From Idea to Cyber Law
Security researcher Roy Shomake takes a closer look into how cyber laws begin and the process by which they become law.
I recently searched for 'cybersecurity' at congress.gov and it returned 965 results for both law and proposed bills containing the word. This article will provide some insight into how a cyber law starts with an idea and becomes law, it is meant to provide some level of awareness of the legislation process and what cyber laws exist.
Legislation Process
A paper written by J. Cousteau provides a good understanding of the legislation process. This article will summarize the research completed by Cousteau, along with information found at house.gov and votesmart.org.
A bill first begins with an idea and ideas can stem from many places. A legislator might see a problem or the public might bring it to their attention. A public official, state employees, or many organizations might suggest ideas. Only members of congress can introduce a bill and that includes The House of Representatives or The Senate. In order for the process to begin a legislator or legislative committee must sponsor the idea. The legislative assembly cannot draft their own bills according to the rules.
The Office of the Legislative Counsel is made up of attorneys and other professionals who will prepare the bill in the proper format and language and all of the work being drafted by the Legislative Counsel is confidential. While the Legislative Counsel is drafting the bill, the public may not be aware what the bill entails.
Once the Legislative Counsel goes through the draft process the bill is given back to the sponsor. At this time the sponsor can obtain additional sponsors or provide the draft bill to the chief’s legislative officer, which for The Senate is the Secretary. The chief legislative officer for the House of Representatives is the Chief Clerk. A member will introduce the bill in the chamber they serve. At this time the bill is still a draft and the chief legislative officer ensures the process has been completed correctly. The bill is then issued the appropriate filing numbers and goes through precession, then first reading. The first reading is where the public will hear the proposed law for the first time.
Once the bill is read it will then be provided to the presiding officer. The Senate’s President or the Speaker for the House of Representatives. The next step is a fiscal and revenue review. This step looks at what impact the bill will have on taxes and how much it will cost to support the act.
After this step the bill is referred to a committee of subject matter experts. Depending on the subject matter there might be more than one committee. The committee will hold public actions and hearings on the proposed bill. The committee can pass, pass with amendments, or do not pass. This is also where the public can testify regarding the bill. If the bill passes the committee it will move onto the House floor. Generally, the House is given a limited amount of time to debate the bill. Once the bill passes the House it moves onto The Senate. The Senate has an unlimited amount of time to debate a bill. If the bill passes the Senate it is then sent to the President who can sign the bill into law, veto it, or send it back to congress.
Even in summarized form that is a long process to have an idea converted to a bill, but it does hopefully provide some insight into what and where the public needs to voice their concerns with a bill. It seems the best place to voice concern about a bill is during the committee review. The public could also voice their concern with the House or the Senate, who can then further debate the bill.
Not all rules are law
Not all rules created to protect privacy, infrastructure, or data are law. For example, PCI-DSS protects credit card holder information, but is not a law. PCI-DSS is an example of a standard, which is discussed briefly in this article. Even though PCI-DSS is not law, some states can impose laws which establish liability for not following PCI-DSS. The Minnesota law requires merchants to reimburse banks and other entities for not protecting credit card PCI data. Furthermore, it is important to understand the difference between a statue and regulation (or administrative law).
Statue versus Regulation
A statue is law which has been passed by congress or the legislature, as already described. A statue can be at the state or federal level. When a bill goes through the legislative process and is signed into law, it becomes a statue. A regulation details how a statue will be enforced, and has the same force of law. A statue must be passed first, then congress will assign a regulatory body to enforce that law. This is important to know since without enforcement we may not have compliance.
A few current laws
This will definitely not be an exhaustive list or a deep dive to understand cyber laws in detail. A search for cyber security at congress.gov returned 965 results for both law and proposed bills. Adding the filter “became law” reduces the search to 98.
The objective is to provide a high-level overview of a few common laws or a few that caught my attention. I encourage all readers to review the laws out there in more depth and stay current on proposed legislative.
A good resource for state laws is:
http://www.ncsl.org/research/telecommunications-and-information-technology/cybersecurity-legislation-2018.aspx
Interested in finding your state law on what is considered illegal hacking? Check-out:
http://www.ncsl.org/research/telecommunications-and-information-technology/computer-hacking-and-unauthorized-access-laws.aspx
For a list proposed legislative or laws that have passed take a look at:
https://www.congress.gov
HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) is one law that is probably familiar to many. HIPAA requires covered entities and their business associates to protect the privacy of patient information. This information can be paper or electronic format.
HIPAA has a privacy and security rule. The privacy rule was first introduced into law April 2003 and the security rule introduced in April 2005. The HIPAA security rule focuses the confidentiality, integrity, and availability of data.
Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act imposes regulations for financial institutes to protect the privacy and security of financial information. Similar to HIPAA the Gramm-Leach-Bliley has both a privacy and security provision. The security provisions are where one would find the most information regarding protection from cyber security.
Both the HIPAA and Gramm-Leach-Bliley Act impose regulations to protect the privacy and security of a person and their data.
Homeland Security Act
The homeland Security Act became law in 2002 with the primary goal to protect all critical infrastructure. Part of the act has a specific focus on information security, which is section 225 or the Cyber Security Enhancement Act of 2002. Similar in nature to HIPAA and the Gramm-Leach-Bliley act, it also focuses on confidentiality, integrity, and availability of data. The Act also imposes penalties in cases involving fraud in connection with computer access to protected information or restricted access. Another law was introduced to broaden the homeland security act, which is the National Cybersecurity Protection Advancement Act of 2015.
Cyber Security Enhancement Act of 2014
As the name suggests the Cyber Security Enhancement Act of 2014 became law in 2014. The purpose is to enhance the sharing of cyber threats through public-private partnerships. This law is voluntary and covers the sharing of internet traffic. This law also mandates agencies such as the DoD, USDA, NASA to develop, and update federal cybersecurity research and development strategic plan. There are also provisions in the law for education and workforce development, cybersecurity awareness and preparedness, and advancements of cybersecurity technical standards.
Cyber Intelligence Sharing and Protection Act
The Cyber Intelligence Sharing and Protection Act, signed into law in 2015, presents a law that allows the sharing of enhanced information. The Cyber Intelligence Sharing and Protection Act is aimed to share information between private entities and the Government. The idea with the law is to protect the major infrastructure of the United States. Private entities includes state, tribal, or local governments performing electric or other utility services.
Summary
There are so many laws or bills out there with provisions related to cyber security and I hope this article provides the reader some insight and the interest to dig a little deeper. I encourage everyone working in information security to proactively watch what bills are about to become law and think about how they can impact upon you.