What's on the 2024 Legislative Wish List for Congress?
Security Experts on Hopes for Smart AI Regulations, New Cyber Partnerships
The White House, Congress and federal agencies raced to keep up with a rapidly evolving cybersecurity landscape throughout 2023, a year characterized by the introduction of new artificial intelligence tools, record-breaking ransomware attacks and emerging threats to critical infrastructure sectors across the country.
The administration issued a wave of guidance - most notably the national cybersecurity strategy issued by the Office of the National Cyber Director in March. The plan seeks to fundamentally shift the bulk of cybersecurity responsibilities from end users to the organizations most capable and best positioned to mitigate threats, while realigning cybersecurity incentives to favor long-term investments in "secure by design" principles (see: White House Unveils Biden's National Cybersecurity Strategy).
Millions of Americans nationwide also began harnessing the power of AI technologies in 2023, from ChatGPT to the explosion of new machine learning tools and services available across the web. The White House meanwhile secured voluntary commitments from big tech firms leading AI development to follow a set of best practices, and it worked with international partners to form a G7 Code of Conduct for AI development (see: G7 Unveils Rules for AI Code of Conduct - Will They Stick?).
But so far, the recent AI guidance and cybersecurity requirements remain largely voluntary and unenforceable. Congress has signaled plans to introduce bipartisan, comprehensive legislation to begin regulating AI, as well as new cybersecurity mandates to secure the supply chain. As lawmakers gear up for a new year of legislative priorities, Information Security Media Group spoke with cybersecurity professionals and AI experts about what they hope to see come out of Washington in 2024.
Collaboration and Coordination
"One actionable recommendation may be to build agencywide stakeholder working groups to understand the use cases that are necessary to supporting mission needs," said Todd Helfrich, vice president of the federal sector at Censys. "Another would be to identify the data sources that comply with federal mandates and directives as outlined in the White House EO on AI and align with agency objectives, which we're starting to see made transparent coming out of CDAO and NIST."
But Katharina Sommer, associate director of government affairs and analyst relations for NCC Group, said the system is too fragmented and needs to be fixed.
"It will be crucial to successfully implement the various announcements and commitments to date," Sommer said. "It will be equally important to understand the interconnectedness between the different proposals and harmonize domestically and internationally. We are entering a period of intense legislative action that will see requirements layered upon requirement, with potential to lead to fragmentation and confusion and, at worst, conflicting requirements."
'Secure by Design' Software
Mike Wilkes, senior security advisor for CYE, told ISMG he is "very much a fan of CISA's efforts to require companies who make software and offer internet-based services to adopt 'secure by design' and help us shift from 'hardening systems' - which means that they are vulnerable by default - to 'softening systems' where someone has to actively work to lower their security posture - which they likely won't do."
Agency Funding
Many experts said that 2024 is an election year, suggesting it could be difficult to pass significant cybersecurity legislation or advance critical funding measures for cyber agencies and initiatives.
"In an election year, the most realistic legislative agenda we can hope Congress will achieve would include finally updating the Federal Information Security Management Act, continued efforts to improve supply chain cybersecurity and providing consistent and robust funding for the Technology Modernization Fund to replace outdated, vulnerable IT," said Robert DuPree, manager of government affairs at Telos. "Congress should also support FedRAMP efforts to promote adoption and use of Open Security Controls Assessment Language."
Supply Chain Security
Helfrich told ISMG that securing critical infrastructure, election security and security in the supply chain were among the most important issues lawmakers need to address in 2024. Also, he added, "A greater emphasis must be placed on secondary and tertiary suppliers and partners through the collaborative support of the federal government and the larger systems integrator community."
Training and Information Sharing
When it comes to legislative measures that Congress could enact to enhance collaboration and information sharing among industry stakeholders, government agencies and international partners, DuPree called on lawmakers to "push the federal government to, where practicable, harmonize cybersecurity requirements and standards for the private sector," including certifications as well as breach notification and disclosure requirements.
Helfrich said that Congress could work toward implementing "more cyber exercises, domestically and internationally," adding that "continued participation in national and international cyber exercises is key to solving the latest challenges and ever-evolving adversarial threats."
Wilkes urged Congress to "provide strong incentives for companies to join the sector ISAC," adding, "There are 27 national ISACs. Information Sharing and Analysis Centers are a great way to increase our collective resilience to attack and disruption by bad actors."
Facing the Political Headwinds
As we approach an uncertain and polarizing election year, Grant Schneider, senior director of cybersecurity services at Venable and an ISMG contributor, said of his legislative wish list, "I would start with funding the government."
"It's an election year with a very contentious, very divided Congress," Schneider said. "Hopefully, cyber will stay nonpartisan, and we'll be able to get some things on the books."