Cyber-security regulation

A cybersecurity regulation comprises directives that safeguard information technology and computer systems with the purpose of forcing companies and organizations to protect their systems and information from cyberattacks like viruses, worms, Trojan horses, phishing, denial of service (DOS) attacks, unauthorized access (stealing intellectual property or confidential information) and control system attacks.[1] While cybersecurity regulations aim to minimize cyber risks and enhance protection, the uncertainty arising from frequent changes or new regulations can significantly impact organizational response strategies. There are numerous measures available to prevent cyberattacks. Cybersecurity measures include firewalls, anti-virus software, intrusion detection and prevention systems, encryption, and login passwords.[2] There have been attempts to improve cybersecurity through regulation and collaborative efforts between the government and the private sector to encourage voluntary improvements to cybersecurity. Industry regulators, including banking regulators, have taken notice of the risk from cybersecurity and have either begun or planned to begin to include cybersecurity as an aspect of regulatory examinations. Recent research suggests there is also a lack of cyber-security regulation and enforcement in maritime businesses, including the digital connectivity between ships and ports.

== Background == In 2011 the US DoD released a guidance called the Department of Defense Strategy for Operating in Cyberspace which articulated five goals: to treat cyberspace as an operational domain, to employ new defensive concepts to protect DoD networks and systems, to partner with other agencies and the private sector in pursuit of a "whole-of-government cybersecurity Strategy", to work with international allies in support of collective cybersecurity and to support the development of a cyber workforce capable of rapid technological innovation. A March 2011 GAO report "identified protecting the federal government's information systems and the nation's cyber critical infrastructure as a governmentwide high-risk area" noting that federal information security had been designated a high-risk area since 1997. As of 2003 systems protecting critical infrastructure, called cyber critical infrastructure protection of cyber CIP has also been included. In November 2013, the DoD put forward the new cybersecurity rule (78 Fed. Reg. 69373), which imposed certain requirements on contractors: compliance with certain NIST IT standards, mandatory reporting of cybersecurity incidents to the DoD, and a "flow-down" clause that applies the same requirements to subcontractors. A June 2013 Congressional report found there were over 50 statutes relevant to cybersecurity compliance. The Federal Information Security Management Act of 2002 (FISMA) is one of the key statutes governing federal cybersecurity regulations.

== United States ==

=== Federal government === There are few federal cybersecurity regulations and the ones that exist focus on specific industries. The three main cybersecurity regulations are the 1996 Health Insurance Portability and Accountability Act (HIPAA), the 1999 Gramm-Leach-Bliley Act, and the 2002 Homeland Security Act, which included the Federal Information Security Management Act (FISMA). The three regulations mandate that healthcare organizations, financial institutions, and federal agencies should protect their systems and information.[3] For example, FISMA, which applies to every government agency, "requires the development and implementation of mandatory policies, principles, standards, and guidelines on information security." However, the regulations do not address numerous computer-related industries, such as Internet Service Providers (ISPs) and software companies.[4] Furthermore, the regulations do not specify what cybersecurity measures must be implemented and require only a "reasonable" level of security. The vague language of these regulations leaves much room for interpretation. Bruce Schneier, the founder of Cupertino's Counterpane Internet Security, argues that companies will not make sufficient investments in cybersecurity unless the government forces them to do so.[5] He also states that successful cyberattacks on government systems still occur despite government efforts.[6] It has been suggested that the Data Quality Act already provides the Office of Management and Budget the statutory authority to implement critical infrastructure protection regulations by the Administrative Procedure Act rulemaking process. The idea has not been fully vetted and would require additional legal analysis before a rulemaking could begin.

=== State governments === State governments have attempted to improve cybersecurity by increasing public visibility of firms with weak security. In 2003, California passed the Notice of Security Breach Act, which requires that any company that maintains personal information of California citizens and has a security breach must disclose the details of the event. Personal information includes name, social security number, driver's license number, credit card number or financial information.[7] Several other states have followed California's example and passed similar security breach notification regulations.[8] Such security breach notification regulations punish firms for their cybersecurity failures while giving them the freedom to choose how to secure their systems. Also, the regulation creates an incentive for companies to voluntarily invest in cybersecurity to avoid the potential loss of reputation and the resulting economic loss that can come from a successful cyber attack. In 2004, the California State Legislature passed California Assembly Bill 1950, which also applies to businesses that own or maintain personal information for California residents. The regulation dictates for businesses to maintain a reasonable level of security and that they required security practices also extend to business partners.[9] The regulation is an improvement on the federal standard because it expands the number of firms required to maintain an acceptable standard of cybersecurity. However, like the federal legislation, it requires a "reasonable" level of cybersecurity, which leaves much room for interpretation until case law is established.[10]

