What impact will the Cybersecurity State Coordinator Act have? [Q&A]
The US is currently considering new legislation that would require each state to appoint a cybersecurity leader.
The proposed Cybersecurity State Coordinator Act has cross-party support and would, say its backers, improve intelligence sharing between state and federal governments and speed up incident response times in the event of a cyberattack.
We spoke to Sachin Bansal, who is general counsel at SecurityScorecard, to find out more about what this new law could mean.
BN: What is the main purpose of this legislation?
SB: What this is intended to do is to create federal funding for a Department of Homeland Security employee whose title would be 'cybersecurity state coordinator' and those would be in all 50 states.
The primary responsibilities of the cybersecurity state coordinator would be to become the principal federal advisor to the state on cybersecurity related issues. They would also coordinate with the state and the federal government because the federal government have more resources and more funding when it comes to combating cybersecurity and in preparing for and managing and recovering from cyber attacks.
There are four primary responsibilities in the wake of a cyberattack. One of them is to coordinate with the state and federal government. The second is to facilitate the sharing of cyber security related information between both federal and state entities. The third is to raise awareness of the federal government's resources on cyber security, which range from financial resources, technical, and also operational. And then the fourth one is to support training for the business continuity of the state to allow it to recover from an attack. The bill actually enumerates eight responsibilities, but these are the big ones.
BN: How does this fit in with the recently introduced CCPA legislation?
SB: It's different for two reasons. CCPA is a state law that's intended to protect the data privacy and security information of California residents. So if your business, wherever you may operate in the United States, if you hold information about California residents then you need to have essentially GDPR-like compliance with that information. So that means that you need to have internal governance structure, you need to allow them to opt out if they're receiving information, you need to update your website with cookies consent. I would think about this in terms of a growing amount of legislation at the US federal level on cyber.
BN: Why are these coordinators needed?
SB: Cities and local government have increasingly been the victim of cyber attacks, because they're underfunded. And they're not as technically advanced, their infrastructure doesn’t have the technical protections that are necessary and software and other measures that the federal government level has, and so as a result, there is a vulnerable target.
One of the lead sponsors of this bill is Congresswoman Maggie Hassan from New Hampshire. In her state there have been two major attacks by ransomware with 500 computers affected. We're also in an election year and every state is concerned about vulnerability of their election processes. In New York, for example, the governor actually commissioned a Florida cybersecurity company to make recommendations on election security.
BN: Is this an indication that government at all levels is taking cybersecurity more seriously?
SB: The federal government always has, they got ahead of the curve quite early, they've also been much more funded as a result, because cyber resilience can be costly, which is why we've seen in private companies their IT budgets have increased as a result.
The sophistication of the attacks keeps getting better and the number of attacks is increasing each year, so it's expensive. There's also a lack of expertise in the market to address that; it's a combination of both the human talent that you need as well as the technical and operational side. There's also an increasing need to budget for third party resources, like SecurityScorecard, to provide an objective, outside-in analysis on cyber health. A company needs us, and other tools and people, to really have a robust cyber program and that applies to the federal government as well.
BN: Assuming this passes through all of its stages relatively unscathed, how long is it going to be before it starts to have an impact?
SB: Very quickly, because people are behind it. The talent is already there within the Department of Homeland Security. So essentially, there is the ability to have the staff and be ready to go. It's a matter of getting this approved and the funding and then sourcing people in the States.
I think operationalizing this is easy and I don't think that there's going to be resistance because there are not a lot of bills that get proposed that are bipartisan legislation. Cybersecurity is one thing that both Republicans and Democrats agree on. They're very aligned that there's an urgent need for reducing the impact on state and local governance of cyberattacks. The threats and the attacks to state and local government are one of the most urgent problems facing government entities at all levels in the United States.