Introduction
Washington Watch is an amalgamation of executive, congressional, and judicial action on various topics within cybersecurity designed to inform on the trends and conversations happening in Washington surrounding cyber. We hope the information provided here will help your organization prepare for any changes it will need to make based on legislation or other federal action that may be taken and that it will start a conversation about the national movement towards greater cybersecurity and resilience.
Executive
White House: Over the last six months, the White House focused heavily on consumer protection. In September, following a listening session on tech platform accountability, the White House put out a list of principles to guide the regulation of tech platforms going forward: tech competition, algorithm discrimination, algorithm transparency, online privacy, social platform safety, and changes to Section 230. These guiding principles come from the six key areas of concerndiscussed in the session: competition, privacy, youth mental health, misinformation and disinformation, illegal and abusive conduct, including sexual exploitation, and algorithmic discrimination and lack of transparency. While these principles and concerns are directly targeted at tech platforms, businesses in other industries should keep them in mind as potential areas of regulation going forward.
In October, the Biden administration announced a plan modeled after the Energy Star labeling system to enable consumers to make cybersecurity-minded decisions when purchasing Internet of Things (IoT) devices. The plan follows recommendations from the 2020 Cyberspace Solarium Commission and is intended to roll out sometime in Spring 2023. The initial launch will focus on “at risk” products widely used in American homes like routers and home cameras. Going forward, manufacturers and other businesses producing or selling these kinds of products should consider building better security systems into these devices or risk low ratings and, potentially, consumers moving to competitor products with higher cybersecurity ratings.
On the last day of cybersecurity awareness month, the White House held the second annual Counter-Ransomware Initiative with 37 countries and 13 global companies represented. This initiative was launched with the goal of setting international norms and the second iteration indicates Washington’s continued commitment to countering ransomware and building the international coalition necessary to achieve shared goals in cyberspace.
Other actions out of the White House include the announcement of a 100-day sprint on chemical sector cybersecurity that will end in February and the announcement of $1 billion in funding for a state and local government cybersecurity grant program that can be used to fund new or existing cybersecurity programs.
Cybersecurity and Critical Infrastructure Agency (CISA): As CISA prepared for the new year, it announced several forward-leaning initiatives and requests. The first of these came following March’s Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) as CISA requested input from industry on how to best shape this Congressionally-mandated regulation. The final regulation requires owners and operators of critical infrastructure to file incidents with CISA within 72 hours and must report ransom payments within 24 hours. Other businesses are encouraged to take part voluntarily.
In August, CISA released an insights paper on preparing for post-quantum computing urging business leaders to prepare now for a post-quantum world ahead of the forthcoming 2024 encryption standard changes from NIST.
In September, CISA released its 2023-2025 strategic plan which defined the organization’s four main goals: to spearhead national cyber defense efforts, reduce risks to and strengthen the resilience of critical infrastructure, strengthen operational collaboration and information sharing, and unify as “One CISA.” CISA also floated a potential plan to engage university students as the frontline response on a cybersecurity emergency call line. This plan aims to involve young people in cybersecurity to address the growing talent shortage in the field and provide support to organizations experiencing cybersecurity issues. Finally, the agency announced potential changes in critical infrastructure sectors, namely consolidating some sectors and adding others such as space and bioeconomy.
Following a July 2021 presidential memorandum, CISA released voluntary cross-sectional cybersecurity performance goals in October. These come ahead of CISA’s sector-specific cybersecurity recommendations expected sometime this year. Also coming next year are CISA sprints focused on improving the security of hospitals, schools, and water facilities.
Other Executive Agencies: A number of joint statements were put out by various intelligence and executive agencies for industry including the NSA, CISA, and ODNI’s joint software supply chain guidance for developers and CISA, DoJ, and FBI MS-ISAC’s guide for responding to distributed denial of service (DDoS) attacks.
The NSA released future quantum-resistant algorithm requirements for national security systems in September, further signaling Washington’s significant concern over quantum computing. TSA rolled out a long-awaited cyber directive for freight and passenger rail systems as part of the administration’s broad effort to increase resilience across critical infrastructure sectors. The FCC approved new rules aimed at protecting emergency alert systems from cyber threats. As for rules that have been proposed but not yet finalized, the FTC closed comment for commercial surveillance at the end of November, but final rules have yet to be announced. The Office of the National Cyber Director requested public input on building the cyber workforce and expanding training and education. This information gathering period ended January 6 with select respondents attending a virtual reverse stakeholder day in February. Finally, a comment period for an advanced notice of proposed rulemaking from the TSA/DHS on enhancing surface cyber risk management and strengthening cybersecurity and resilience in the pipeline and rail sectors ends January 17, 2023.
