A bill introduced Thursday by the chairman of the Senate Republican High-Tech Task Force is intended to establish voluntary cyber hygiene best practices for companies and consumers.
“With cybercriminals growing bolder in their attacks, strengthening our cybersecurity infrastructure remains one of my top priorities in the Senate,” according to a statement from Sen. Orrin Hatch, R-Utah, who unveiled the bipartisan bill. “Cyberattacks threaten our economy and inflict untold damage on thousands of Americans. Fortunately, proper cyber hygiene can prevent many of these attacks. This bill will establish best practices for cyber hygiene that will help Americans better protect themselves from enemies online.”
The Promoting Good Cyber Hygiene Act would create a baseline of best practices; ensure those practices are reviewed and updated annually and published on a publicly accessible website; and direct the Department of Homeland Security (DHS) to investigate the cybersecurity threats raised by the proliferation of the Internet of Things (IoT).
While Michael Overly, cybersecurity lawyer at Foley & Lardner LLP, said “this type of legislation could be argued to create a de facto standard that if a business follows it, they will be protected from potential liability,” he said that in total the “bill will have absolutely no impact whatsoever on the problem” of getting businesses to improve their cyber hygiene.
“For the last twenty years, two of the most fundamental precepts of good information security practices have been: (i) prompt patch management for security issues; and (ii) proper employee training. Notwithstanding the fact that every single treatise, white paper, best practice, industry group, security standard, etc. has made clear that those two practices form the foundation of good security, WannaCry, Golden Eye, and the myriad of other malware attacks and social engineering attacks have shown that some businesses are not taking the necessary steps to protect their business,” Overly said. “So while it would certainly be fine to have yet another rendition of those and other basic security principles, the bottom line is that many, many businesses just aren't following them – regardless of how many times malware attacks make the front pages of newspapers. I see no amount of voluntary guidances that reiterate those principles as having a dramatic impact on the problem.”