The Cybersecurity Act of 2015: Can We Legislate Effective Data Security?

Chris Reffkin | 2/25/2016

The Cybersecurity Act of 2015 has been signed into law. The most heralded section of the act concerns cybersecurity information sharing between the federal government and industry, which potentially will help to improve the cybersecurity posture of the nation over the long term. Here’s a brief overview of each title in the act:

  • First, Title I, "Cybersecurity Information Sharing," was the most anticipated. Title I describes how the U.S. government may communicate and share cyber threat intelligence with the private sector and state governments and vice versa.
    • Pros: In theory, this part of the act will help the government tap into a much broader knowledge base of cyber threat intelligence and give the most exposed private sector organizations additional information that may help them better anticipate cybersecurity threats.
    • Cons: The success of Title I will be measured by (1) the manner in which the act permits monitoring and sharing of data and (2) the effectiveness of that information sharing. Some practical issues that have yet to be addressed and that raise concern include:
      • Who will share information first?
      • What information will be shared?
      • When will the information be shared?
      • How will the information be used?
    • Prediction for Success: Long shot. First, a process has to be established to facilitate sharing. Then, a registration or identification process needs to occur because information sharing is not open to the public. The goal of the legislation is to facilitate and promote the timely sharing of “classified cyber threat indicators” with “cleared representatives of relevant entities.” Therefore, the success of Title I will be judged on the successful execution of information sharing and a long-term analysis of its effectiveness.
  • Title II, "National Cybersecurity Advancement," is slightly less exciting – although it may have a more direct impact on improving the cybersecurity posture of the federal government.
    • Pros: Title II makes intrusion detection systems and intrusion prevention systems, as well as better network security tools, available to all federal entities (excluding defense and intelligence agencies). It also requires a slew of reporting by the Government Accountability Office (GAO), the Office of Management and Budget, and the Department of Homeland Security to see how well this does or does not work.
    • Cons: The law does not provide a dollar amount for procuring these systems and tools. Also, according to the September 2015 report, “Federal Information Security,” from the GAO, all 24 government agencies evaluated demonstrated persistent information security weaknesses in 2013 and 2014. Providing tools to better monitor the weak control environments described in the report will not fix the problem.
    • Prediction for Success: Hopeful. Title II requires agencies to “identify sensitive and mission critical data” and encrypt that data. Also, agencies are required to identify the effect of an information security compromise on an unclassified system. These are very practical tasks that will improve the foundation of the overall cybersecurity posture of the federal government even if root-cause issues are not being addressed.
  • Title III, "Federal Cybersecurity Workforce Assessment," requires exactly what the title says.
    • Pro: Title III requires the identification and classification of all cyber-related personnel, including the identification of cyber-related roles of “critical need” in the federal workforce.
    • Con: Classifying the federal cybersecurity workforce will be a tremendous undertaking, as distinctions will need to be drawn between roles that affect cybersecurity and those that do not. This will be hard because one could argue that all employees, regardless of skill, could affect cybersecurity.
    • Prediction for Success: Hopeful. This could be the initial effort to organize and promote collaboration between all related cyber personnel working in the government.
  • Title IV, "Other Cyber Matters," is a catch-all for the most beneficial parts of the act, including requirements to:
    • Study threats to mobile devices used by the government.
    • Establish an international cyberspace policy strategy. This is well overdue.
    • Improve cybersecurity in the healthcare industry. Title IV requires the establishment of another voluntary cybersecurity framework for healthcare. Also, a healthcare industry cybersecurity task force will be convened to study:
      • What other industries are doing for cybersecurity
      • Challenges of adopting cybersecurity controls for private entities
      • Challenges covered entities and business associates have in securing medical devices and other interconnections of electronic medical records (EMRs). This is significant because most legislative and incentive efforts to secure medical devices to date have only focused on the data in EMRs, not medical devices themselves.
      • Establishment of a process for the healthcare industry and the federal government to share cyber intelligence. It remains to be seen if and how this will differ from Title I.

A few other sections related to federal computer security, apprehension of cyber criminals, and enhancement of emergency services with respect to cyberattacks round out Title IV and have the potential to produce positive changes in the domain of cybersecurity for the federal government.