Guest Post: Thoughts on Cybersecurity Bills in the 117th Congress

By Liam Dorney

Reading through the new report Cybersecurity Bills in the 117th Congress from the Cyber Policy Institute, I am struck by the range and scope of legislative activity on this issue. The report reviews the 80 cybersecurity-related bills submitted or passed by the 117th Congress between January 2021 and January 2022. With that in mind, here are some specific thoughts on pieces of legislation that caught my attention for better or worse:

  • S. 1605 and H.R. 4350, the National Defense Authorization Act for Fiscal Year 2022—The report says, “All federal agencies will eliminate legacy software, a housekeeping task that will reduce security threats.” This is an immense undertaking for the federal government, requiring a sound implementation of inventory and configuration management. Whether it is a CIS control (Control 1) or a NIST control (CM-02, CM-08, AU-06 in whichever version of NIST SP 800-53 is used for critical government support, i.e., FedRAMP), the control is, and has been, considered critical and foundational for some time. When legislation like the NDAA passes, right-sizing funding (specifically targeted) and execution efforts (i.e., how to sunset technology, including configuration and hardening of the replacements) are crucial to the success of this legislation.

  • S. 1687: Small Business Cyber Training Act of 2021 and H.R. 4515: Small Business Development Center Cyber Training Act of 2021—This is a very healthy and welcome approach to training those on the front lines of small businesses. Many vendors, including SimSpace, are standing by to assist with this kind of training. Socializing those vendors and their solutions, based on known, successful past performance with the government, will help increase access for small businesses and, by proxy, improve the state of information security in our country.

  • S. 3522: Ukraine Democracy Defense Lend-Lease Act of 2022/S. 3488: Defending Ukraine Sovereignty Act of 2022 and H.R. 6470: Defending Ukraine—Similar to efforts led by the Departments of State and Defense and agencies throughout government, partnering with those in the crosshairs of our named and unnamed adversaries is sound statecraft. Monitoring, coordination, and validation of how those technologies and TTPs are utilized, especially against intended targets, remains a crucial area for further consideration. When dealing with cultural (non-state-defined) boundaries, many in the US are distant enough from external cultural conflicts (potentially older than our country) that understanding the employment of advantages (technological or otherwise) remains limited and often vague when considering a well-defined “long game” for our country and those who need our support. This is something our nation-state adversaries do inherently, and it’s time for us to do so as well.

  • S. 2292: Study on Cyber-Attack Response Options Act—Pointing back to CISA, we have so much to get right before opening the floodgates to counterattacks. That said, adding proportional responses to existing playbooks for the defense of private information systems could make sense. While the private sector has a fairly well-defined standard (and a maturing technology set) for red teaming, BAS, and penetration testing, this study should make some strong recommendations for coordination of efforts across critical infrastructure sectors. In the world of offensive security, attribution is extremely complex. One would want to consider the ramifications of incorrect (think US on the US) or inappropriate ( vs. competitor) attribution for offensive actions taken under this kind of guidance.

  • H.R. 4551: RANSOMWARE Act—Legislation dealing with ransomware should be keenly focused on what to do when in a ransomware situation and strictly avoid treating ransomware as a distinct function of an attack framework. That is to say, providing clear guidance on what to do (i.e., a methodology) and what tools to respond with (open-source and paid) when a company or agency detects unauthorized encryption of critical business systems is where this bill goes right. Again, pointing at CISA, we have the tools identified, but we need more employment methodologies that speak to and support business. Where it could go wrong is if this bill wraps compromise (intrusion, breach) and payload delivery into what the media has labeled ransomware, which is, in fact, the execution of that payload restricting access to business systems (in whole or in part). A lot happens before a company gets into a full-blown ransomware scenario, and we should be clear about that in the RANSOMWARE Act. This bill should also avoid attempting to provide federally supported on-prem decryption solutions. Privacy advocates (myself included) do not want to see the federal government engaging with the private sector to find ways to break encryption. Instead, provide a practical, cost-considerate way for those hit with ransomware to solve their problem: retrieve their data or restore their systems. In my mind, getting left of the situation by offering legislative incentives for routine, secure system backups makes a whole lot of sense. It’s worth pointing out that secure backup has been part of federal controls for well over a decade. Ransomware should be the impetus for moving everyone to use secure system backups. I’ve repeated “secure system backups” several times intentionally: secure system backups.

About the author: Liam Dorney is CEO of Resolvn, a SimSpace subsidiary. Resolvn offers cyber range solutions with offensive and defensive security methodologies.