If the opening weeks of 2019 are any indication, the rest of the year will prove a challenge for the drafting and implementation of a United States Federal regulatory framework for cybersecurity. The partial shutdown of the U.S. government that began on December 22, 2018 placed a strain on essential resources and tested the country’s cybersecurity response.
Expired security certificates impacted multiple government websites operating under the .gov domain, scarce cybersecurity talent left for the private sector, and skeleton staff operated critical national security systems in January 2019. As 2019 progresses, government cybersecurity is expected to remain in the spotlight. With nation-state cyber warfare and data breaches making the headlines daily, analysts believe the nation’s vital infrastructure, elections, and government secrets remain a prime target.
According to the Pew Research Center, of the 26 countries surveyed, the US was among the most likely to say cyber attacks will occur on targets within its borders. With 43% of the U.S. respondents believing the government is not prepared to handle a major cyber incident, politicians may begin feeling the pressure from states, companies, and consumers to implement a European-style GDPR (General Data Protection Regulation) framework around data protection and privacy.
Another political catalyst that may also impact policy in 2019 is the 2020 US Presidential election. With accusations of Russian meddling in the previous polls still making headlines, Congress may enact legislation to try and prevent it from happening again. However, as the election campaigning gets underway, politicians’ attention may be directed away from cybersecurity legislation. At the U.S. federal level, we have already seen Facebook, and other technology companies testify before Congress on security and privacy matters. There has been some movement in this critical area of national defense, but no legislation has been forthcoming. The U.S. Government must maintain its momentum and give this vital area of national security the attention it deserves.
U.S. National Cyber Strategy
In September 2018, the White House released its 2018 National Cyber Strategy. The primary goal of this strategy is to ensure cyberspace remains the driving engine of the digital economy. The policy document outlines the steps the U.S. federal government is taking to advance transparency, security, and reliability in cyberspace. It also demonstrates the commitment of the U.S. government to build cyber capacity with their international partners through direct efforts. It covers policy elements such as assisting partners in establishing and executing national cybersecurity strategies and addressing cybercrime. These policy statements indicate the federal government’s commitment to engage with the private sector and U.S. allies in creating and implementing cybersecurity. However, like all strategies, the proof of intent will lie in the actual implementation of the strategic policies stated in the document.
Policy Enforcement Against Foreign Companies
Another factor that will have an impact on federal cybersecurity trends in 2019 is the U.S. government’s current foreign policy position. The federal government’s ban on the use of Huawei and ZTE products in August 2018 is a prime example. U.S. lawmakers also introduced a bipartisan bill that proposes banning the sale of U.S. technology to Huawei and ZTE. These measures by the federal government have been put in place to protect the national security of the nation, but with the current state of trade, there may well be other underlying motives behind these moves.
Huawei and ZTE are not the only companies that have felt the effects of this policy. In December 2017, President Trump signed the legislation into law banning the use of Kaspersky Lab technology in the U.S. government. This ban was subsequently upheld by the Washington DC Court of Appeals in November 2018. Every supplier sanctioned in this way has vehemently denied any wrongdoing. Kaspersky Lab even went so far as to move a number of their core operations to Switzerland. However, distancing themselves from Russia failed to change the minds of the U.S. government and some of its allies.
Growing Security and Privacy Concerns
As the Internet has evolved and entrenched itself into every industry, the amount of personal data stored online has increased exponentially. With information being the currency of the digital age, data breaches have increased dramatically over the past few years with some high-profile names making the headlines. Yahoo, eBay, and Equifax are just some of the major U.S. companies that have been compromised. Even the U.S. government has not been spared: the Office of Personnel Management suffered a data breach that was discovered in 2015. Recently, a woman admitted in federal court to using identities of the OPM breach victims to take out fraudulent loans. With citizens demanding action, the federal government will need to strengthen privacy legislation.
International trends illustrate this momentum as governments around the world put measures in place to protect the private information of their citizens. The European Union’s enactment of the General Data Protection Regulation (GDPR) that came into effect in May 2018 is a prime example of this. Even though the GDPR is legislation enacted by the European Union (EU), U.S. companies processing the personal data of EU citizens still need to comply. With Google recently fined 50 million euros by the French data regulator for breaching the EU’s data protection rules, the GDPR is already being used as a tool to enforce security and privacy in U.S. corporations. While the U.S. may not have legislation that requires similar privacy requirements, the evolving threat landscape may force the government to pass similar regulations. With technology leaders like Apple demanding federal data privacy regulations, pressure from the industry is mounting on U.S. lawmakers.
The emergence of new technologies like Artificial Intelligence (AI) and the Internet of Things (IoT), may also force the U.S. federal government to pass regulations. Some U.S. states have already passed cybersecurity laws to strengthen the security of emerging technologies. For example, California’s new SB327 law requires all connected devices to have reasonable security features. The Fundamentally Understanding the Usability and Realistic Evolution (FUTURE) of Artificial Intelligence Act is another example. Introduced by a bipartisan group of U.S. senators and representatives in December 2017, this bill, currently referred to the Subcommittee on Research and Technology, hopes to define rules for the deployment and security of AI.
Will 2019 Be the Year for Cybersecurity Legislation?
With cybersecurity becoming ever more relevant in today’s digital age, the trend from the U.S. federal government is to take steps to protect the nation and its citizens from cyber threats. With the U.S. National Cyber Strategy and the recent sanctions against foreign technology companies, lawmakers are starting to enact cybersecurity legislation. Growing security and privacy concerns are also beginning to gain traction, starting with technology companies testifying before Congress in 2018.
Emerging technologies continue to be closely monitored with legislation on AI and IoT on the cards at both the state and federal levels of government. All these factors indicate that cybersecurity is starting to get the attention it deserves from the federal government. It may, however, take some time before U.S. lawmakers pass any meaningful legislation to protect U.S. citizens from what have become everyday onslaughts from cyberspace.
Coranet is a certified Woman-Owned Information Technology Organization that has been meeting the requirements of Enterprise and Government entities for over 30 years. Network Engineering and Technical Support is part of our foundation and we continue this proud tradition with a 360-degree approach to technology solutions and services in the areas of Audio Visual, Network & Physical Security, IT Infrastructure, and Consulting/Project Management. Coranet is ISO 9001 registered, Lean Six Sigma and WBENC certified.
Please contact us at Sales@coranet.com for more information