Why the US Needs Comprehensive Cybersecurity Legislation – Source: securityboulevard.com

Taking a hands-off approach to cybersecurity is no longer good enough for any organization. In 2023, cyberattacks against public sector services rose 40% in the second quarter compared to the first. Schools have become the fifth most-targeted industry for data breaches, according to a 2023 report, just behind entertainment, technology, and retail businesses. 

There certainly should be limits on government oversight in the United States, but when we’re talking about successful cyber attacks targeting essential human needs such as drinking water, something needs to be done. 

Since the US introduced the Cybersecurity Information Sharing Act (CISA) in 2000, there have been multiple debates about exactly what the specific provisions and scope of cybersecurity legislation should comprise. 

One thing is clear, though: cybersecurity has reached a critical tipping point. Whatever the chosen cybersecurity protections might ultimately look like in the end, they have to be robust enough to ensure the security and privacy of US citizens, as well as government and private organizations. 

For many years, private businesses have had to deal with cyber incidents largely on their own with very little legislative protection. However, the sheer volume and impact of cyber incidents and their fallout have made it harder for Congress to turn a blind eye. 

Growing Public Safety Concerns 

In March of last year, the Environmental Protection Agency voiced its concerns that cyberattacks against public water systems were on the rise. These incidents have the potential to contaminate or even disable the delivery of safe drinking water across the US. While many public water systems have made improvements to their cybersecurity, others have barely managed to put basic best practices in place, if at all. 

The US Safe Drinking Water Act requires states to review public water systems every few years to ensure safe water delivery. In March 2023, the EPA interpreted this to include cybersecurity evaluations, prompting lawsuits from states and water groups claiming it exceeded their authority.

In October 2023, the EPA withdrew the memo due to litigation. Shortly after, a joint advisory revealed Iranian hackers are actively targeting US water systems through exposed devices with default passwords. This underscores the vulnerabilities the EPA aimed to address.

Despite legal setbacks, the current administration continues seeking ways to improve critical infrastructure cybersecurity. The Department of Health and Human Services plans to enforce cybersecurity requirements for hospitals. And now, the American Water Works Association and National Rural Water Association, which challenged the EPA’s original cybersecurity enforcements, support a collaborative approach to federal legislation with industry-led standards.

Public drinking water is just one example of an area where everyone involved seems to know there’s a need for some sort of industry-wide cybersecurity standard, but a difference in opinion on how to proceed slows down progress. The problem is attackers are not sitting on the sidelines during these debates. 

Why Comprehensive Legislation Is Required

Protecting essential systems like water infrastructure requires robust measures, whether through agency action or legislative solutions, for a number of reasons. In the second quarter of 2022, the number of attacks targeting the government sector essentially doubled. In 2023, cyberattacks against public sector services rose 40% in the second quarter compared to the first. These attacks target critical infrastructure, government agencies, businesses, and individual citizens, disrupting operations, stealing sensitive data, and causing economic and societal harm.

Currently, the US cybersecurity legal framework is a patchwork of disparate federal and state laws, regulations, and executive orders. This fragmented approach creates confusion, inconsistencies, and gaps in coverage, making it difficult to effectively deter, prevent, and respond to cyberattacks.

It’s also important to bear in mind that critical infrastructure—including power grids, financial systems, and healthcare networks—are increasingly interconnected and digitized. This makes them vulnerable to cyberattacks that could have devastating consequences, including widespread disruption and significant economic damage. 

Strong legislation will not only mitigate the fallout of these attacks but also establish clear channels for communication and collaboration between government agencies, the private sector, and the public during and after cyberattacks. It will also incentivize businesses and organizations to adopt strong cybersecurity practices, which would improve overall cyber hygiene across the country.

Taking Action

In the meantime, what can people do about the lack of clear guidelines on cybersecurity? For starters, they should ask their elected officials to push for change. Public support and pressure will help move the needle. Anyone who uses public tap water (pretty much everyone in the United States) should consider making an effort.

Cybersecurity is an issue that goes far beyond individual safety though. What organizations do and don’t do impacts all of us.

That’s why private and public sector organizations shouldn’t wait for legislation to be written and implemented before taking measures to protect themselves. Everyone needs to proactively strengthen their cybersecurity stance; not just in anticipation of stricter compliance requirements that may be imposed in the near future, but to protect their customers and their business right now. This does not have to be a complex and time-consuming process with the right cybersecurity partner in your corner. 

As mentioned earlier, cyber criminals aren’t waiting for everyone to bring their protections up to speed before launching attacks. The sooner everyone implements protections for what we can control, the safer we’ll all be.

A Word from Our Sponsor

There are a lot of cybersecurity solutions out there that can help protect you and your organization. If you’re interested, we humbly ask you to check out Coro, as we offer a range of security modules that will fit just about any organization’s needs, whether it’s  email, cloud apps, or devices and data. We also offer 24/7 monitoring and AI-powered threat detection to safeguard sensitive information and thwart phishing, ransomware, and malware attacks. 

Thanks to these holistic defense measures, both public and private organizations can address the urgent need for robust cybersecurity across critical operations quickly and efficiently. 

*** This is a Security Bloggers Network syndicated blog from Blog – Coro Cybersecurity authored by Kevin Smith. Read the original post at: https://www.coro.net/blog/why-the-us-needs-comprehensive-cybersecurity-legislation