This is, as you may be able to tell, a fairly wide-ranging bill. That was partially by design. The core of the bill is a heavily reshuffled version of the RL Cyber Incident Notification Act, currently still on the House floor, but it also incorporates about half a dozen other measures recommended by various cybersecurity experts in view of our current situation: a lot of exposure and not enough ways to secure our important digital assets from both foreign and domestic threats.
Cybersecurity protections can fail in a number of different ways. That may occur as a result of sloppy practices or human error or simply having overly weak defenses against bad actors, so Section 3 is a roadmap for both the public and private sectors to work to shore up their defenses with a baseline measure of certification of security measures, focusing particularly on both one’s own protections and the protections used by immediate suppliers. It is difficult for a given agency or entity to look into the practices of their entire supply chain, but a focus on their immediate neighbors is both doable and can lead to a substantial strengthening of the overall system's security. The federal government's practices are often adopted by the private sector and §3.1.b attempts to make use of that with regard to establishing a common baseline for cybersecurity measures.
This is not necessarily a fight we can accomplish alone, especially when foreign actors are involved, so Section 4 lays out some aims to be pursued on the international level: both cooperative (with other intelligence agencies from around the world and with their governments, which can sometimes be affected by other nations’ individual privacy and data policies) and deterrent (against foreign agents working on behalf of places like Russia and China). We urgently need a two-pronged policy of this sort on the international stage and this section gives leeway for the executive branch to set out its own detailed path.
Sections 5 and 6 are a response to the common problem of cybersecurity response. It's difficult to combat cyber threats when we don't even know they are carried out, as is overwhelmingly the case because of underserved reporting capabilities. Most private agencies are also reluctant to report breaches because that can invite unwanted scrutiny. Being able to find out about and respond to cybersecurity incidents in time substantially raises the odds of us being able to counter these threats, down to recovering the assets or random that allows cybercriminals to turn profits. So these two sections create reporting capabilities that anyone can make use of, establish guidelines for what needs to be reported and when, and lay out what needs to be done with that information. Section 6 indemnifies people and companies who make these submissions from legal liability.
To take a quote by the
eponymous xkcd character out of context, the best defense is an indiscriminate offense. This bill is not quite as haphazard as that implies, but the spirit of that statement is in line with our best national efforts against cybercrime. It was also originally composed all at once at 3 a.m. in the morning so please offer your thoughts and any improvements you think could be made.
