What to know about potential incoming regulations
In a continued effort to strengthen national cybersecurity, the Biden administration has a fresh round of requirements incoming for tech-centric industries, which house the majority of the nation's data. These are primarily regulatory requirements aimed at software companies, establishing their responsibility for ensuring that their applications are both secure and resilient.
The administration also seeks to disrupt and disable hacker operations through offensive cyber responses carried out by agencies such as the FBI and the Department of Defense.
Part of this response stems from the war in Ukraine, in which the US has identified Russia as the source of numerous cyberattack campaigns. Additionally, as reliance on digital infrastructure, remote resources, and IoT devices grows, establishing secure development practices is critical to future resilience and security.
It is referred to as the New Cybersecurity Strategy. One of its stated goals is to replace voluntary reporting of cybersecurity incidents with mandatory reporting. Previously, national cybersecurity governance and policy were voluntary, meaning an enterprise did not have to follow reporting structures or cybersecurity "best practices." The Strategy aims to change this by holding the tech sector and key agencies responsible for both following the guidance and reporting incidents.
How is the strategy different now?
Every administration has promoted some cybersecurity defense measure, each establishing guidelines to follow depending on the size of an enterprise. However, those guidelines were suggestions. In a time when ransomware, malware, and targeted cyberattacks are executed daily, the Biden administration finds that a voluntary model is no longer sufficient.
The private sector relies heavily on IT infrastructure and hosts the largest share of confidential data and national digital infrastructure, so protecting it and securing that data remains the priority. Mandating both reporting requirements and cybersecurity guidelines aims to limit the damage caused by a breach. The philosophy mirrors that of other industries, where manufacturers, food distributors, and engineers must ensure their products meet safety standards before release to the public.
Currently, the United States designates both Russia and China as the primary sources of targeted cyberattack campaigns.
When will the changes occur?
The current standards are not yet law and will certainly see legislative alterations, with proponents and opponents weighing in before finalization. But some core characteristics will likely remain if and when the new guidelines are adopted. For example, relevant industries will have a required reporting window, currently 72 hours, if data is compromised by ransomware or other malicious third parties.
Affected industries include critical infrastructure, prompted by the Colonial Pipeline attack (among others). Those in the financial technology sector will also see mandates should the New Cybersecurity Strategy pass as-is.
Where the majority of attacks come from
Again, the primary factors driving these decisions stem largely from international tensions. While the US and Russia shared lukewarm relations at best, the conflict in Ukraine destabilized what amicable terms remained, and a majority of cyberattacks now originate from Russian actors. Since ransomware attacks are difficult to attribute and retaliate against, ransomware operators have benefitted from the open hostilities between the two nations. This is to say nothing of the cyberattacks directed against Ukrainian infrastructure itself.
While mandating new requirements for both cybersecurity standards and reporting is one aspect of improved defense, long-term efforts will also be needed, including international coordination to promote better awareness of ransomware attacks.
Steps to take now
The policies set forth will take time to see adoption and enforcement. Even so, the message is clear: a more proactive approach will be taken to enforce cybersecurity standards. An enterprise should therefore prepare its infrastructure now for both reporting mandates and data privacy laws.
SMBs and smaller organizations may need help from third-party resources. Bytagig is ready to assist with any of your regulatory concerns.
Bytagig is dedicated to providing reliable, full-scale cybersecurity and IT support for businesses, entrepreneurs, and startups in a variety of industries. Bytagig works remotely and provides on-site support in Portland, San Diego, and Boston. Acting as internal IT staff, Bytagig handles employee desktop setup and support, comprehensive IT systems analysis, IT project management, website design, and more. Bytagig is setting the standard for MSPs, having been placed on the Channel Futures NexGen 101 list.