Biden signs Better Cybercrime Metrics Act into law

The new law, which received bipartisan Congressional support, represents the latest step by the US federal government to establish requirements to improve the collection of data related to cyber crime and cyber-enabled crime.

According to Forbes, the Better Cybercrime Metrics Act comes in the midst of rising concerns and warnings about increased cyber attacks by Russia in response to the US’ support of Ukraine.

In a press release, Representative Abigail Spanberger who sponsored the legislation stated that it will improve how the federal government tracks, measures, analyses and prosecutes cyber crime.

By starting the process of building an effective system to track cyber crime incidents, Spanberger further explained that the legislation "will allow US law enforcement agencies to better identify cyber threats, prevent attacks, and take on the challenge of cyber crime.”

Spanberger, representing Virginia’s Seventh Congressional District in the US House of Representatives and a former CIA case officer and former federal agent, recalled the damaging effects of the ransomware attack on the Colonial Pipeline a year ago.

“In an instant, the American people saw how cyber crime – now the most common crime in America – could jeopardise the integrity of critical infrastructure, the American economy, and our national security.

“And as cyber criminals increasingly adapt their methods of attack against vulnerable people and networks, the United States must improve our cyber crime classification system.

“Otherwise, we are risking the safety and privacy of American families, homes, businesses, and government agencies,” Spanberger warned.

VIEW ALL

Additionally, Lisa Plaggemier, interim executive director at the National Cybersecurity Alliance, pointed out, “the Biden administration has made no secret about making cyber security one of its top priorities.

“On a purely cyber level, for far too long, the United States has operated in an opaque and uncoordinated manner when it comes to cyber security and unfortunately, this has made it much easier to compromise American entities and has resulted in a widespread erosion of public trust.

“So, while this bill will not fix everything on its own, by tackling reporting head-on – which is one of the most pivotal, yet under-reported areas of effective attack mitigation – it does stand to help boost collaboration and transparency between a host of business sectors and the public that they serve.

“Moreover, it is another key foundational building block in American cyber security policy and strategy that many within the cyber security space feel [are] likely overdue,” she said.

Businesses impact

Michael Bahar, the former deputy legal advisor to the National Security Council and minority staff director and general counsel for the House Intelligence Committee, added that there is no such thing as too little too late when it comes to shoring up the nation’s – or a corporation’s – cyber security.

“Every little bit helps, and sometimes even seemingly small (and overdue) measures can have an outsized impact,” Bahar said.

However, Bahar, who is now a litigation partner at global law firm Eversheds Sutherland and co-leads the global cyber security and data privacy practice, further explains that the new law does not impose additional requirements on businesses, nor does it directly fund national cyber defence efforts.

“It increases the quantity and quality of cyber crime metrics, which, coupled with advanced analytics, should reveal insights and trends that lead to better prevention and enforcement.

“Our cyber security solutions, both at the corporate level and the national level, will benefit from the more fulsome understanding of the cyber crime problem,” Bahar said.

Moving forward

Michael Baker, vice president and chief information security officer for General Dynamics Information Technology, commented that the new law, “will have a positive impact” on combating the growing number of cyber attacks as it will allow quicker and more seamless sharing of cyber threat intelligence across industries and government.

“We need to ensure that this collective intelligence is distributed broadly and immediately to cyber defence teams to limit the impact of and breadth of modern cyber attacks,” Baker said.

The US must stay ahead of adversaries Baker added, due to the increase in motivation and sophistication of adversaries set on gaining a competitive or strategic advantage over the US.

“The ability for the US to come together across public and private entities to quickly distribute lessons learned and contribute to a collective defence is essential to moving forward.

“The US must act accordingly to stay ahead,” Baker warned.

Limitations

James Turgal, a former executive assistant director for the FBI’s Information and Technology branch and now vice president of cyber risk, strategy and board relations for Optiv Security, observed that intelligence sharing between the victims of crime and law enforcement is always a good thing.

“Currently, cyber attack statistics are unreliable, as some companies report attacks immediately,” Turgal said.

A large number of victim companies refuse to report attacks, Turgal pointed out, as they see it as a weakness that could result in a competitive disadvantage due to the belief the impact on stock price, company value and brand, will be too great.

“This new legislation, coupled with the previously passed Cyber Incident Reporting for Critical Infrastructure Act of 2022, will, in theory, allow for the mandatory reporting of cyber attacks by victims in the critical infrastructure industries within specified timeframes.

“Those reporting statistics would then be collected and reported on every year by the Bureau of Justice Statistics as mandated by the Better Cybercrime Statistics Act.

“While collecting the metrics of cyber attacks would be beneficial, unless the company is in a critical infrastructure industry, the reporting is voluntary and probably not going to happen,” Turgal predicted.

Advice For business leaders

According to Baker of General Dynamics Information Technology, companies must be viewing cyber security risk as a business risk at the board level.

Baker recommends the following for best practice:

• Empowering the chief information security officers to guide their company’s cyber strategy.
• Holding themselves accountable for the basics like patching and actively monitoring their networks.
• Prioritising prudent investments to grow the maturity of their programs over time with steps such as two-factor authentication and other needed capabilities to thwart adversaries and cyber criminals.

[Related: Pegasus spyware targets Spanish PM, defence minister]