Other efforts by the executive branch come out of the Department of State and the FTC. The State Department launched an outreach program in October to encourage Silicon Valley technology firms to take part in solving the nation’s cybersecurity challenges. The FTC extended compliance deadlines for the financial data security rule by six months through May 2023.
Congress
Congress took action on 24 cybersecurity-related bills with 2 becoming law, 3 passing one chamber, and one resolving differences. Because a new Congress was formed this January, any bills that did not pass are dead, but it is possible they will be reintroduced or repackaged in the 118th Congress.
Became Law: The Small Business Administration (SBA) Cyber Awareness Act (H.R. 3462) was signed into law in December and requires the SBA to annually report on certain information related to cybersecurity awareness. The Quantum Computing Cybersecurity Preparedness Act (H.R. 7235) which was also signed into law in December addresses the migration of executive agency information technology systems to post-quantum cryptography.
Resolving Differences: The Small Business Cyber Training Act (S. 1687) was passed in the Senate and has been returned by the House to resolve key differences. This bill would have required the SBA to establish a program for certifying 5-10% of the total number of employees at a small business development center to provide cybersecurity planning assistance to small businesses.
Passed One Chamber: The No TikTok on Government Devices Act (S. 1143), Industrial Control Systems Cybersecurity Training Act (H.R. 7777), and the Civilian Cybersecurity Reserve Act (S. 1324) all passed their chambers of origin but did not move beyond that.
Introduced:
- S. 4701: Small Businesses Cybersecurity Act
- H.R. 8806: Healthcare Cybersecurity Act
- Companion Senate Bill: S. 3904
- H.R. 8970: National Community College Cybersecurity Challenge Act
- S. 4985: Cryptocurrency Cybersecurity Information Sharing Act
- H.R. 9022: Shifting Forward Vehicle Technologies Research and Development Act
- H.R. 9085: Cybersecurity Clinics Grant Program Act
- H.R. 9229: Department of Health and Human Services Cybersecurity Coordination Act
- H.R. 9234: Critical Electric Infrastructure Cybersecurity Incident Reporting Act
- H.R. 9259: Cybersecurity Skills Integration Act
- S. 4698: Improving Cybersecurity of Credit Unions Act
- H.R. 9356: RESILIENCE Act
- H.R. 9443: Small Business Cybersecurity Enhancement Act
- S. 4528: Improving Digital Identity Act
- S. 2875: Cyber Incident Reporting Act
- S. 2993: CISA Cyber Exercise Act
- S. 4913: Security Open Source Software Act
Supreme Court
After agreeing to hear them in October 2022, the Supreme Court will hold oral arguments for Gonzales v. Google LLC and Twitter, Inc. v. Taamneh. Both cases deal with Section 230 of the Communications Decency Act in different ways.
Gonzales v. Google LLC addresses questions around the scope of liability and immunity for internet service providers as it relates to Section 230. Twitter, Inc. v. Taamneh also addresses the liability of internet service providers under Section 230 while also looking into the Anti-Terrorism Act. Taamneh alleges that Twitter and other internet service providers aided and abetted the growth of the Islamic State terrorism group that led to the shooting of 39 people at the Teina nightclub in Turkey.
These cases and the way that the Court rules on the liability of internet service providers under Section 230 have significant potential to change the landscape of the internet and accessibility of information going forward.
At the State Level
In the continued absence of a national data privacy regulation, multiple states have taken steps to ensure the online privacy of their citizens. California’s Consumer Privacy Act (CCPA) was reformed in the second half of last year to better define unstructured data, simplify implementation efforts, modify disclosure regulations, modify requirements for archived backups, and change opt-out requirements. Overall, the changes to the CCPA address concerns heard in the comment period to make compliance easier for small to medium sized businesses. Virginia and Colorado’s data privacy acts also went into effect on January 1, 2023.
Though New York does not have an overarching cybersecurity regulation, the Department of Financial Services proposed the official version of its new regulation. Changes from July’s pre-proposed rule are that the official rule:
- Removes the requirement for an independent CISO
- Requires the board, in addition to having or consult with cyber expertise, to provide oversight and management to the entity’s cyber risk management program
- Requires a written vulnerability management program to assess the effectiveness of its cybersecurity program.
About Consortium Networks
With our engineering roots, we know that the best evaluation and advice around technology comes from the subject matter experts that use the product every day. At Consortium Networks we solicit and consolidate this information and make it available to help you make the best decisions for your business.
Consortium Networks is a veteran-owned business built on honesty, integrity, moral principles, and high ethical standards. We Infuse these values into every aspect of our company.
Consortium Networks is committed to helping others in our community by supporting causes such as Feeding the Homeless, Helping End Addiction, Alstrom Strong, Families of FBI Agents, CLLF USA and others.