Cybersecurity is not just a concern for very large companies but instead should be on the radar of all companies. While the breaches experienced by Target, The Home Depot, or even Equifax may garner much of the press, small businesses are increasingly the target of choice for cyber criminals. With less budget to focus on IT protections, a belief that they are not “targets,” and, increasingly, significant stores of personal or sensitive information on their systems, small businesses are ripe targets for criminals and opportunists.
This increase in cybersecurity attacks on small businesses has gotten the attention of Congress. On October 11, the House of Representatives passed a cybersecurity bill requiring the government to provide cybersecurity resources and guidance to small businesses. The bipartisan bill, known as the “NIST Small Business Cybersecurity Act of 2017,” was sponsored by Rep. Daniel Webster (R-Fla.), 13 other Republicans and four Democrats. It requires the Director of the Department of Commerce’s National Institute of Standards and Technology (NIST) to provide cybersecurity resources to small businesses to help fight rising cybersecurity threats.
The bill is intended to bring basic cybersecurity knowledge and solutions to small businesses —an area of commerce that often does not have the time or resources to devote to such topics. The resources required by the bill would include “guidelines, tools, best practices, standards, methodologies,” and other information that could assist small businesses in identifying, assessing, managing, and reducing their cybersecurity risks. To assemble this information, the Director of NIST is required to consult with the heads of other government agencies and within a year of the enactment of the law, disseminate clear and concise resources to assist small businesses with their cybersecurity efforts.
In addition to informing and educating small businesses, the bill is focused on widespread implementation and adoption. The bill specifies that the resources should be generally applicable so as to be usable by a wide range of small businesses. The resources are also required to be flexible with the size and type of small business at issue as well as with the sensitivity of the data collected, stored, and used by that small business. Importantly, the bill also specifies that the resources should be technology-neutral — that is focused on functionality and not on a particular provider or particular technological solution. And, the bill requires the resources to be directed at solutions that are implementable using off-the-shelf and readily obtainable technologies — allowing for solutions that are cheaper and more available to small businesses with limited resources.
The Senate passed a similar, bipartisan bill, the MAIN STREET Cybersecurity Act of 2017, on September 28. With the earlier executive order from the current administration addressing cybersecurity had bipartisan support in both houses of Congress, this law may be a rare political topic with universal support that could see rapid progress to enactment. However, in the past Congress has struggled to pass a federal bill that incorporates security measures applicable across all industries. Many states have aggressively lobbied against such legislation, preferring to control such requirements at the state level and not at the federal level.
Another issue is funding. The bill anticipates that it will be implemented within the current budget. With substantial tax cuts on the table for discussion, this bill may go where its predecessors have gone – nowhere.