RSA 2021 Panel Calls for Federal Breach Notification Law and More
More than a year after the U.S. Cyberspace Solarium Commission issued a report on how to improve cybersecurity, most of its recommendations have yet to be implemented.
In a session at RSA Conference 2021, three cybersecurity experts said top priorities among the Solarium Commission’s recommendations that have not yet been carried out are adopting a federal data breach notification law and improving public-private partnerships.
In March 2020, the Solarium Commission issued its latest report, which contained more than 80 recommendations, 27 of which the government has codified into law (see: Commission Calls for Revamping US Cybersecurity).
Panelist Frank Cilluffo, a member of the Solarium Commission and the Department of Homeland Security Advisory Council, highlighted the importance of creating a collaborative environment between government agencies and the private sector organizations that are on the front lines of defending against cyberattacks.
“So one of the first recommendations we’re looking at is establishing a joint collaborative environment. This is to actually bring the private sector in – not as a secondary afterthought – but for it to actually have a seat at the table in terms of implementing some of our operations and implementing some of our cyber defense measures,” Cilluffo said.
Tom Corcoran, head of cybersecurity for Farmers Insurance, said the government has to supply cyber intelligence to those on the front lines, who can act upon it quickly.
“I would like to see the government providing more real-time threat intelligence to those companies so that they can automatically feed it into their tools,” said Corcoran, who was formerly a senior staffer on the House and Senate Intelligence Oversight committees during the Obama administration.
Bureau of Cyber Statistics
Paul Rosenzweig, a senior fellow at the nonprofit public policy research organization R Street Institute, said the government should prioritize establishing a Bureau of Cyber Statistics. As noted in the March 2020 Solarium report, such a bureau would gather and provide statistical data on cybersecurity and the cyber ecosystem to support policymaking and government programs.
“If we’re going to actually have a significant effort to systematize America’s approach to cybersecurity, the bureau of cyber statistics is likely to be a venue for creating those types of metrics,” he said. Such statistics would enable the creation of an accurate picture of looming cyberthreats and sketch out where the dangers lie.
Cilluffo and Corcoran highlighted the commission’s call for creating a federal data breach notification law. Over the years, Congress has repeatedly failed to enact such legislation.
“We need to make sure that we have the reporting structures in place in terms of a breach,” Cilluffo said. “I think there’s finally awareness that we need to be able to move forward on law.”
Corcoran added that having data breach reporting standards in place would make it simpler for companies, particularly those firms that do not have a regulatory team in-house, to know what details must be included when filing a data breach notification.
Widely varying breach notification laws at the state level make it difficult for companies to comply, Corcoran said. A model for a federal law, he said, is the New York Department of Financial Services’ Stop Hacks and Improve Electronic Data Security Act, or SHIELD Act.