President Joe Biden today signed the Better Cybercrime Metrics Act. The measure, which received bipartisan support in Congress, is the federal government’s latest step to bolster the nation’s cyber defenses. The new law establishes requirements to improve the collection of data related to cybercrime.
The new law comes amid rising concerns and warnings about an increase in Russian cyberattacks in response to US support for Ukraine.
New tools for law enforcement
Rep. Abigail Spanberger (D-Va.), who sponsored the legislation, said in a press release that it will improve how the federal government tracks, measures, analyzes and prosecutes cybercrime. By initiating the process of building an effective system to track cybercrime incidents, she said, the legislation “will enable U.S. law enforcement to better identify cyber threats, deter attacks, and meet the challenge of cybercriminality.”
Spanberger, a former CIA and former federal agent, recalled that “a year ago this week we saw the ill effects of the ransomware attack on the Colonial Pipeline.
“In an instant, the American people understood how cybercrime – now America’s most common crime – could jeopardize the integrity of critical infrastructure, the American economy, and our national security.
“And as cybercriminals increasingly adapt their attack methods against vulnerable people and networks, the United States must improve its cybercrime classification system. Otherwise, we risk the safety and privacy of families, homes, businesses and US government agencies,” Spanberger warned.
Cybersecurity experts and observers shared their views and thoughts on the new law.
A top priority for the Biden administration
Lisa Plaggemier, acting executive director at the National Cybersecurity Alliance, pointed out, “The Biden administration has made no secret that it has made cybersecurity one of its top priorities.
“On a purely cyber level, for too long the United States…has operated in an opaque and uncoordinated manner when it comes to cybersecurity. And unfortunately, it has made it much easier for US entities to be compromised and has led to a widespread erosion of public trust.
Boost collaboration and transparency
“So while this bill won’t solve everything on its own, by tackling reporting head-on – which is one of the most critical, yet under-reported areas of effective attack mitigation – it helps build collaboration and transparency between a multitude of business sectors and the public they serve.
“Furthermore, this is another fundamental part of US cybersecurity policy and strategy that many in the cybersecurity space believe [are] probably late,” she said.
Michael Bahar is the former Deputy Legal Counsel for the National Security Council and Director of Minority Staff and General Counsel for the House Intelligence Committee. He is now a litigation partner at global law firm Eversheds Sutherland and co-leads the global cybersecurity and data privacy practice.
Bahar said, “It’s not too little too late when it comes to strengthening the cybersecurity of a nation – or a company. Every little bit counts, and sometimes even seemingly small (and overdue) steps can have an outsized impact.
“This [new law] does not impose additional requirements on companies and does not directly fund national cyber defense efforts; on the contrary, it increases the quantity and quality of cybercrime measurements, which, together with advanced analytics, should reveal insights and trends that lead to better prevention and enforcement,” Bahar predicted.
The bill Biden signed into law today, “…gets to this point. Our cybersecurity solutions, both at the corporate and national levels, will benefit from a deeper understanding of the problem of cybercrime,” he concluded.
“A positive impact”
Michael Baker is vice president and chief information security officer for General Dynamics Information Technology. He believed the new law “will have a positive impact on combating the growing number of cyberattacks, as it will enable faster and more transparent sharing of cyberthreat intelligence between industry and government.
“We need to ensure that this collective intelligence is distributed widely and immediately to cyber defense teams to limit the impact and scale of modern cyberattacks,” he advised.
The United States must stay one step ahead of its adversaries
Baker said, “The ability of the United States to come together across public and private entities to quickly disseminate lessons learned and contribute to collective defense is critical [for] to advance.
“The motivation and sophistication of our adversaries to gain a competitive or strategic advantage over the United States is only increasing; thus, the United States must act accordingly to stay ahead,” he warned.
He observed that “information sharing between victims of crime and law enforcement is always a good thing. Currently, statistics on cyberattacks are unreliable, as some companies report attacks immediately.”
But Turgal pointed out that “a large number of victimized companies refuse to report the attacks, because they see it as a weakness, a competitive disadvantage or they believe that the impact on share price, company value and, more important again, [the] brand, will be too big.
“This new legislation, coupled with the previously passed Cyber Incident Reporting for Critical Infrastructure Act of 2022, will, in theory, allow for mandatory reporting of cyberattacks by victims in critical infrastructure industries within specified timeframes.”
Then, he said, “These reporting statistics would then be collected and reported annually by the Bureau of Justice Statistics, as required by the Better Cybercrime Statistics Act.
“While collecting cyberattack metrics is beneficial, unless the business is in a critical infrastructure sector, reporting is voluntary and unlikely to occur,” Turgal predicted.
Advice for entrepreneurs
Baker of General Dynamics Information Technology recommended that “companies should view cybersecurity risk as a business risk at the board level.”
He said that includes:
- Empower information security managers to guide their company’s cyber strategy.
- Hold themselves accountable for basics like patches and actively monitor their networks.
- Prioritize prudent investments to increase the maturity of their programs over time with steps such as two-factor authentication and other capabilities needed to thwart our adversaries and cybercriminals.