There’s likely to be a “pause” in Congress with respect to any statutory change around cybersecurity regulations, according to Rep. Jim Himes, D-Conn.
Himes, the ranking member of the NSA and Cybersecurity Subcommittee of the House Permanent Select Committee on Intelligence, gave the keynote speech during a recent cybersecurity summit hosted by NCS Regulatory Compliance in New York.
“It’s not that there isn’t a high level sense of urgency around evolving our overall cybersecurity defenses — including law, including our own federal government protections,” he explained. “Almost a day doesn’t go by that we don’t see an Equifax, a Sony, a Target or an SEC [hack].”
Equifax recently announced a cybersecurity breach may have affected 143 million U.S. consumers’ personal information, sparking outrage in the financial services community.
Then, last week, Securities and Exchange Commission Chairman Jay Clayton announced in a sweeping cybersecurity statement that the agency learned in August that a 2016 cyber breach incident involving its Electronic Data Gathering, Analysis and Retrieval corporate filing system “resulted in access to nonpublic information.”
“Despite that sense of urgency, despite the acknowledgement that we have a real problem here, there’s a bunch of things that are causing friction in terms of statutory change,” Himes told the small crowd.
One reason is that the Cybersecurity Information Sharing Act (CISA), which passed in December 2015, never received full support from big tech and media companies and civil liberties groups.
CISA was supported by financial services groups and banks, but companies like Google, Microsoft, Apple, Twitter, Yahoo, Yelp, Netflix, Amazon, eBay and Wikipedia saw the bill as a threat to Americans’ privacy.
CISA encourages the sharing of critical cyber threat information between financial institutions, among and between sectors, and with the federal government in order to protect consumers and the nation’s financial infrastructure.
A second reason there’s likely to be stasis in terms of legislative action is that no one is hearing much feedback on the information sharing mechanisms that were established byCISA, Himes said.
Another reason is that the focus tends to be on sovereign attacks, which “takes a little bit of the eye off the ball with respect to domestic cybersecurity legislation,” he said.
“There is a robust dialogue as you know publicly with respect to the Russian hack of our election. But we have as you probably know a fairly aggressive multilateral discussion that includes the Chinese and others who have made a business for a very long period of time of violating our networks,” Himes said.