Building the Case for Cybersecurity
Bill's Aim: Assemble Facts to Support Stronger Cyberdefense
"Every year, cyberattacks inflict vast damage on our nation's consumers, businesses and government agencies, but they have not received the attention they deserve," says Sen. Sheldon Whitehouse, D-R.I., who along with Sen. Jon Kyl, R-Ariz., last week introduced the Cybersecurity Public Awareness Act of 2011. "Congress needs to act in a number of areas to improve cybersecurity. One important element of this effort will be to ensure that we are properly informed going forward about the cyberthreats posed by criminals, terrorists and hostile nations."
Whitehouse and Kyl contend that the level of public awareness of cyberthreats is unacceptably low, pointing out that only a tiny portion of relevant cybersecurity information is released to the public. The sponsors say information about attacks on federal sites is usually classified, and information about attacks on private systems is ordinarily kept confidential, declaring that sufficient mechanisms do not exist to provide meaningful threat reports to the public in unclassified and anonymized form. Their bill aims to change that.
The legislation would require the departments of Homeland Security and Defense to submit annual reports to Congress on attacks on federal networks. Among the data to be collected: aggregate statistics on the number of federal network breaches, volume of data stolen and the estimated cost to remediate breaches. DHS also would be required to report on impediments to appropriate public awareness of common cybersecurity threats.
Another provision of the bill would require the Justice Department and FBI to submit annual reports on the number of investigations initiated, arrests made and cases prosecuted related to cybercrimes. These reports also would include the number of cybercrime prosecutions that have been delayed or prevented because of the inability to extradite a defendant in a timely manner.
The regular reports to Congress also would identify the number of employees, financial resources and other resources such as technology and training devoted to enforcing, investigating and prosecuting cyberintrusions, including the number of investigators, prosecutors and forensic specialists dedicated to the tasks.
Among other provisions, the bill would require the:
- DHS to describe policies for federal agencies to assist the private sector in defending information networks against cyberthreats that could result in loss of life or significant harm to the national economy or national security. These reports would be unclassified, though they could include classified addenda.
- Securities and Exchange Commission, in consultation with the secretary of Homeland Security, to report on the financial risk to issuers of securities caused by cyberintrusions and any resulting legal liability.
- Primary regulators for each critical industry to report the nature of the vulnerabilities to cyberattacks as well as the prevalence of cyberattacks, and to recommend steps to thwart or diminish virtual assaults.
- Attorney general, in coordination with the federal courts' administrative office, to report on whether federal courts have granted timely relief in matters relating to botnets and other cyberthreats, and to provide recommended changes to court rules, training and federal civil and criminal laws.