Organizations within the United States have been subject to a series of effective and damaging attacks in recent months, and pressure has increased for the Senate to provide cyber legislation that will address them. Many victims of these attacks lack appropriate security measures, or have measures in place that were compromised somehow, such as by a weak password. Currently, no federal cybersecurity regulations impose enforceable requirements on civilian organizations; there are only suggested standards (such as NIST).
A bipartisan bill aims to change that by defining “critical infrastructure” that would be subject to federal cyber requirements, along with increasing security standards for federal agencies. The bill would also provide a measure of protection to organizations that report a breach, shielding them from some or all of their liability in exchange for reporting an incident within 24 hours. While this may seem expensive, the damage caused by an ongoing, unreported attack is likely to be significantly higher as the attacker moves system-to-system or organization-to-organization.
However, while the general concept of the bill enjoys bipartisan support, two versions of it are currently circulating: one drafted by Democrats and one by Republicans. Both parties have expressed support for both versions of the bill, as long as some changes are made to the other side’s version. It remains to be seen whether either version will make it to the Senate floor.