FORBES, EDWARD SEGAL

President Joe Biden today signed the Better Cybercrime Metrics Act into law. The measure, which received bipartisan Congressional support, represents the latest step by the federal government to help beef up various aspects of the country’s cyber defenses. The new law establishes requirements to improve the collection of data related to cybercrime and cyber-enabled crime.

The new law comes in the midst of rising concerns and warnings about increased cyberattacks by Russia in response to the U.S.’ support of Ukraine.

Rep. Abigail Spanberger (D-Va.) who sponsored the legislation, said in a press release that it will improve how the federal government tracks, measures, analyzes, and prosecutes cybercrime. By starting the process of building an effective system to track cybercrime incidents, she said the legislation “will allow U.S. law enforcement agencies to better identify cyberthreats, prevent attacks, and take on the challenge of cybercrime.”

Spanberger, a former CIA case officer and former federal agent, recalled that “One year ago this week, we saw the damaging effects of the ransomware attack on the Colonial Pipeline.

“In an instant, the American people saw how cybercrime —now the most common crime in America—could jeopardize the integrity of critical infrastructure, the American economy, and our national security.

“And as cybercriminals increasingly adapt their methods of attack against vulnerable people and networks, the United States must improve our cybercrime classification system. Otherwise, we are risking the safety and privacy of American families, homes, businesses, and government agencies,” Spanberger warned.

Cybersecurity experts and observers shared their insights and thoughts about the new law.

Lisa Plaggemier, interim executive director, at the National Cybersecurity Alliance, pointed out, “The Biden administration has made no secret about making cybersecurity one of its top priorities.

“On a purely cyber level, for far too long the United States…. has operated in an opaque and uncoordinated manner when it comes to cybersecurity. And unfortunately, this has made it much easier to compromise American entities and has resulted in a widespread erosion of public trust.

“So, while this bill will not fix everything on its own, by tackling reporting head-on —which is one of the most pivotal, yet under-reported areas of effective attack mitigation— it does stand to help boost collaboration and transparency between a host of business sectors and the public that they serve.

“Moreover, it is another key foundational building block in American cybersecurity policy and strategy that many within the cybersecurity space feel [are] likely overdue,” she said.

Michael Bahar is the former deputy legal advisor to the National Security Council and minority staff director and general counsel for the House Intelligence Committee. He is now is a litigation partner at global law firm Eversheds Sutherland and co-leads the global cybersecurity and data privacy practice.

Bahar said, “There is no such thing as too little too late when it comes to shoring up the nation’s — or a corporation’s cybersecurity. Every little bit helps, and sometimes even seemingly small (and overdue) measures can have an outsized impact.

“This [new law] does not impose additional requirements on businesses, nor does it directly fund national cyber defense efforts; rather, it increases the quantity and quality of cybercrime metrics, which, coupled with advanced analytics, should reveal insights and trends that lead to better prevention and enforcement,” Bahar predicted.

The bill Biden signed into law today, “…. gets to that point. Our cybersecurity solutions, both at the corporate level and the national level will benefit from the more fulsome understanding of the cybercrime problem,” he concluded.

Michael Baker is vice president and chief information security officer for General Dynamics Information Technology. He thought the new law, “will have a positive impact on combating the growing number of cyberattacks as it will allow quicker and more seamless sharing of cyber threat intelligence across industries and government.

“We need to ensure that this collective intelligence is distributed broadly and immediately to cyber defense teams to limit the impact of and breadth of modern cyberattacks,” he counseled.

Baker said that “The ability for the U.S. to come together across public and private entities to quickly distribute lessons learned and contribute to a collective defense is essential [for] moving forward.

“The motivation and sophistication of our adversaries to gain a competitive or strategic advantage over the U.S. is only increasing; thus, the U.S. must act accordingly to stay ahead,” he warned.

James Turgal is a former executive assistant director for the FBI’s Information and Technology branch and now vice president of cyber risk, strategy and board relations for Optiv Security.

He observed that “Intelligence sharing between the victims of crime and law enforcement is always a good thing. Currently, cyberattack statistics are unreliable, as some companies report attacks immediately.”

But Turgal pointed out that, “a large number of victim companies refuse to report attacks, as they see it as a weakness, a competitive disadvantage or they believe the impact on stock price, company value, and more importantly, [the] brand, will be too great.

“This new legislation, coupled with the previously passed Cyber Incident Reporting for Critical Infrastructure Act of 2022, will, in theory, allow for the mandatory reporting of cyberattacks by victims in the critical infrastructure industries within specified timeframes.”

Then, he said, “those reporting statistics would then be collected and reported on every year by the Bureau of Justice Statistics as mandated by the Better Cybercrime Statistics Act.

“While collecting the metrics of cyberattacks would be beneficial, unless the company is in a critical infrastructure industry, the reporting is voluntary and probably not going to happen,” Turgal predicted.

Baker of General Dynamics Information Technology recommended that “Companies must be viewing cyber security risk as a business risk at the board level.”

He said that includes:

Empowering the chief information security officers to guide their company’s cyber strategy.
Holding themselves accountable for the basics like patching and actively monitoring their networks.

Prioritizing prudent investments to grow the maturity of their programs over time with steps such as two-factor authentication and other needed capabilities to thwart our adversaries and cybercriminals.