In years past, cybersecurity news revolved around corporate hacks and credit card scammers. But today’s headlines have taken an alarming turn. News about Russian hackers and government breaches dominates the media.
If there is a silver lining to these attacks, it’s that cybersecurity issues are hitting close to home for legislators, prompting lawmakers to take action and create policies that will keep both corporate and government organizations safer.
Last year, the White House put cybersecurity legislation front and center when it issued Executive Order 13800, which demanded more rigorous regulation of sensitive data and stronger defenses against cyber threats. Meanwhile, over 240 cybersecurity bills and resolutions were introduced by lawmakers in 2017, with 28 states enacting new policies.
What does 2018 hold for cybersecurity regulation? Only time will tell, but some key legal motions are in the works.
Executive Order 13800 Finally Takes Off
It’s been nearly a year since the Trump administration issued its groundbreaking executive order, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, in May of 2017. The order addressed current threats to national cybersecurity, from the use of outdated IT to the lack of adaptable, regularly updated operating systems. The executive order called for heads of executive departments and agencies to perform risk management audits, as well as deliver a comprehensive report to the Department of Homeland Security and the Department of Commerce within 90 days.
Agency heads took their time in 2017, gathering information for reports and consulting with stakeholders and experts. But in January of 2018, a draft report was finally released to President Trump.
The report — titled A Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats — outlines everything from current threats to action plans and budgets.
The report categorizes six principal opportunities and threats:
- Automated, distributed attacks are a global problem.
- Effective tools exist, but are not widely used.
- Products should be secured during all stages of the lifecycle.
- Education and awareness is needed.
- Market incentives are misaligned.
- This is an ecosystem-wide challenge.
It also details five complementary goals designed to improve the resiliency of the internet and communications ecosystem:
- Identify a clear pathway toward an adaptable, sustainable and secure technology marketplace.
- Promote innovation in the infrastructure for dynamic adaptation to evolving threats.
- Promote innovation at the edge of the network to prevent, detect and mitigate bad behavior.
- Build coalitions between the security, infrastructure and operational technology communities domestically and around the world.
- Increase awareness and education across the ecosystem.
For now, the report remains in its drafting stages, with the finalized report due to the President on May 11, 2018. In the meantime, it gives us a glimpse into the concerns of lawmakers, which are sure to influence U.S. cybersecurity legislation in 2018.
The Ripple Effect of GDPR
While sensational headlines about U.S. hacks dominate the news, Europe has had no shortage of cyberattacks. In June of 2017, what began as an attack on the Ukrainian government and businesses rocked the world. The sophisticated attack started in Ukraine, where workers were forced to manually monitor radiation levels at Chernobyl, and spread all the way to Maersk shipping in Denmark, Merck in the U.S. and the Cadbury chocolate company in Australia.
With a history of vicious attacks, it’s no surprise that the European Union is leading the way in cybersecurity regulation. On May 25, 2018, the Union’s aggressive General Data Protection Regulation (GDPR) will go into effect. But while the rule was passed to protect European citizens from data breaches, the blurred boundaries of the internet mean that the GDPR will affect organizations around the world.
In short, the GDPR establishes data protection rules for any company that collects data from an EU citizen — whether or not that company is based in the European Union. This means that if an overseas organization collects data on even one EU individual, they must comply with GDPR regulations or face penalization.
The GDPR covers a wide range of regulations, most notably about data collection and transparency. Any company that collects data from EU citizens will need explicit, informed consent — meaning that terms and conditions will be clearer and users will be asked to check more boxes so that websites can access their data. Consumers will also have the right to revoke that consent, as well as ask companies to provide them with a copy of whatever data they have collected. Additionally, the GDPR sets out rules about how companies are allowed to share the data they’ve collected — a rule that is likely to please unsettled consumers after the Facebook and Cambridge Analytica scandal.
The GDPR also impacts breach reporting. When data is breached, the GDPR gives companies just 72 hours to notify authorities, and requires that organizations notify consumers of high-risk data breaches “without undue delay.” This means companies like Uber, which waited over a year to notify consumers of a major data breach, will no longer be able to keep hacks a secret.
The strict regulation mandates that businesses that don’t comply with GDPR may be penalized up to €20 million or 4 percent of annual global revenue — whichever is higher. With sky-high penalties and global reach, the GDPR is poised to shape the future of cyber defense and legislation around the world.
Secure Your Organization Against Cyberattacks
With new regulations underway, government entities and corporations alike are seeing the light at the end of the tunnel. But you don’t need to wait for the next bill to pass before updating your cyber defenses. Bluefin is here to help you secure your networks and keep consumers safe from data breaches. For more information on payment security solutions, P2PE encryption, tokenization and more, contact a Bluefin representative today.