Federal Involvement in Cybersecurity
The federal regulations mentioned above were created with the concept of information security at their core. That said, each of these regulations has components that relate to cybersecurity somewhat indirectly. These regulations mandate that healthcare organizations, financial institutions, federal agencies, etc. protect their systems and the information found within those systems. This is a fairly broad approach to security, as these rules are prescriptive in nature and basically mandate that organizations secure the data they collect and maintain a “reasonable” level of security. Of course, these regulations do not specifically address numerous computer-related industries, such as Internet Service Providers (ISPs) and software companies. They also do not provide a great deal of guidance that is directly related to cybersecurity. Furthermore, the vague language of these regulations leaves much room for interpretation.
To provide more guidance with regard to cybersecurity, the federal government went on to pass a number of other laws. The Cybersecurity Information Sharing Act passed in 2014 has the objective of improving cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes. The law allows the sharing of Internet traffic information between the U.S. government and technology and manufacturing companies. The Cybersecurity Enhancement Act of 2014 provides an ongoing, voluntary public-private partnership to improve cybersecurity and strengthen cybersecurity research and development, workforce development, and education and public awareness and preparedness. The Federal Exchange Data Breach Notification Act of 2015 requires a health insurance exchange to notify each individual whose personal information is known to have been acquired or accessed as a result of a breach of security of any system maintained by the exchange as soon as possible but not later than 60 days after discovery of the breach. The National Cybersecurity Protection Advancement Act of 2015 amended the Homeland Security Act of 2002 to allow the Department of Homeland Security's (DHS's) National Cybersecurity and Communications Integration Center (NCCIC) to include tribal governments, information sharing and analysis centers, and private entities among its non-federal representatives.
Lastly, the Cybersecurity and Infrastructure Security Agency (CISA) was established in November 2018 when the Cybersecurity and Infrastructure Security Agency Act of 2018 was passed and signed into law. CISA describes itself as “the Nation’s risk advisor, working with partners to defend against today’s threats and collaborating to build more secure and resilient infrastructure for the future.” The agency was created with the understanding that the threats against the national security of the United States had become more complex and, potentially, technological and/or digital in nature.
CISA’s website markets the organization as being able to carry out its mission by developing a partnership between the public and private sectors. CISA’s website states that it seeks to help organizations “better manage risk and increase resilience using all available resources, whether provided by the federal government, commercial vendors, or their own capabilities.”
Because CISA is one of the newest federal agencies, it is difficult to determine how far its reach will extend into the cybersecurity of organizations outside the purview of the United States federal government. What we do know is that the number of cyberattacks is increasing on all aspects of American life. Because of the increasing risk of these attacks, CISA was created by the federal government to lead the effort to mobilize a collective national defense to understand and manage risk to our critical infrastructure.
The CISA website also says that the organization’s partners span both public and private sectors. The programs and services provided by CISA have been developed from the perspective of an advanced understanding of the risk environment and designed with the corresponding needs of stakeholders. CISA seeks to help organizations better manage risk and increase resilience using all available resources, whether provided by the federal government, commercial vendors, or their own capabilities.