The cyber threats America faces range from potential disruptions and catastrophic failure of the nation’s electric grid, utility plants, and telecommunications and financial networks; to theft of national security secrets and cyber corporate espionage; to simple hacking and identity theft. The magnitude of the cybersecurity threats America faces is great and it is increasing. Government agencies and American businesses, including critical infrastructure, are under attack on a daily basis.
Over the past several years, cybersecurity has become an increasingly pressing issue for those at the top levels of government and in the private sector. Numerous pieces of legislation on cybersecurity have been proposed by both the Obama Administration and recent Congresses. Issues addressed include facilitating cyber threat information sharing; requiring baseline cybersecurity practices for critical infrastructure; creating a federal standard for data breach notification; investing in cybersecurity research and development, education, and workforce training; and updating cyber crime statutes.
CCIA supports efforts to facilitate and streamline information sharing on cyber threats between the private sector and the Federal Government and amongst private firms. Cyber crime laws should be updated to address today’s threats, but must not inadvertently criminalize trivial user behavior. A federal data breach standard should be implemented to reduce compliance costs for businesses and make privacy protections more transparent for consumers. Increased research and development, education, and workforce training will create new tools to address cyber threats and a workforce trained to use them, and will also lead to new cybersecurity products and skilled professionals for the private sector. Finally, policymakers should work with the international community to address cyber threats. New laws relating to cybersecurity should include a sunset period so policymakers can evaluate which policies are effective and which are not. Any standards should be results-oriented rather than process-oriented, and technology-neutral.