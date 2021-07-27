The series of alarming cybersecurity incidents that spurred the Biden Administration to take swift action during its first six months has also prompted the US Congress to introduce new cybersecurity bills. In the little more than two months since CSO reported on what was then a busy Congressional cybersecurity agenda, lawmakers have introduced at least 18 additional bills to shore up and expand the nation's cybersecurity capabilities.

In a sign that cybersecurity is becoming an increasingly higher legislative priority, the pace of Congress' interest in a range of digital security matters seems to be accelerating. Last week alone, the House Committee on Energy and Commerce voted to advance six bills that primarily deal with digital security and two other bills that contain significant cybersecurity provisions.

Data breach notification bill emerges

Last week Senator Mark R. Warner (D-VA), chairman of the Senate Select Committee on Intelligence, along with Senator Marco Rubio (R-FL), vice chairman of the Committee, and Senator Susan Collins (R-ME), a senior member of the Committee, also introduced the Cyber Incident Notification Act of 2021. This bill would "require federal government agencies, federal contractors, and critical infrastructure operators to notify the Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA) when a breach is detected so that the US government can mobilize to protect critical industries across the country."

The bill further grants legal immunity to organizations that come forward with breach reports. In addition, it asks CISA to "implement data protection procedures to anonymize personally identifiable information and safeguard privacy."

The legislation fills a void of what many cybersecurity professionals say is a woeful lack of metrics about how many and what kind of cybersecurity incidents take place. Outside of a handful of critical infrastructure sectors, no consistent data breach reporting mandates exist, making it difficult for the government to use its resources to fend off attacks while occurring or gather lessons learned after they've occurred.

"We shouldn't be relying on voluntary reporting to protect our critical infrastructure," Warner said in announcing the cyber incident bill. "We need a routine federal standard so that when vital sectors of our economy are affected by a breach, the full resources of the federal government can be mobilized to respond to and stave off its impact."

Cybersecurity funding boosts appear in authorization bills

Last week also saw the Senate Armed Services Committee pass its version of the 2022 defense authorization bill, which calls for hefty cybersecurity budget increases and requirements for the defense sector. Among the increases are $268.4 million more for the Defense Department's cybersecurity budget.

The authorization also assigns to the head of Cyber Command the "responsibility for directly controlling and managing the planning, programming, budgeting, and execution of the resources to maintain the Cyber Mission Forces." Moreover, the bill asks the Department of Defense to assess what it needs to defend itself against cyberattacks as well as conduct a pilot study to examine the "viability of teaming with "internet ecosystem companies to discover and disrupt the use of their platforms, systems, services, and infrastructure by malicious cyber actors."

The proposed increases in cybersecurity funds for the Pentagon follow the draft fiscal year 2022 Homeland Security funding bill released on June 29 by the House Appropriations Committee. That bill calls for a 16%, or $397.4 million, increase in CISA's budget above the fiscal year and $288.7 million above the requested amount.

Probe launched into cryptocurrency's role in ransomware

Finally, last week Senator Gary Peters (D-RI), Chairman of the Homeland Security and Governmental Affairs Committee, announced he is launching an "investigation into the role cryptocurrencies continue to play in emboldening and incentivizing cybercriminals to commit ransomware attacks that pose an increasing threat to United States national security." Peters' investigation would also look at "how federal regulators and lawmakers can work to disrupt the incentive to commit crimes in exchange for cryptocurrencies."

16 additional bills cover a gamut of cybersecurity issues

In addition to Warner's breach notification bill and a bill reintroduced by Senator Kirsten Gillibrand (D-NY), the Data Protection Act of 2021, which would create a new federal agency to protect Americans' data, lawmakers have introduced at least 16 other new cybersecurity bills since the end of May. These bills range from vehicles seeking to improve cybersecurity literacy to possible regulatory requirements affecting the nation's communications infrastructure: