017 - Appendix 6 Cybersecurity Legislation Overview

1 00:00:00,240 --> 00:00:04,839 Speaker 1: Section sixteen of Report on Securing and Growing the Digital Economy. 2 00:00:05,440 --> 00:00:09,199 This is a LibriVox recording. All LibriVox recordings are in 3 00:00:09,240 --> 00:00:13,080 the public domain. For more information or to volunteer, please 4 00:00:13,160 --> 00:00:18,719 visit LibriVox dot org. Recording by Colin McMahon. Report on 5 00:00:18,800 --> 00:00:22,359 Securing and Growing the Digital Economy by the Commission on 6 00:00:22,480 --> 00:00:30,960 Enhancing National Cybersecurity. Appendix six Cybersecurity Legislation Overview. This appendix 7 00:00:31,079 --> 00:00:34,600 gives an overview of selected efforts by Congress to address 8 00:00:34,640 --> 00:00:40,520 cybersecurity nineteen eighty through nineteen eighty nine. One Public Law 9 00:00:40,679 --> 00:00:44,960 ninety eight DASH four seven three Counterfeit Access Device and 10 00:00:45,000 --> 00:00:49,079 Computer Fraud and Abuse Act of nineteen eighty four October twelfth, 11 00:00:49,159 --> 00:00:52,439 nineteen eighty four. This law made it illegal to access 12 00:00:52,479 --> 00:00:57,439 and use computers and computer networks without authorization to do so. Two. 13 00:00:57,920 --> 00:01:02,000 Public Law ninety nine Dash fouris seventy four Computer Fraud 14 00:01:02,000 --> 00:01:06,040 and Abuse Act of nineteen eighty six October sixteenth, nineteen 15 00:01:06,079 --> 00:01:10,159 eighty six. Building on the Counterfeit Access Device and Computer 16 00:01:10,280 --> 00:01:13,319 Fraud and Abuse Act of nineteen eighty four, this law 17 00:01:13,359 --> 00:01:17,000 made additional actions illegal, such as destruction of data without 18 00:01:17,040 --> 00:01:22,719 authorization and distribution of stolen passwords three. Public Law one 19 00:01:22,799 --> 00:01:26,799 hundred Dash two thirty five Computer Security Act of nineteen 20 00:01:26,840 --> 00:01:31,799 eighty seven January eighth, nineteen eighty eight. The Computer Security 21 00:01:31,840 --> 00:01:35,239 Act of nineteen eighty seven was established to ensure that 22 00:01:35,280 --> 00:01:41,000 all federal agencies implemented basic cybersecurity measures for protecting sensitive information. 23 00:01:41,680 --> 00:01:45,159 The law designated the National Bureau of Standards now known 24 00:01:45,239 --> 00:01:49,040 as the National Institute of Standards and Technology or NIST, 25 00:01:49,599 --> 00:01:53,400 as the lead agency for developing cybersecurity standards, with the 26 00:01:53,480 --> 00:01:58,079 National Security Agency and Essay providing assistance. This law was 27 00:01:58,120 --> 00:02:01,680 replaced by the Federal Informations Security Management Act in two 28 00:02:01,719 --> 00:02:06,239 thousand and two nineteen ninety through nineteen ninety nine. Four. 29 00:02:06,799 --> 00:02:11,199 Public Law one oh four Dash thirteen Paperwork Reduction Act 30 00:02:11,280 --> 00:02:14,759 of nineteen ninety five, May twenty fifth, nineteen ninety five. 31 00:02:15,439 --> 00:02:18,840 This law designated the Office of Management and Budget OMB 32 00:02:19,400 --> 00:02:24,639 as the agency responsible for federal agency cybersecurity policies. Five 33 00:02:25,240 --> 00:02:28,479 divisions D and E. Public Law one oh four Dash 34 00:02:28,560 --> 00:02:31,879 one oh six Klinger Cohen Act of nineteen ninety six 35 00:02:32,439 --> 00:02:37,520 February tenth, nineteen ninety six. The Klinger Cohen Act designated 36 00:02:37,560 --> 00:02:43,840 agency responsibilities related to their cybersecurity policies and processes. Six 37 00:02:44,319 --> 00:02:47,520 Public Law one oh four Dash one ninety one Health 38 00:02:47,560 --> 00:02:52,319 Insurance Portability and Accountability Act of nineteen ninety six, August 39 00:02:52,400 --> 00:02:56,599 twenty first, nineteen ninety six. The Health Insurance Portability and 40 00:02:56,639 --> 00:03:01,400 Accountability Act HIPPA included provisions for ensuring the security of 41 00:03:01,439 --> 00:03:06,840 sensitive healthcare information. Seven Title II Public Law one oh 42 00:03:06,879 --> 00:03:11,800 four Dash two ninety four National Information Infrastructure Protection Act, 43 00:03:12,360 --> 00:03:16,199 October eleventh, nineteen ninety six. Title II of this law 44 00:03:16,319 --> 00:03:19,400 revised the Computer Fraud and Abuse Act of nineteen eighty 45 00:03:19,439 --> 00:03:24,360 six by expanding the definitions of computer crime. Eight Title 46 00:03:24,479 --> 00:03:27,879 five Public Law one oh Sixdash one oh two Graham 47 00:03:28,000 --> 00:03:32,000 Leach Blidely Act of nineteen ninety nine, November twelfth, nineteen 48 00:03:32,039 --> 00:03:36,439 ninety nine. This law required financial institutions to protect the 49 00:03:36,479 --> 00:03:41,879 confidentiality of all sensitive data regarding their customers. Two thousand 50 00:03:42,039 --> 00:03:46,159 to two thousand nine. Nine Public Law one oh seven 51 00:03:46,280 --> 00:03:49,719 Dash two oh four Starbine's Oxley Act of two thousand 52 00:03:49,759 --> 00:03:54,080 two July thirty, two thousand and two. This law, directed 53 00:03:54,080 --> 00:03:58,520 at publicly owned US companies, contained requirements to produce annual 54 00:03:58,560 --> 00:04:04,759 assessments of internal control, including cybersecurity measures. Ten titles two 55 00:04:04,800 --> 00:04:07,719 and three. Public Law one oh seven DESH two ninety 56 00:04:07,759 --> 00:04:11,520 six Homeland Security Act of two thousand and two, November 57 00:04:11,560 --> 00:04:15,000 twenty five, two thousand and two. The Homeland Security Act 58 00:04:15,120 --> 00:04:20,120 established the Department of Homeland Security DHS to focus federal 59 00:04:20,120 --> 00:04:24,839 efforts on safeguarding the nation against threats, including cybersecurity threats, 60 00:04:25,240 --> 00:04:29,839 and to respond to disasters caused by those threats. Eleven 61 00:04:30,160 --> 00:04:33,839 Public Law one oh seven DESH three oh five Cybersecurity 62 00:04:33,879 --> 00:04:37,600 Research and Development Act, November twenty seventh, two thousand and two. 63 00:04:38,439 --> 00:04:40,839 The purpose of this law was to increase the federal 64 00:04:40,879 --> 00:04:46,199 government's funding of cybersecurity research and development. Several ways to 65 00:04:46,240 --> 00:04:51,839 do so were specified, including National Science Foundation NSF research grants, 66 00:04:52,519 --> 00:04:57,759 research fellowships awarded by NSF and NIST, the development of 67 00:04:57,800 --> 00:05:03,120 security configuration checklists by NIST to help agencies secure their 68 00:05:03,160 --> 00:05:08,160 computer hardware and software. The creation by NIST of the 69 00:05:08,199 --> 00:05:12,959 Computer Systems Security and Privacy Advisory Board, which was subsequently 70 00:05:13,000 --> 00:05:19,199 renamed the Information Security and Privacy Advisory Board ISSPAB. A 71 00:05:19,240 --> 00:05:23,720 study by the National Academy of Science of Critical Infrastructure cybersecurity, 72 00:05:24,439 --> 00:05:28,839 coordination of federal cybersecurity are and D efforts between NSF 73 00:05:28,959 --> 00:05:35,279 and NIST twelve, Title three Information Security Public Law one 74 00:05:35,319 --> 00:05:39,399 oh seven DH three forty seven. The Federal Information Security 75 00:05:39,439 --> 00:05:42,920 Management Act of two thousand and two December seventeenth, two 76 00:05:42,959 --> 00:05:46,399 thousand and two, also known as the e Government Act 77 00:05:46,439 --> 00:05:50,519 of two thousand and two. The Federal Information Security Management 78 00:05:50,560 --> 00:05:54,399 Act of two thousand and two FISMA was intended to 79 00:05:54,519 --> 00:05:59,000 ensure that all federal agencies implemented basic cybersecurity measures at 80 00:05:59,040 --> 00:06:03,680 a minimum fa LI. FISMA designated NIST as the agency 81 00:06:03,720 --> 00:06:07,680 responsible for developing security guidelines and guidance to be used 82 00:06:07,680 --> 00:06:13,160 for securing federal civilian agency systems. Section thirteen Public Law 83 00:06:13,279 --> 00:06:16,519 one oh nine DASH fifty eight Energy Policy Act of 84 00:06:16,519 --> 00:06:20,759 two thousand five, August eight, two thousand five. This law 85 00:06:20,839 --> 00:06:26,279 required the Federal Energy Regulatory Commission FEERC to develop standards 86 00:06:26,319 --> 00:06:30,079 for the reliability of certain types of electric power facilities. 