11:27 AM
Connect Directly

Legislation Still Needed On National Cyber Security Standard

While the President’s executive order on cyber security last week brought public attention to the growing issue of cyber threats, legislation is still needed from Congress to help block attacks like those aimed at banks in recent months.

Although bankers reacted positively to the Obama administration’s executive order last week concerning cyber security, legislation is still needed from Congress to develop a national cyber security standard, says Mercedes Tunstall, the head of the privacy and data security group at Ballard Spahr LLP, a national law firm. Such legislation failed to pass the last Congress, and a similar version of the bill was recently re-introduced to both the House and the Senate, Tunstall reports. “The executive order is a necessary step to help raise the national conversation on cyber security,” Tunstall explains. “But it doesn’t carry the force of legislation. It can only affect the way things operate under the existing laws and give a directional focus.”

[See Related: Cyber Attacks More Frequent and Harder to Detect]

The executive order called on government agencies and private institutions - including banks - to share more information pertaining to cyber security threats. But legislation can further help in this area by shielding banks from liability to encourage them to share information about cyber attacks and data breaches targeted at them, Tunstall says. Banks are understandably concerned that information that they share with the government can later be subpoenaed and open them up to litigation, she explains. “We need to help banks with sharing that information,” she says, adding that anti-money laundering legislation can provide a blueprint for how banks can share that information without liability. Congress has already amended the Bank Secrecy Act to allow banks to voluntarily share information about money laundering without opening themselves up to possible litigation. Similar legislation would allay any hesitancy on the par of the banks in sharing cyber threat information with the government, Tunstall suggests.

On the other hand improvements can also be made through legislation to help the government share information with banks too, she points out. “Sometimes the government will have information about an impending cyber attack that banks might find useful but they can’t share it because of national security concerns,” Tunstall explains. Any cyber security legislation should include protocols that help the government share information with relevant institutions if it is known that a cyber attack is coming against them.

The executive order may help in passing the new version of cyber security legislation that has been put in to Congress as it raises the profile of the issue, Tunstall reasons. As government agencies explore new ways to work with the existing laws under the executive order it should help lead to a more informed discussion in Congress this time around, she adds. Given the high number of cyber attacks against banks in the last few months, it is certainly in the best interests of the industry to see the legislation passed this time around.

Jonathan Camhi has been an associate editor with Bank Systems & Technology since 2012. He previously worked as a freelance journalist in New York City covering politics, health and immigration, and has a master's degree from the City University of New York's Graduate School ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Author
2/19/2013 | 5:17:34 PM
re: Legislation Still Needed On National Cyber Security Standard
Tunstall makes a good point, I believe banks would want any information-sharing initiative to protect that information from being used in litigation against them.

Bryan Yurcan
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This is a secure windows pc.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.