=== Proposed regulation === The US Congress has proposed numerous bills that expand upon cybersecurity regulation. The Consumer Data Security and Notification Act amends the Gramm-Leach-Bliley Act to require disclosure of security breaches by financial institutions. Congressmen have also proposed "expanding Gramm-Leach-Bliley to all industries that touch consumer financial information, including any firm that accepts payment by a credit card."[11] Congress has proposed cybersecurity regulations similar to California's Notice of Security Breach Act for companies that maintain personal information. The Information Protection and Security Act requires that data brokers "ensure data accuracy and confidentiality, authenticate and track users, detect and prevent unauthorized activity, and mitigate potential harm to individuals."[12] In addition to requiring companies to improve cybersecurity, Congress is also considering bills that criminalize cyberattacks. The Securely Protect Yourself Against Cyber Trespass Act (SPY ACT) was a bill of this type. It focused on phishing and spyware bill and was passed on May 23, 2005, in the US House of Representatives but died in the US Senate. The bill "makes unlawful the unauthorized usage of a computer to take control of it, modify its setting, collect or induce the owner to disclose personally identifiable information, install unsolicited software, and tamper with security, anti-spyware, or anti-virus software."[13] On May 12, 2011, US president Barack Obama proposed a package of cybersecurity legislative reforms to improve the security of US persons, the federal government, and critical infrastructure. A year of public debate and Congress hearings followed, resulting in the House of Representative passing an information sharing bill and the Senate developing a compromise bill seeking to balance national security, privacy, and business interests. In July 2012, the Cybersecurity Act of 2012 was proposed by Senators Joseph Lieberman and Susan Collins.[14] The bill would have required creating voluntary "best practice standards" for protection of key infrastructure from cyber attacks, which businesses would be encouraged to adopt through incentives such as liability protection.[15] The bill was put to a vote in the Senate but failed to pass.[16] Obama had voiced his support for the Act in a Wall Street Journal op-ed[17], and it also received support from officials in the military and national security including John O. Brennan, the chief counterterrorism adviser to the White House.[18][19] According to The Washington Post, experts said that the failure to pass the act may leave the United States "vulnerable to widespread hacking or a serious cyberattack." [20] The act was opposed by Republican senators like John McCain who was concerned that the act would introduce regulations that would not be effective and could be a "burden" for businesses.[21] After the Senate vote, Republican Senator Kay Bailey Hutchison stated that the opposition to the bill was not a partisan issue but it not take the right approach to cybersecurity.[22]The senate vote was not strictly along partisan lines, as six Democrats voted against it, and five Republicans voted for it.[23] Critics of the bill included the US Chamber of Commerce,[24] advocacy groups like the American Civil Liberties Union and the Electronic Frontier Foundation,[25] cybersecurity expert Jody Westby, and The Heritage Foundation, both of whom argued that although the government must act on cybersecurity, the bill was flawed in its approach and represented "too intrusive a federal role."[26] In February 2013, Obama proposed the Executive Order Improving Critical Infrastructure Cybersecurity. It represents the latest iteration of policy but is not considered to be law as it has not been addressed by Congress yet. It seeks to improve existing public-private partnerships by enhancing timeliness of information flow between DHS and critical infrastructure companies. It directs federal agencies to share cyber threat intelligence warnings to any private sector entity identified as a target. It also tasks DHS with improving the process to expedite security clearance processes for applicable public and private sector entities to enable the federal government to share this information at the appropriate sensitive and classified levels. It directs the development of a framework to reduce cyber risks, incorporating current industry best practices and voluntary standards. Lastly, it tasks the federal agencies involved with incorporating privacy and civil liberties protections in line with Fair Information Practice Principles. In January 2015, Obama announced a new cybersecurity legislative proposal. The proposal was made in an effort to prepare the US from the expanding number of cyber crimes. In the proposal, Obama outlined three main efforts to work towards a more secure cyberspace for the US. The first main effort emphasized the importance of enabling cybersecurity information sharing. By enabling that, the proposal encouraged information sharing between the government and the private sector. That would allow the government to know what main cyber threats private firms are facing and would then allow the government to provide liability protection to those firms that shared their information. Furthermore, that would give the government a better idea of what the US needs to be protected against. Another main effort that was emphasized in this proposal was to modernize the law enforcement authorities to make them more equipped to properly deal with cyber crimes by giving them the tools they need in order to do so. It would also update classifications of cyber crimes and consequences. One way this would be done would be by making it a crime for overseas selling of financial information. Another goal of the effort is to place cyber crimes prosecutable. The last major effort of the legislative proposal was to require businesses to report data breaching to consumers if their personal information had been sacrificed. By requiring companies to do so, consumers are aware of when they are in danger of identity theft. In February 2016, Obama developed a Cybersecurity National Security Action Plan (CNAP). The plan was made to create long-term actions and strategies in an effort to protect the US against cyber threats. The focus of the plan was to inform the public about the growing threat of cyber crimes, improve cybersecurity protections, protects personal information of Americans, and to inform Americans on how to control digital security. One of the highlights of this plan include creating a "Commission on Enhancing National Cybersecurity." The goal of this is to create a Commission that consists of a diverse group of thinkers with perspectives that can contribute to make recommendations on how to create a stronger cybersecurity for the public and private sector. The second highlight of the plan is to change Government IT. The new Government IT will make it so that a more secure IT can be put in place. The third highlight of the plan is to give Americans knowledge on how they can secure their online accounts and avoid theft of their personal information through multi-factor authentication. The fourth highlight of the plan is to invest 35% more money that was invested in 2016 into cybersecurity.

