

A year and nearly four months after the measure was introduced, the NIST
Small Business Cybersecurity Act
<https://www.gpo.gov/fdsys/pkg/BILLS-115s770enr/pdf/BILLS-115s770enr.pdf>
was officially signed into law. Originally proposed as H.R. 2105 in April
2017, the act was later absorbed into U.S. federal law S.770, and requires
the director of the National Institute of Standards and Technology, within
one year of the law’s passing, to issue guidance and a consistent
set of resources to help SMBs identify, assess and reduce their
cybersecurity risks. S.770 also tasks NIST, a division of the U.S. Commerce
Department, with considering the needs of small businesses when developing
these recommendations, which among other key qualities should be widely
applicable and technology-neutral and “include elements that promote
awareness of simple, basic controls, a workplace cybersecurity culture, and
third-party stakeholder relationships.”

*ENCRYPT Act*

A bipartisan group of representatives has put forth a bill to create a
national encryption standard that would supersede any similar standards
created at the state or local level. Representatives Ted W. Lieu D-Calif.,
Mike Bishop R-Mich., Suzan DelBene D-Wash. and Jim Jordan R-Ohio
reintroduced the Ensuring National Constitutional Rights for Your Private
Telecommunications (ENCRYPT) Act. If enacted the bill would ensure a
uniform, national policy for the interstate issue of encryption technology.
“As a computer science major, I can tell you that having 50 different
mandatory state-level encryption standards is bad for security, consumers,
innovation, and ultimately law enforcement,” Lieu said. Bishop agreed, saying
the concept of having a central repository is key to defending the nation
against cyberattacks.

*CLOUD Act*

Rights groups sounded the alarm over the Clarifying Lawful Overseas Use of
Data (CLOUD) Act, ostensibly meant to streamline the process through which
law enforcement accesses data across borders, saying that it instead would
circumvent Fourth Amendment protections and put human rights activists at
risk. The act would essentially provide a “backdoor” for law enforcement at
home and abroad to access emails, chat logs, videos and photos, “without
following the privacy rules where the data is stored,” according to an
Electronic Frontier Foundation (EFF) blog post
<https://www.eff.org/deeplinks/2018/03/new-backdoor-around-fourth-amendment-cloud-act>.
The CLOUD Act backdoor “operates much in the same way” as provisions under
Section 702 of the FISA Amendments Act that let police “search, read and
share” private communications without obtaining a warrant, the post states.
Essentially, “U.S. police could obtain Americans’ data, and use it against
them, without complying with the Fourth Amendment.”

*Russian sanctions legislation*

Determined to show Russia the full wrath of the U.S. government for its
interference in the 2016 presidential election, a bevy of Democratic and
Republican senators pushed a bill that would, according to Sen. Lindsey
Graham, R-S.C., “impose crushing sanctions and other measures” on the
nation-state until Russian President Vladimir Putin puts a halt to meddling
in U.S. elections and cyberattacks on critical infrastructure. The
legislation reiterates
<https://www.lgraham.senate.gov/public/index.cfm/press-releases?ID=E4AC5E4C-EFD0-4F25-9808-745E1737EF65>
the U.S.’s support for NATO and would require a two-thirds vote to exit the
organization. Interference in elections would be grounds for refusing to
allow immigration to the U.S. The bill includes an *International
Cybercrime Prevention Act* that would let prosecutors “shut down botnets
and other digital infrastructure that can be used for a wide range of
illegal activity” while the *Defending the Integrity of Voting Systems
Act* would let the Justice Department “pursue federal charges for the
hacking of any voting system that is used in a federal election.”

*FISA Amendments Authorization Act*

A six-year extension to the much-debated Section 702 of the Foreign
Intelligence Surveillance Act (FISA) made its way to the White House for
the president to sign in January after the Senate gave it a nod by a vote
of 65 to 34.

But not without some confusion and controversy. Prior to an earlier House
vote, President Trump posted a pair of contradictory tweets over his take
on the proposed legislation that momentarily threw lawmakers into confusion
over his position. “We’re disappointed with the
passage of the FISA Amendments Reauthorization Act and the misleading
statements supporters of the bill made about the collection of
communications, the process by which these records are obtained by the FBI,
and the alternatives offered by privacy-minded members of the House and
Senate like Justin Amash, Mike Lee, Rand Paul, and others,” FreedomWorks
Vice President of Legislative Affairs Jason Pye said in a statement.

*Cyber Diplomacy Act*

A bipartisan group of lawmakers cheered the passage of the Cyber Diplomacy
Act (H.R. 3776) by the House of Representatives. The bill was introduced by
Rep. Edward Royce, R-Calif., and Elliot Engel, D-N.Y., in September 2017
and will now move on to the Senate. If signed into law the Cyber Diplomacy
Act would require the government to secure and implement commitments from
other countries on proper cyberspace behavior. This would include
generating agreements between nations to not support cybercriminal activity
such as theft of intellectual property, cooperate in developing measures to
keep their territories clear of intentionally wrongful acts using
information and communications technology (ICT) in violation of
international commitments and promote securely-designed ICT products.