Cybersecurity regulations aim to secure computer systems and offer guidelines for companies to follow. Not following them can lead to penalties and legal action as maintained in the US cybersecurity regulations. While regulations vary among nations, they have transformed over time in response to the evolving threat landscape.
In the United States of America, federal and state laws form the basis of cybersecurity regulations. The Federal Trade Commission (FTC), the Department of Homeland Security (DHS), and the National Institute of Standards and Technology (NIST) work to ensure the smooth enforcement of cyber laws.
The Federal Trade Commission Act is the main law that governs cybersecurity in the US, especially for businesses. The Gramm-Leach-Bliley Act (GLB) also guides organizations to protect customer data in keeping with the policy.
Decoding US Cybersecurity Regulations
Chuck Brooks, a recognized authority in cybersecurity with more than two decades of experience, shared insights on the cybersecurity evolution with The Cyber Express. “Since the formal establishment of the Internet in 1983, the digital landscape has greatly evolved in capabilities, speed, and connectivity,” said Brooks.
“It has also become more perilous from threat actors engaged in criminal and state-sponsored hacking,” he stated.
He noted that the United States developed a significant emphasis on cyberspace starting around 2003, marked by the formulation of the President’s National Strategy to Secure Cyberspace by the Department of Homeland Security (DHS).
The plan focused on expanding collaboration between government and industry and protecting critical infrastructure.
“Since then, there have been many regulatory initiatives and mandates across the globe, including Europe’s GDPR, the recent Security Exchange Commission’s requirements for breach disclosure in the US, India requiring CERT-In incident reporting, and many other countries having enacted regulations,” Chuck elaborated.
“Most of those regulations have been privacy-oriented, but that is now changing to be cybersecurity-oriented,” Chuck added.
Voted as one of the most influential women in Cyber & Diversity Champion, Holly Foxcroft conveyed her observations on the evolution of cybersecurity over time.
“We can date the beginning of ‘regulation’ back to the 1970s,” Foxcroft, a Committee Member of BCS NeurodiverIT Specialist Group, told The Cyber Express.
She reiterated that there was an increased focus on the use (or misuse) of data now than before. Addressing how conflicts can arise in terms of regulations, Foxcroft added, “Regulation of technology and the use of cyberspace is not only limited to nation-states but also the organizations who own platforms, which can cause conflict such as to the protection of freedom of speech.”
Keeping the present focus on AI technology, enhanced machine learning, and quantum, Foxcroft expressed concern over the lack of clarity in its regulations.
Foxcroft further said that the rapid growth and development of artificial intelligence without any clear regulation or clarity between companies and governments is worrying how these systems are being built, deployed, and monitored both ethically and responsibly.
Let us investigate the changing cybersecurity regulations in the US and what contributed to the modifications in policies.
In the United States, the California Consumer Privacy Act (CCPA) offers the most comprehensive cyber laws to secure the data of California residents.
Initially, CCPA promoted the right to know how one’s personal information was shared, and the right to delete the same. It noted that people can opt out of having their data shared and have the right to non-discrimination ensuring the CCPA protects all without discrimination on the basis of race, age, gender, etc.
With time, newer rights were added to the CCPA after getting approval and being amended on January 1, 2023. It entailed the right to correct one’s data, and the right to limit the disclosure of their information with those including third parties.
Industry-specific US cybersecurity regulations are the Health Insurance Portability and Accountability Act (HIPAA) of 1996 for healthcare. Also called Kennedy-Kassebaum Act shares how personally identifiable information must be handled by healthcare and health insurance industries.
HIPAA amended the Employee Retirement Income Security Act, the Internal Revenue Code, and the Public Health Service Act. The various Titles of HIPAA were modified to make better group health plans, health insurance policies, and job locks.
Earlier job locks led employees to stick to their jobs or lose their health coverage which was amended in Title I of HIPAA. It offered protection to employees to keep their and their family’s health insurance coverage.
It was in July 2005, when a provision was announced to file electronic claims using HIPAA standards to be eligible for payment. In 2006, it was made mandatory to use a single new National Provider Identifier (NPI) by all the covered entities including hospitals, and insurance companies that used electronic communications.
The use of 10-character NPIs replaced all other identifiers while keeping the state license number and other critical identifiers intact.
In 2006 the Health and Human Services (HHS) which is the department of the US federal government for safeguarding the health of the American people issued a few critical rules for HIPAA compliance.
It included civil financial penalties for the violation of the HIPAA rules.
The Gramm-Leach-Bliley Act (GLBA) of 1999 regulates data privacy mainly in the financial sector. It changed and modified several barriers found in the Glass-Steagall legislation of 1933.
The Glass-Steagall legislation’s conflict of interest prohibition, which limited the concurrent service of specific officials in a bank or firm, was lifted. While the GLBA facilitated smoother mergers among financial services firms, it mandated these companies to comply with the Community Reinvestment Act (CRA).
Mergers were needed to pass the CRA exams of the regulatory bodies.
