Federal scientists at the National Institute for Standards and Technology would be tasked — in consultation with the Department of Homeland Security and the Federal Trade Commission — to develop concise voluntary guidelines for basic online security measures, called cyber-hygiene, under a new bipartisan bill introduced in both chambers of Congress.
The bill also would mandate DHS to investigate the cybersecurity risks posed by the burgeoning number of small, cheap devices connected to the web as part of the mushrooming internet of things or IoT.
In the Senate, S.1475 — “A bill to provide for the identification and documentation of best practices for cyber hygiene by the National Institute of Standards and Technology, and for other purposes” — was introduced Thursday by Republican Orrin Hatch of Utah, chairman of the powerful Finance Committee, and Democrat Ed Markey of Massachusetts, a veteran of tech-policy debates.
The House version, HR.3010, the Promoting Good Cyber Hygiene Act of 2017, was introduced last week by California Democrat Anna Eshoo and Indiana Republican Susan Brooks. Eshoo introduced similar legislation in 2015, but it went nowhere in that Congress. Now, with a companion bill in the Senate backed by Hatch, its chances look much better.
The bill would give NIST a year to consult with the other agencies and publish drafts for public comment before finalizing the guidance, which should give special consideration to “emerging technologies and processes that provide enhanced security protections, including multi-factor authentication, data loss prevention, micro-segmentation, data encryption, cloud services, anonymization, software patching and maintenance, phishing education, and other standard cybersecurity measures to achieve trusted security in the infrastructure.”
The resulting guidelines would be reviewed and updated annually.
“The scary truth is that data security experts have suggested 90 percent of successful cyberattacks are due to system administrators overlooking two integral pillars of network security: cyber hygiene and security management,” Eshoo said in a statement. “By instituting commonsense best practices, system administrators can better protect their networks and consumer data from a majority of known cyber threats.”
“Proper cyber hygiene can prevent many [cyber] attacks,” Hatch said in a separate statement. “This bill will establish best practices for cyber hygiene that will help Americans better protect themselves from enemies online.”
In a third statement thanking his cosponsors, Markey highlighted the bill’s Internet of Things provisions, warning that the IoT era “could morph into the internet of threats era if appropriate cybersecurity safeguards are not put in place now to protect consumers.”