=== Recent federal and sectoral developments (2023-2025) === In July 2023, the SEC adopted rules that require public companies to report “material” cybersecurity incidents on Form 8-K and to describe risk management and governance practices in periodic reports; the incident disclosure is due four business days after a registrant determines materiality. Most registrants began complying in December 2023. At the state level, the New York Department of Financial Services amended its cybersecurity regulation (23 NYCRR Part 500) with a second set of changes that became effective on 1 November 2023. The amendments expand requirements for governance and incident handling, and introduce heightened obligations for larger “Class A” firms. The Federal Trade Commission amended the Safeguards Rule to add a breach-notification obligation for certain non-bank financial institutions. The requirement is now in effect and calls for notification to the FTC as soon as practicable and no later than 30 days after discovery when an incident involves the information of at least 500 consumers. In health care, the HIPAA Security Rule has been the subject of a modernization proposal. The U.S. Department of Health and Human Services released a notice of proposed rulemaking in late 2024 with publication in the Federal Register on 6 January 2025, seeking updates to strengthen requirements for safeguarding electronic protected health information. Following the 2021 Colonial Pipeline incident, the Transportation Security Administration issued and later revised pipeline cybersecurity Security Directives. A redacted version of SD Pipeline-2021-02E was posted in July 2024, and the agency maintains a page listing current security directives for pipelines and other modes.

=== Other government efforts === In addition to regulation, the federal government has tried to improve cybersecurity by allocating more resources to research and collaborating with the private sector to write standards. In 2003, the President's National Strategy to Secure Cyberspace made the Department of Homeland Security (DHS) responsible for security recommendations and researching national solutions. The plan calls for cooperative efforts between government and industry "to create an emergency response system to cyber-attacks and to reduce the nation's vulnerability to such threats "[27] In 2004, the US Congress allocated $4.7 billion toward cybersecurity and achieving many of the goals stated in the President's National Strategy to Secure Cyberspace.[28] Some industry security experts state that the President's National Strategy to Secure Cyberspace is a good first step but is insufficient.[29] Bruce Schneier stated, "The National Strategy to Secure Cyberspace hasn't secured anything yet." [30] However, the President's National Strategy clearly states that the purpose is to provide a framework for the owners of computer systems to improve their security rather than the government taking over and solving the problem.[31] However, companies that participate in the collaborative efforts outlined in the strategy are not required to adopt the discovered security solutions. In the United States, the US Congress is trying to make information more transparent after the Cyber Security Act of 2012, which would have created voluntary standards for protecting vital infrastructure, failed to pass through the Senate. In February 2013, the White House issued an executive order, titled "Improving Critical Infrastructure Cybersecurity," which allows the executive branch to share information about threats with more companies and individuals. In April 2013, the House of Representatives passed the Cyber Intelligence Sharing and Protection Act (CISPA), which calls for protecting against lawsuits aimed at companies that disclose breach information. The Obama administration said that it might veto the bill.

== India == In the light of the hacking of the website of the Indian Space Agency's commercial arm in 2015, Antrix Corporation and government's Digital India programme, a cyberlaw expert and advocate at the Supreme Court of India, Pavan Duggal, stated that "a dedicated cyber security legislation as a key requirement for India. It is not sufficient to merely put cyber security as a part of the IT Act. We have to see cyber security not only from the sectoral perspective, but also from the national perspective." More on India, Their cyber-security framework is built primarily on the Information Technology Act, 2000 (IT Act) and its 2008 amendments, which give legal recognition to electronic records and digital signatures and create offenses for unauthorized access, data tampering and certain forms of online content. The Act also designates the Indian Computer Emergency Response Team (CERT-In) as the national agency for incident response under section 70B, with functions that include collecting and analyzing incident information, issuing advisories and coordinating technical response. Under the IT Act, a series of rules and notifications provide more detailed obligations. The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 place due diligence requirements on “intermediaries” such as social media and messaging services, including provisions on content take down and for certain categories of content, traceability of the originator. In April 2022, CERT-In issued binding directions under section 70B that require service providers, intermediaries, data centers, virtual asset service providers and virtual private network (VPN) providers to report specified cyber incidents to the agency within six hours of detection and to retain certain system logs for 180 days. The directions also call for maintaining accurate subscriber or customer information that can be furnished to authorities on request.

== China == China has developed a comprehensive framework of laws and regulations that govern cyber security, data and personal information. The core instruments are the Cybersecurity Law, which entered into force in 2017, the Data Security Law, effective in 2021, and the Personal Information Protection Law (PIPL), effective in November 2021. Together they regulate ...

(Article truncated for display)

Source

This content is sourced from Wikipedia, the free encyclopedia. Read full article on Wikipedia

Category

Cybersecurity - Computer Science