Only 18% Of Cybersecurity Laws Passed In 2018, Despite Consumers Losing $1.4B In Cybercrimes

Cybercrime Is Booming

Cybercrime, an umbrella term for crime executed through the use of computer networks and the Internet, has ballooned in recent years as more and more of our daily lives are conducted online. In 2017, cybercrime in the US cost victims at least $1.4 billion, according to a May 2018 report from the FBI’s Internet Crime Complaint Center, better known as IC3.

That number is considered a conservative estimation, based on the 300,000 complaints the IC3 received during 2017. According to the FBI, many people don’t actually report cybercrimes. The month of October has been designated “National Cybersecurity Awareness Month”, and this year the Department of Homeland Security (DHS) launched an awareness campaign to promote cybersecurity principles among the public, urging citizens to be more careful with how they submit personal information online.

But the vulnerabilities posed by increasingly sophisticated cybercrimes aren’t limited to consumer actions. The largest and potentially most damaging data breaches that we saw in 2017 — such as the now-infamous Equifax breach — were the result of slack security protocols at big companies, something that consumers have no control over. Critical infrastructure is also at risk from attack. In 2017, a wave of electricity companies were struck by hackers who were able to take control of grid networks.

Election infrastructure is also at risk. 2018 saw a surge in cybercrimes related to federal, state and local elections across the US, following a similar surge in 2016.

Federal-level cybersecurity lags

Cybersecurity policies across agencies at the federal level lag behind European counterparts. In 2015, President Obama signed into law the Cybersecurity Information Sharing Act, referred to as CISA, which created a public-private framework for businesses and government agencies to voluntarily share valuable information about cybersecurity threats. The bill enjoyed widespread bipartisan support, and security experts agree that the legislation was a good first step in bolstering the country’s approach to cybercrime.

Among federal agencies, little progress has been made. A recent report released by the White House’s Office of Management and Budget (OMB) concluded that of the 96 federal agencies assessed, 74% were at risk to cyber attacks and needed immediate improvements to their cybersecurity infrastructure. The outlook worsened when President Trump eliminated the cybersecurity coordinator on the National Security Council, a position created by President Obama, fueling concerns that the country’s progress on cybersecurity was eroding.

Congress, meanwhile, successfully passed Rep. Michael McCaul’s Cybersecurity and Infrastructure Security Agency Act, which president Trump signed into law in November 2018. This bill establishes the DHS’s National Protection and Programs Directorate (NPPD) as a standalone federal Cybersecurity and Infrastructure Security Agency (CISA), charged with overseeing federal and civilian cybersecurity programs covering critical infrastructure, and will oversee various cybersecurity offices within the federal government, including the Federal Protective Service (FPS), the Office of Biometric Identity Management (OBIM), the Office of Cyber and Infrastructure Analysis (OCIA), the Office of Cybersecurity & Communications (OC&C), and the Office of Infrastructure Protection (OIP).The agency will remain under the purview of DHS, but will have more authority in its duties and will receive increased funding.

Statewide cybersecurity organizations: New Jersey

States are taking unique approaches to cybersecurity programs, but New Jersey stands out as a clear pioneer in effective cybersecurity measures. The state’s Cybersecurity and Communications Integration Cell was founded by executive order under Gov. Chris Christie in 2015 to act as a one-stop shop for cybersecurity information sharing, analysis, and incident reporting across the state. The program is based on the federal Department of Homeland Security’s National Cybersecurity Communications Integration Center (NCCIC).

Many of the cybersecurity bills proposed and passed across state legislatures are aimed at shoring up state government IT practices to protect against possible data breaches. The Kansas state legislature, for example, passed its Cybersecurity Act of 2018 during the most recent legislative session, formalizing some of the state’s current cybersecurity practices and laying the foundation for the creation of a statewide cybersecurity council.

Data breach rules to protect citizens: New York and California

States are also grappling with how to protect residents from businesses’ data breaches. Only a handful of states, including California and New York, have created laws aimed at governing cybersecurity requirements for companies that have access to sensitive data.

In 2016, New York Gov. Andrew Cuomo and the state’s Department of Financial Services proposed new regulations designed to require banks, insurance companies and other financial institutions to develop their own cybersecurity programs and designate CISOs. The regulations are considered an important first for state governments in dealing with cybercrime, though some experts disagree as to the effectiveness of the regulations in light of similar rules at the federal level.

More recently, California Gov. Jerry Brown signed the California Consumer Privacy Act of 2018 into law in June. The legislation, introduced by Assembly member Ed Chau (D) and state Sen. Robert Hertzberg (D) and approved with unanimous support, is widely considered the U.S.’s strictest online privacy law on the books. The law, which takes effect in 2020, is similar to the EU’s recently implemented GDPR rules: it gives consumers control over their personal data, granting them the right to know what data is being collected, how it is being collected and how it is being used.

Cybersecurity solutions: what needs to happen to stop the bleed

The 2018 cybersecurity infrastructure law (sometimes also referred to as “CISA”) may address some of the shortcomings of the 2015 CISA law, but it’s still too early to tell just how impactful the new legislation will be. On paper, it looks more like a organizational shuffle than anything else.

At the federal level, a more disciplined approach to IT network security, data policies and cybercrime monitoring would help the U.S. catch-up to European counterparts. The OMB report, for instance, recommends standardizing cybersecurity processes and IT capabilities across federal agencies.  

In the meantime, state governments will continue to shoulder the burden of cybersecurity. Recognizing this imperative, 39 state governors banded together in 2017 to sign an interstate cybersecurity compact. The “Compact to Improve State Cybersecurity” outlines a set of guidelines for states establishing cybersecurity programs. Recommendations include conducting risk assessments for critical infrastructure, developing integrated data governance policies aimed at better managing data within state networks and systems; incentivizing students and veterans to enter cybersecurity training programs, and creating information-sharing frameworks between state agencies.

And as data breaches become more common — and more devastating — state officials are taking measure to protect their residents. In December 2018, twelve state attorneys general filed suit against a group of healthcare IT companies in the wake of a data breach that occurred in 2015. We may see more of these types of lawsuits moving forward.