At a glance.
- Strengthening American Cybersecurity Act.
- US Senators urge SEC to push incident reporting transparency.
- The scope of rip-and-replace in the US.
US lawmakers introduce cybersecurity act.
The Strengthening American Cybersecurity Act, proposed last week by US senators Gary Peters and Rob Portman, combines three bills introduced last fall aimed at improving government agency and critical infrastructure cybersecurity. Security Week explains that the legislative package includes a seventy-two-hour reporting requirement for cyberattacks against critical infrastructure or civilian federal agencies, with notification of ransom payments within twenty-four hours. The Cybersecurity and Infrastructure Security Agency (CISA) would also be given increased authority in leading incident response, and the senators propose that the Federal Risk and Authorization Management Program (FedRAMP) be authorized for five years to help agencies adopt cloud technologies that could safeguard their systems against attack.
Transparency is the key to a lasting relationship.
On the topic of cyberincident reporting, last week a bipartisan group of US senators sent an early valentine to Securities and Exchange Commission head Gary Gensler pushing for increased transparency requirements for mandatory cybersecurity reporting in the private sector. Breaking Defense adds that the senators are co-sponsoring the Cybersecurity Disclosure Act, which would require companies to provide disclosure to investors, as that’s currently left to the company’s own discretion. The letter states, “Public companies and investment managers should pay attention to threats before they are realized. This is a better approach than scrambling to figure out what went wrong after investors have been harmed. America’s economic prosperity is linked to strong cybersecurity defenses in the private sector. The alternative unfortunately puts investors’ hard-earned savings and pensions at risk.” National Cyber Director Chris Inglis was CC'd on the letter in the hopes that he’ll collaborate with the SEC on this effort.
FCC’s rip-and-replace program costs continue to climb.
As we noted last week, the Federal Communications Commission’s (FCC) effort to remove, replace, and dispose of all network equipment deemed a national security threat in the US’s wireless infrastructure is proving to be a far larger and more costly endeavor than anticipated. SDxCentral reports that the network currently contains at least 24,000 pieces of equipment manufactured by Chinese vendors Huawei or ZTE. This comes on the heels of the news that the cost of the “rip-and-replace” effort, initially estimated at $700 million, has already ballooned to a staggering $5.6 billion, with one hundred eighty-one eligible network operators, enterprises, health care providers, libraries, and learning institutions having submitted applications requesting funding. The costs per network vary widely, from smaller institutions estimated in the low tens of thousands of dollars, to one of the largest networks, Viaero Wireless, estimating the process will cost over one billion dollars, nearly the amount initially estimated to cover all of the organizations in the program. With applications rolling in until June, the FCC faces the arduous task of considering how realistic each organization’s cost estimates are, and applicants whose requests are determined to be “materially deficient” will have just fifteen days to resolve the issues or face denial.