Cybercrime, Fraud Management & Cybercrime, Legislation & Litigation

Bills deal with criminal penalties, school district protection and more

Scott Ferguson (Ferguson_Writes) •
June 21, 2021

Republican and Democratic lawmakers recently introduced several cybersecurity-related bills aimed at addressing issues ranging from tougher penalties for cybercriminals to improved protection for school districts.

A Senate bill, the International Cybercrime Prevention Law, would increase criminal penalties for attackers who target critical U.S. infrastructure, such as power plants and hospitals. Meanwhile, a House bill, the Kindergarten to Grade 12 Cyber ​​Security Improvement Act, would provide funds to protect school district networks.

See also: Live Webinar | The role of passwords in the hybrid workforce

A third measure, the Data protection law, would create a federal agency to protect Americans’ private data.

Additionally, several senators are circulating a federal breach notification bill that would require government agencies and businesses that support critical infrastructure to report a cyber incident to the Cybersecurity and Infrastructure Agency within 24 hours (see: Senators draft federal breach notification bill).

Recent legislation

The legislative proposals follow President Joe Biden’s summit meeting on Wednesday with Russian President Vladimir Putin, where they discussed issues related to cybercrime, including concerns that the Russian government was allowing cybercriminals to operate within its borders (see: Analysis: The cyber impact of the Biden / Putin summit meeting).

Chris Pierson, CEO of cybersecurity firm BlackCloak, said legislative activity is a response to increasing ransomware and other cyber attacks. But he says that “many of these efforts are purely superficial, and while some may help prosecute cybercriminals, most will not actually address or mitigate the risk to the United States or its critical infrastructure.”

The government must create a broader strategy to improve cybersecurity, adds Austin Berglas, who was previously the deputy special agent in charge of cyber investigations at the FBI’s New York office.

“The increase in sanctions will play a role, but will not be effective without changes in other important areas,” said Berglas, who is now global head of professional services at cybersecurity firm BlueVoyant. “The United States has taken a big step forward in declaring ransomware attacks a threat to national security – raising the priority within the Department of Justice on par with counterterrorism and counterintelligence. using ‘bulletproof accommodation’ or infrastructure protected from law enforcement and legal proceedings will allow the increased penalties to have the appropriate deterrent effect.

Cybercrime Prevention Act

The International Cybercrime Prevention Act, which was introduced in the Senate last week, would give the US Department of Justice additional tools to prosecute cybercrime activities and create tougher penalties for attackers who target critical infrastructure, including dams, power plants, hospitals and electoral infrastructure.

The bill would also give federal prosecutors new powers to shut down botnets and other types of infrastructure used for cyber attacks and criminalize the sale of access to botnet networks.

“From a criminal enterprise perspective, we have to increase the cost of doing business here. These people are probably making millions of dollars, and the penalties are inadequate for the crime,” said Senator Lindsey Graham, RS. vs. of four senators supporting the bill, said on Thursday press conference required to present the bill.

Another sponsor, Sen. Sheldon Whitehouse, DR.I., said he hopes the bill will address some of the cybersecurity loopholes uncovered in recent ransomware attacks against Colonial Pipeline Co. and the Meat Processor. JBS.

Andrew Barratt, chief executive of security consultancy Coalfire, says that while the International Cybercrime Prevention Act is a step in the right direction, giving U.S. prosecutors and the FBI additional powers won’t help when there are many cybercriminals operating in the dark. abroad outside the domain of US law enforcement. .

“Giving the courts the power to shut down botnets is, in theory, a great provision. However, if those botnets are built from devices in other countries, the United States will be powerless to do anything but work. more closely with their allies in the UK, Europe and elsewhere, “Barratt says.” Some crime never happens on American soil, and as such it might be better to add a extra attention to extradition treaties and… alliances with other countries allowing the creation of a common standard that supports arrest, prosecution and extradition. “

School Safety Bill

The Enhancing K-12 Cybersecurity Act was introduced by Rep. Doris Matsui, D-Calif., And is supported by a bipartisan group of House members, including Rep. Jim Langevin, DR.I., and John Katko, RN.Y. , both of whom sit on the House Homeland Security Committee which has investigated several recent cyber incidents (see: House Probes Specifics of Colonial Ransomware Attack).

The bill would provide $ 10 million over the next two years to create a K-12 cybersecurity technology improvement program overseen by CISA to help school districts prevent attacks on their networks. The legislation would also create a voluntary registry to track these incidents and allow CISA to share best practices with school districts.

Since the start of the COVID-19 pandemic, several school districts in the United States have been affected by ransomware as well as distributed denial of service attacks that have disrupted in-person and virtual learning. In March, attackers posted 26,000 files belonging to the Broward County Public School District in Florida to a darknet site after authorities refused to pay a ransom (see: Ransomware attacks on schools: the latest developments).

“Cyber ​​attacks targeting schools have already forced class cancellations and exposed students’ sensitive personal information. As cybercriminals become more sophisticated and aggressive, we must provide the resources and information necessary to protect our schools. ” Matsui mentionned.

Confidentiality invoice

On Thursday, Senator Kirsten Gillibrand, DN.Y., reintroduced data protection law that would create an independent federal agency dedicated to protecting Americans’ data, protecting the privacy of citizens, and ensuring that businesses and government agencies follow certain personal data practices.

Gillibrand first introduced the bill in February 2020, but the bill was not put to a vote in the Senate (see: Senator calls for federal online privacy agency).

The latest version of the bill, Gillibrand noted, includes “updated provisions to protect against privacy breaches and discrimination, oversee the use of high-risk data practices, and to review and propose remedies for the social, ethical and economic impacts of data collection “.

The new agency created under the bill would also oversee mergers between large tech companies, including the transfer of data where the personal information of 50,000 or more people is involved.