Small business cybersecurity act becomes law, but is it enough?
- President Donald Trump signed the NIST Small Business Cybersecurity Act into law Tuesday, an amendment to the National Institute of Standards and Technology Act that provides an avenue of resources for small businesses to reduce cybersecurity risk. The bill has been in the works since March 2017, and a reconciled version was passed August 1.
- The Commerce Department's NIST has to publish technology-neutral resources for small businesses that are also based on international standards, consistent with national cybersecurity programs and scalable to various business sizes and data sensitivities.
- The president also reportedly walked back restrictions set by an Obama-era directive on the deployment of U.S. cyberweapons against opponents, according to The Wall Street Journal. The 2012 directive had called for an intricate interagency process before carrying out a cyberattack, especially against foreign adversaries. The administration's replacement framework remains unknown.
Recent attacks on critical infrastructure by foreign actors threw the cybersecurity discourse back into prominence.
While the administration set aside billions for IT and cybersecurity earlier this year, including $1 billion for the Department of Homeland Security to coordinate action between levels of government and the private sector, it also cut the national cybersecurity coordinator position in May, adding to an exodus of cyber talent from the administration.
The Department of Homeland Security has renewed efforts to work with industry on cybersecurity with the recently launched National Risk Management Center and a national cybersecurity summit. A "collective defense" strategy is critical for real-time data sharing and action as digital interdependence deepens, according to DHS Secretary Kirstjen Nielsen.
Yet the collaboration has to extend beyond the resources and power of big tech. Small and mid-size businesses with fewer resources and weaker defenses can make easier targets for hackers. Efforts to mitigate the high costs and barriers to entry in implementing security and recovery programs can protect against the high economic cost of breaches.
But many businesses neglect seeking out cybersecurity solutions because of a lack of understanding, and the act does not specify how to engage with small businesses to change course and seek out NIST resources, according to Francis Dinha, CEO and cofounder of OpenVPN, in a statement provided to CIO Dive. Just making guidelines won't be enough if businesses aren't more actively engaged.
Although cybersecurity has remained a top priority in the DNI's Worldwide Threat Assessment report for several years, many experts fear the U.S. is losing the cyberwar as a machine learning arms race heats up between defenders and hackers.
Deeper ties between public, private and academic spheres are critical to pool resources and intelligence. If big tech alone shared its data on cyberattacks, it would have a set greater than any malicious actor, said Jason Matheny, director of Intelligence Advanced Research Projects Activity at the Office of the Director of National Intelligence.
Follow Alex Hickey on Twitter