U.S. Cybersecurity State Coordinator Act: Spotlight on our Shortcomings

Chloe Aronoff
Foundation for a Human Internet
Jan 19, 2021
Graphic by Samantha Weslin

We are no strangers to the divisive tragedy of extreme political polarization. We have watched the consequences spill over Capitol Hill and through government buildings via the recent insurrection. Many of us question how people can coexist and progress can prevail when faced with such radical differences. Luckily, there are some instances in which Republicans and Democrats — unencumbered by the fringe — converge for the collective security of our nation.

Often, this happens with cybersecurity interventions.

In the United States, we live under a looming shadow of cyberattack on infrastructure, organizations, and personal devices. Cybersecurity legislation helps companies, individuals, and systems protect themselves from cyberattacks and manage the consequences.

In 2020, U.S. Senator Maggie Hassan (New Hampshire) introduced the Cybersecurity State Coordinator Act (CSCA), to be included in the 2021 National Defense Authorization Act. The act has the potential to greatly improve coordination between state and federal governments in the event of a cyberattack. In response to growing threats and the high cost of defense, collaboration between branches may provide a more efficient and effective response.

Hassan’s commitment to cyber safety

The bill has bipartisan support within the Senate Cybersecurity Caucus. Hassan’s cosponsors include Republican senators John Cornyn (Texas) and Rob Portman (Ohio) as well as fellow Democrat Gary Peters (Michigan).

The CSCA is part of the 2021 National Defense Authorization Act, which allocates defense funding for the United States Military on an annual basis. The act exists alongside attempts to restore a cybersecurity director at the federal level, as the position was eliminated under the Trump Administration.

Hassan’s enduring passion for cybersecurity fueled her endorsement of several other pieces of legislation over the years, such as the Department of Homeland Security (DHS) Cyber Hunt and Incident Response Teams Act, which calls for private sector cybersecurity specialists to be included in the federal response. She notes that there is sufficient effort to “mitigate damage”, but not enough emphasis on prevention and response to sophisticated attacks:

“Cyberattacks can be devastating for communities across our country, from ransomware attacks that can block access to school or medical records to cyberattacks that can shut down electrical grids or banking services,” -Sen. Maggie Hassan

(Ransomware is malware that encrypts files to block access or threatens to publish information unless a ransom is paid. Read more about hospital attacks here.)

This is a crisis that Hassan knows firsthand.

In 2018 and 2019, soon after her time as governor, she observed the ransomware attacks on New Hampshire’s Strafford County and the Sunapee School Districts. Since then, she has been adamant that resources be allocated to local officials to deal with these threats.

With the Cybersecurity State Coordinator Act, the focus extends from public-private sector coordination to the state-federal level partnership that would have allowed for a swifter and more thorough response to this type of attack.

The quick & dirty of the act

The CSCA positions states as the “front line of communication and response”, while including localities/municipalities and tribal entities in the provisions. Currently, the Department of Homeland Security’s Cybersecurity Advisors Program encompasses 11 advisors among 10 regions. They advise local government officials with regard to risk, security programs/processes, and partnerships. Under the CSCA, a cybersecurity coordinator would be appointed by the U.S. Cybersecurity and Infrastructure Agency of the DHS for each state to address threats and take an active role in the nationwide response.

State coordinators will have four main responsibilities:

1) Improved coordination between state, federal, and non-government agencies to direct attention to international threats on a state-level basis.

2) Active prevention, defense, and damage control in response to threats.

3) Information disclosure.

4) Improving knowledge of federal resources for non-federal entities.

Additionally, federal authority in the presence of cyberattacks will remain consistent, with no modifications as a result of the act.

What’s missing?

Assistance from a coordinator can only go so far. The bill does not necessarily propose interventions with regard to user IT hygiene (individual-level efforts to maintain privacy and data security) or address internal organizational/governmental threats. As stated in Verizon’s Data Breach Investigations Report, “in the corporate world, a known internal attack is typically more common than an external one.”

While this may surpass the scope of the CSCA, individual mitigation of security breach risks remains a loophole in many new legislative proposals. Increased communication with an advisor may help, but complicating the solution (allowing for more potential gaps) without addressing user autonomy may have adverse effects.

Despite the clear mandate to maintain consistency in federal authority, the CSCA bill does not explicitly discuss the extent of surveillance that exists within the State Coordinator’s risk advisor duties.

As a result, some may ask: would increased state and federal intelligence sharing have negative implications for surveillance and if so, is this worth increased security? Many agree that communication about security threats ultimately increases privacy. Nonetheless, there is always the question as to whether surveillance, especially in the hands of the government, could surpass the scope of ethical duty.


Can humanID help solve the remaining need for user IT hygiene?

While legislation supporting increased coordination in response to threats addresses certain needs, there are clearly loopholes in terms of individual autonomy in risk mitigation. humanID addresses a key gap around micro (individual)-level and internal threats. The role of state-level coordinators does not directly address the problematic ability to create multiple digital identities. Such a capability helps to instigate untraceable attacks in the first place.

However, humanID can also go beyond an individual method for risk management to provide a community-based solution. When all Personally Identifiable Information is deleted from servers within seconds and accountable digital identity is maintained, threats of data leakage in a ransomware attack become futile.

The CSCA is likely a solid addition to the legislative arsenal against cyberattack. Regardless, we cannot wait for policy interventions to take charge of our digital destiny.

The fear surrounding social control via surveillance goes beyond government policy. To learn more, check out Jacob Hanna’s article Civilian Deputies: Ring, the New Surveillance, and Risks.

What’s humanID?

humanID is a new anonymous online identity that blocks bots and social media manipulation. If you care about privacy and protecting free speech, consider supporting humanID at www.human-id.org, and follow us on Twitter & LinkedIn.

All opinions and views expressed are those of the author and do not necessarily reflect the position of humanID.
