Cybercrime will carry a global price tag of $6 trillion by 2021, according to a Cybersecurity Ventures annual report. The National Security Agency warns that cybercriminals are “becoming more sophisticated and capable every day in their ability to use the Internet for nefarious purposes.” Yet many companies fail to take basic precautions, such as deleting expired accounts, and the United States lacks a comprehensive set of laws to protect information and critical systems from hackers. Meaningful, comprehensive cybersecurity legislation isn’t on the immediate congressional radar.
Unfortunately, cybersecurity has taken a backseat to privacy in our current national debate, in part because policymakers often conflate the issues and claim to be addressing both. Privacy and cybersecurity, however, are distinct. Privacy provides users with control over how businesses collect, use, and share their information. Cybersecurity prevents unauthorized parties from accessing, altering, or rendering unavailable their data, information systems, or connected devices.
Congress is focused on passing a national privacy law, allowing individuals to access, correct, and request deletion of their personal information. Many proposals are on the table, and the Senate Commerce Committee is holding a privacy hearing on Wednesday.
A national privacy law is long overdue. But I fear that the intense focus on privacy has overshadowed cybersecurity. For Congress to protect individual safety and national security, it must devote equal attention to the security of information and systems.
Consider an app that collects precise geolocation data. Privacy laws would restrict the app provider from selling the data or using it for marketing without the individual’s consent. Security laws would impose specific requirements for the company to protect the data from hackers, such as encrypting it and using multifactor authentication to access its systems.
If the company’s lax cybersecurity leads to a data breach, its promises about marketing and data sharing would be of little consolation to consumers. Hackers in China or Russia would still have a virtual map of their whereabouts.
In addition to focusing on personal information, cybersecurity helps to protect the confidentiality of other valuable information such as trade secrets. Cybersecurity laws also aim to prevent ransomware and other attacks that render data inaccessible. They also seek to prevent criminals from remotely accessing internet-connected devices, such as vehicles, and critical infrastructure such as the power grid.
Many of the recent bills proposed in Congress present themselves as addressing both privacy and security, but largely focus on privacy. For instance, the Information Transparency & Personal Data Control Act, which was introduced in the House in April, begins with a discussion of the need “to protect consumers from bad actors in the privacy and security space,” but contains few provisions that address security. The Consumer Online Privacy Rights Act, introduced Nov. 26 by Senate Democrats, is a bit more robust, with roughly two of its 59 pages containing broad cybersecurity requirements for private companies, but it still mostly focuses on privacy. Last week, the Senate Commerce Committee majority circulated a 25-page discussion draft of the United States Consumer Data Privacy Act of 2019, which broadly requires companies to “maintain reasonable administrative, technical, and physical data security policies and practices to protect against risks to the confidentiality, security, and integrity of sensitive covered data.” (The bill contains some useful provisions, primarily by allowing the Federal Trade Commission to issue security regulations and guidance.)
I applaud any attempts to address cybersecurity, but we should view these efforts as only a starting point. To the extent that these bills deal with cybersecurity, they typically focus on imposing vague and broad requirements to secure personal information and don’t meaningfully address other vital cybersecurity concerns, such as ransomware, trade secret theft, and security of internet-connected devices.
The United States lacks a comprehensive, nationwide approach to cybersecurity. No federal law imposes explicit cybersecurity requirements across all sectors, though a few laws address the cybersecurity of certain industries, such as health care and financial institutions. The FTC has brought some data breach–related enforcement actions under its relatively weak and vague consumer protection powers. The FTC has a tiny staff dedicated to privacy and security, and, as a practical matter, it lacks the authority to enact cybersecurity regulations.
Because Congress has done little to address cybersecurity, state legislatures have stepped in and passed their own cybersecurity laws. Although their efforts are well-intentioned, they have led to a scattershot approach of uncoordinated and occasionally conflicting laws. For instance, all 50 states have enacted laws that require companies to notify their residents of breaches of personal information. The types of breaches that trigger the notification requirements vary by state, as does the required content for the notices. In the critical days after a breach, a company must sort through the morass of state breach notice laws when it could devote that time to preventing further harm.
About half of the states require companies to secure their residents’ data, but most of the laws merely require “reasonable” security policies. A few are more specific. Perhaps the most comprehensive requirements come from the New York Department of Financial Services. The companies that it regulates must abide by more than a dozen specific requirements, including encryption of nonpublic information, penetration testing, vulnerability assessments, and oversight of service providers’ cybersecurity.
Although some of the state laws, such as New York’s, are particularly effective, the state-by-state approach has produced a patchwork of laws with no uniformity. Because many companies have customers and employees nationwide, they must comply with all of these requirements at once.
That’s why a cohesive national policy would be better for consumers and for businesses. This policy should include a single procedure for notifying individuals and regulators of data breaches, and specific nationwide requirements for securing personal and confidential data, similar to what the New York financial regulator requires of its regulated companies. Ideally, as part of this, Congress would give enforcement authority to a well-funded expert agency, along with the ability to adjust the requirements to emerging cybersecurity threats.
Federal law should not be entirely punitive; it should include cooperative efforts, such as public-private cybersecurity partnerships and tax incentives for investing in cybersecurity. (The last substantial such attempt was a 2015 law that facilitates the private sector’s sharing of cyberthreat information.) A national cybersecurity law should focus not only on breaches of personal information, but also on ransomware and other damaging incidents, such as attacks on the power grid and internet-connected devices. While we’re at it, let’s update computer hacking laws to better address current cybersecurity threats such as botnets. Congress should also ensure that military strategies focus on modern cyberthreats, something the national Cyberspace Solarium Commission is currently studying. And because cybersecurity is a global challenge, the United States should coordinate its cybersecurity requirements with allied nations, with the goal of uniform standards.
That’s a long wish list, but it’s a vital one. In the meantime, Congress should continue its work on a national privacy law, but it should not be under any illusions that a privacy bill will address the many growing threats to the security of data and systems.
The views expressed in this article are only those of the author and do not represent the Naval Academy, Department of Navy, or Department of Defense.