The Urgent Need for New, National Comprehensive Cybersecurity Regulation
By Miles Brinkley
Hacking, for better (e.g., Anonymous) or worse (e.g., your personal computer), has become a well settled norm of our modern lives. The threat of cybersecurity attacks permeates our course of living so much that it is at once omnipresent and invisible. We have come to treat its remedial options much like we have hurricane or fire insurance—we have it because we must. That is to say, the inevitability of an attack is so certain, as we know a hurricane or fire is bound to cross our paths at some point, that foregoing cyber defense altogether is not a tenable option. However, they happen so rarely (so we think) that we pay no mind to the robustness of our strategy.
Well, in lock step with the increasing frequency of both fires and hurricanes, cyber-attacks have become so frequent in occurrence and devastating in magnitude that the “insurance” mindset is no longer an option. Attackers have multiplied in allegiance and aim alike, and with the new sandbox of sophisticated machine learning and AI-powered tools, their damage capabilities have compounded into truly frightening—and highly feasible—prospects. Consider just two recent examples: Last month, two non-state-backed hacker collectives used cutting edge ransomware technology to breach the gaming operations of several MGM and Caesars-owned properties in Las Vegas, costing both gaming giants millions of dollars in valuable operation time and revenue, as well as falling stock prices in the wake of the news.[1] The significance of this is that these gaming institutions, for precisely the reasons you’d expect (the billions of dollars a month they process), traditionally have the most layered, complex, and impenetrable cyber defense postures of any private entity in the world—including investment banks and law firms. Even more threatening than that, in 2018, Russian-backed actors successfully carried out attacks on critical U.S. infrastructure targets, including a nuclear power plant in Kentucky.[2] While their success was mitigated and did not cause a domestic Chernobyl, the fact alone of a successful cyber penetration of a nuclear power plant should have been enough to trigger Congressional reform, given the present capabilities of hostile states to sponsor successful attacks and severity of what greater damage could look like if nuclear plants are vulnerable.
However, Congress continued to treat cybersecurity regulation just as it does insurance: leave it loosely regulated and up to private companies to craft and states to regulate. The current patchwork of unsuitable federal regulations and unbalanced state policies continue to leave the country woefully vulnerable to the modern threat landscape, both through private institutions like banks and public utilities like power. Currently, there is no uniform federal law that regulates cybersecurity in the U.S.[3] Section 5 of the Federal Trade Commission Act, which serves as the primary governing cybersecurity law, requires that all U.S. organizations must engage in all “reasonable and necessary” security practices yet does not specify any cognizable standard for reasonable and necessary, allowing companies to shortchange their posture for financial considerations.[4] Other Congressional measures, such as the Gramm-Leach-Bliley Act, ensure that specific industries—in this case, financial—adhere to similarly vague standards of security.[5] The Cybersecurity and Infrastructure Security Agency (CISA) is the federal agency under the Department of Homeland Security (DHS) primarily responsible for protecting critical infrastructure from cyber-attacks, while the National Institute of Standards and Technology (NIST) is a non-regulatory agency that provides chief cybersecurity posture guidance for many organizations.[6]
While the current administration has noted the importance of strengthening a federal stance on cybersecurity, executive orders for more oversight simply will not suffice.[7] The U.S. desperately must act from the legislative branch to enact sweeping national reform if it hopes to keep its infrastructure and citizens safe from the multifaceted and fast-developing threat landscape it faces. Congress should take heed of the European Union’s example, where its commission has passed a Cybersecurity Act that allows for a robust and uniform defense against the modern attack landscape.[8] Taking a strong national approach allows for information sharing and the expertise of agencies such as NIST to provide their expertise in crafting a binding national standard, while private companies may drive innovation and their own success in meeting and exceeding these frameworks for their clientele. Most importantly, it ensures quick and dynamic response from all sectors of the American economy and public utilities, such that by adhering to a Congressionally enforced standard, Americans may rest comfortably that no integral part of their lives, whether that be gaming, leisure, or crucial resources, be threatened even the most formidable weapons on the black market.
Miles Brinkley is a 2L at Vanderbilt Law School who will practice in Houston, Texas following graduation. Prior to law school, Miles spent four years working in the private cybersecurity sector for two startups focused on network, cloud, and endpoint defense.
[1] Zeba Siddiqui, Hackers Who Breached Casino Giants MGM, Caesars Also Hit 3 Other Firms, Okta says, Reuters (Sep. 19, 2023), https://www.reuters.com/technology/hackers-who-breached-casino-giants-mgm-caesars-also-hit-3-other-firms-okta-says-2023-09-19/.
[2] Katie Benner and Kate Conger, U.S. Accused 4 Russians of Hacking Infrastructure, Including Nuclear Plant, N.Y. Times (Mar. 24, 2022), https://www.nytimes.com/2022/03/24/us/politics/russians-cyberattacks-infrastructure-nuclear-plant.html.
[3] Federal Cybersecurity and Data Privacy Laws Directory, IT Governance USA, https://www.itgovernanceusa.com/federal-cybersecurity-and-privacy-laws.
[4] 15 U.S.C. § 45.
[5] 15 U.S.C. § 6801.
[6] Cybersecurity Laws and Regulations in US [2023], Enterprise Engineering Solutions, https://www.eescorporation.com/cybersecurity-laws-and-regulations-in-us/.
[7] See Exec. Order No. 14028, 86 Fed. Reg. 26633 (May 12, 2021).
[8] The EU Cybersecurity Act, European Commission, https://digital-strategy.ec.europa.eu/en/policies/cybersecurity-act.