87 00:06:30,920 --> 00:06:34,680 Fourteen Public Law one oh nine DASH two ninety five 88 00:06:35,279 --> 00:06:40,560 Department of Homeland Security Appropriations Act two thousand seven, October four, 89 00:06:40,680 --> 00:06:44,639 two thousand and six. This law required new regulations for 90 00:06:44,759 --> 00:06:52,319 chemical facility security, including cybersecurity requirements. Fifteen Public Law one 91 00:06:52,480 --> 00:06:56,560 ten DESH one forty Energy Independence and Security Act of 92 00:06:56,600 --> 00:07:01,319 two thousand seven December nineteen, two thousand seven. This law 93 00:07:01,439 --> 00:07:05,399 designated ANIST as the agency leading the effort to create 94 00:07:05,480 --> 00:07:11,639 interoperability standards for the smart grid. Sixteen Division A Title 95 00:07:11,680 --> 00:07:15,879 thirteen and Division B Title iov Public Law one eleven 96 00:07:16,000 --> 00:07:20,839 DASH five Health Information Technology for Economic and Clinical Health Act, 97 00:07:21,240 --> 00:07:25,639 February seventeen, two thousand nine. This law built on HIPPA 98 00:07:25,759 --> 00:07:30,040 by requiring notifications for health care data breaches and strengthening 99 00:07:30,079 --> 00:07:35,279 penalties for insufficient protection of healthcare data. Twenty ten to present. 100 00:07:36,199 --> 00:07:41,079 Seventeen Public Law one thirteen DASH two forty six Cybersecurity 101 00:07:41,160 --> 00:07:46,519 Workforce Assessment Act, December eighteenth, twenty fourteen. This law required 102 00:07:46,560 --> 00:07:52,519 regular assessments of the DHS Cybersecurity Workforce. Eighteen Public Law 103 00:07:52,600 --> 00:07:57,079 one thirteen DASH two seventy four Cybersecurity Enhancement Act of 104 00:07:57,120 --> 00:08:02,519 twenty fourteen, December eighteenth, twenty five fourteen. This law encouraged 105 00:08:02,560 --> 00:08:05,600 the public and private sectors to work together to improve 106 00:08:05,639 --> 00:08:10,040 cybersecurity in terms of research and development, workforce preparedness, and 107 00:08:10,079 --> 00:08:15,360 public awareness. Nineteen Public Law one thirteen two eighty two 108 00:08:15,639 --> 00:08:21,399 National Cybersecurity Protection Act of twenty fourteen, December eighteenth, twenty fourteen. 109 00:08:22,160 --> 00:08:25,319 The purpose of this law was to codify the responsibilities 110 00:08:25,360 --> 00:08:32,080 of the National Cybersecurity and Communications Integration Center NCCIC. Twenty 111 00:08:32,399 --> 00:08:37,320 Public Law one Thirteenash two eighty three Federal Information Security 112 00:08:37,360 --> 00:08:42,639 Modernization Act of twenty fourteen, December eighteenth, twenty fourteen. This 113 00:08:42,840 --> 00:08:48,679 law modified FISMA to revise cybersecurity incident reporting requirements for 114 00:08:48,799 --> 00:08:55,200 federal agencies, clarify certain federal agency cybersecurity authorities, and streamlined 115 00:08:55,240 --> 00:09:00,600 cybersecurity reporting. Twenty one Public Law one thirteen DESH ninety 116 00:09:00,679 --> 00:09:04,960 one National Defense Authorization Act for Fiscal year twenty fifteen 117 00:09:05,360 --> 00:09:09,600 December nineteenth, twenty fourteen. Title eight Subtitle D of this 118 00:09:09,720 --> 00:09:13,600 law contains portions of what was originally HR twelve thirty 119 00:09:13,600 --> 00:09:20,039 two Federal Information Technology Acquisition Reform Act FITARA. The law 120 00:09:20,080 --> 00:09:24,440 required some changes to federal information technology practices that had 121 00:09:24,519 --> 00:09:29,559 implications for cybersecurity, most notably quote consolidation of federal data 122 00:09:29,559 --> 00:09:34,519 centers end of quote twenty two division n Public Law 123 00:09:34,600 --> 00:09:39,039 one fourteen sh one thirteen Cybersecurity Act of twenty fifteen, 124 00:09:39,320 --> 00:09:43,960 December eighteenth, twenty fifteen. The Cybersecurity Act of twenty fifteen 125 00:09:44,519 --> 00:09:51,200 contains the Cybersecurity Information Sharing Act CISA. CISA encouraged the 126 00:09:51,240 --> 00:09:56,519 sharing of cybersecurity threat information among public and private sector organizations. 127 00:09:57,799 --> 00:10:02,840 End of section sixteen recording by Colin McMahon. End of 128 00:10:02,919 --> 00:10:06,399 Report on Securing and Growing the Digital Economy by the 129 00:10:06,399 --> 00:10:09,159 Commission on Enhancing National Cybersecurity