Warner-McCaul Cyber Act Becomes Law
Cybersecurity legislation is coming sooner than you think.
WASHINGTON – The Senate and the House of Representatives approved the Warner-McCaul Cyber Act of 2017 Tuesday, with overwhelming bipartisan majorities in both houses. The bill creates the first coordinated federal effort to reduce the nation’s cyber risk by uniting all federal efforts under centralized control within the Department of Homeland Security, and by mandating federal standards for managing cyber risk.
The sweeping Act will be signed into law by President Trump in a signing ceremony with key congressional sponsors in attendance at the White House on Friday. It is the culmination of efforts led by Senator Mark Warner (D-VA) and Representative Mike McCaul (R-TX), both long-time champions of more effective federal oversight of cybersecurity. Warner is a member of the Senate Select Committee on Intelligence and co-founder of the Senate Cybersecurity Caucus; McCaul has chaired the House Committee on Homeland Security since January of 2013.
The main provision of the Act defines a major reorganization and consolidation of domestic cyber risk management efforts into a single strong cybersecurity group at the Department of Homeland Security. The new DHS agency is tasked with bridging the information sharing gap that currently exists between the private sphere and federal government.
Another provision of the Act outlines a plan that enables commercial and governmental organizations to be eligible for reduced insurance premiums by certifying compliance with the Cyber Security Framework (CSF) developed by NIST. The program will be administered by a non-profit agency based in Texas, with certification handled by ANSI-accredited certifying groups.
“Cybersecurity is one of the most serious economic and national security challenges we face as a nation, and both the private and the public sector need to be better prepared to address the escalating threat from cyberattacks,” said Senator Warner in a recent interview. “Rifle shots targeting a massive, growing problem have been insufficient. We need a broad policy response that is adaptable to technological developments and the ever-changing cyber field. This is the next logical step toward a more resilient cybersecurity posture for the country.”
Congressman McCaul has long been an advocate of taking stronger cybersecurity measures nationwide. “The passage of this bill shows widespread recognition that network security is national security, and of the need to treat it as seriously as other threats. By consolidating our efforts toward a stronger defensive posture, we are increasing our ability to encourage both companies and agencies to make cyber risk a key part of their overall strategy,” said McCaul.
The Warner-McCaul Cyber Act is comparable to the Sarbanes-Oxley Act passed in 2002. Following a series of highly publicized financial fraud events by Enron, WorldCom, and others, Senator Paul Sarbanes (D-MD) and Representative Michael Oxley (R-OH) sponsored passage of a far-reaching bill that deeply transformed the level and accuracy of financial reporting by U.S. corporations. The law increased the oversight role of boards of directors and the independence of the outside auditors who review the accuracy of corporate financial statements. The Cyber Act has evolved in a parallel fashion (see table below).
Other bills were introduced in recent years, but most never made it out of committee to the floor for debate. This time, the increase in the number and scope of cyberattacks drew the attention and commitment of leaders from both sides of the aisle. Massive breaches like Yahoo’s revelation in late 2016 that billions of customer accounts had been breached and gone unreported for two years highlighted the urgency to take broad action to curtail cyberattacks. The potential for Russian control of the nation’s power grid created additional pressure on Congress to act to mitigate cyber risk to the nation’s networks. Immediately after the Vermont utility was hacked, Senator Angus King (I-ME) said “The next Pearl Harbor will be cyber,” he said. “It’s a cheap way to attack. No bombers or submarines needed.”