The GLBA covered the Financial Privacy Rule, The Safeguard Rule, and the Pretexting Protection. The Financial Privacy Rule made it mandatory for financial institutions to offer privacy notices and explain data usage to consumers.
The Safeguard Rule stated the need for organizations to develop a written information security plan detailing the handling of their clients’ personal information. Between 2021 and 2022, newer guidelines were created by the FTC asking the board of directors to be accountable and answerable for security.
HSA, FISMA and CISPA
The Homeland Security Act (HSA) of 2002 for securing the national security of the United States and its borders included the Federal Information Security Management Act (FISMA). FISMA is for all US government agencies to safeguard their systems and data.
Among the earlier cyber laws in the United States of America, the Department of Defense released the Cyber Intelligence Sharing and Protection Act (CISPA) 2011. The CISPA was formed by making specific amendments to the National Security Act of 1947.
CISPA instituted the Cybersecurity National Security Action Plan the Cyber Intelligence Sharing and Protection Act. These US cybersecurity regulations and others focused on threat intelligence sharing with the private sector.
Procedures were outlined with criteria for sharing security and threat information between federal departments and agencies.
Collaborative Efforts Between Government Organizations for Cybersecurity
A cybersecurity regulation may pass through several stages to be passed into law besides garnering votes and negation from involved departments, organizations, and people. Cybersecurity regulations impose fines when policies are not followed up to set standards and hence are often considered costly by companies.
However, information security regulations cannot be based on the acceptance of a handful of individuals, organizations, and departments. This is why key government agencies propose, safeguard, enhance, and uphold US cybersecurity regulations with the power vested in them.
Some of the US government organizations working around cybersecurity and security
Federal Trade Commission
The Federal Trade Commission (FTC) is a government agency in the US that works toward consumer protection and enforcing consumer protection laws. The website of FTC states – “Every day we: Pursue strong and effective law enforcement against deceptive, unfair and anticompetitive business practices,” defining its mission.
“Develop policy and research tools through workshops conferences, and hearings,” the FTC website further adds.
Department of Homeland Security
The United States Department of Homeland Security (DHS) ensures public security. Among the list of incorporated agencies within the DHS includes the Federal Computer Response Center and the National Communications Systems.
These offices within the DHS are entrusted with the responsibility of maintaining national security, and communications among other duties.
Government Accountability Office
The U.S. Government Accountability Office (GAO) is tasked with auditing, and investigating for the United States Congress. The mission team – Information Technology and Cybersecurity (ITC) is part of the GAO.
The reports by GAO in the field of security and data protection have contributed to increased awareness and development of science and technology policies.
National Institute of Standards and Technology
The National Institute of Standards and Technology (NIST) agency is a part of the United States Department of Commerce. The team of NIST promotes innovation via physical science laboratory programs.
NIST is a non-regulatory agency that creates voluntary guidance however, do not draft laws or cybersecurity regulations.
The Cybersecurity Framework provided by NIST helped organizations handle threats and defend against online threats.
The Cybersecurity Maturity Model offered deep insights into compliance and help in assessing performance and zero trust architecture based on set parameters.
Cybersecurity and Infrastructure Security Agency
The Cybersecurity and Infrastructure Security Agency (CISA) is an agency of the US Department of Homeland Security with a prime focus on the nation’s cybersecurity. CISA records software vulnerabilities, cybercriminals, and cybercrimes to improve security posture across all levels of the US government.
CISA was established in 2018 and is a continuation of the National Protection and Programs Directorate (NPPD) that worked for national security defending threats to critical infrastructure.
These organizations collaborate and synchronize their efforts as needed, recognizing that no country is immune to cyber threats.
The Cyber Express contacted industry experts and veterans to find out more about the impact of collaboration for the sake of better cybersecurity.
In response to The Cyber Express, a spokesperson from the U.S. Embassy emphasized the nation’s dedication to partnering with allies and stakeholders to cultivate a secure, open, and dependable Internet environment.
This commitment aims to facilitate secure and inclusive online participation, ensure access to vital services and government information, uphold human rights, and stimulate economic progress.
“The United States is committed to working with allies and partners to promote an open, interoperable, secure, and reliable Internet in order to enable people to safely and openly engage online, reliably receive critical services and information from their governments, exercise their human rights and fundamental freedoms, and drive inclusive economic growth.”
“We were pleased to hold the Cyber Dialogue with India last September, during which we discussed ongoing cooperation in cybersecurity and cyber policy, including efforts to advance the framework for responsible state behavior in cyberspace and strengthen responses to cybercrime threats, including ransomware.”
Furthermore, the U.S. administration’s National Cybersecurity Strategy, introduced earlier this year, underscores the promotion of substantial changes, as emphasized by the spokesperson.
“The Biden Administration’s National Cybersecurity Strategy calls for two fundamental shifts:
- Calling for the digital ecosystem’s biggest, most capable, and best-positioned actors – be they in the public or private sectors – to assume a greater share of the burden for mitigating cyber risk; and
- A shift to realign incentives to favor long-term investments.”
An important facet of the U.S. approach is the urging of prioritizing trusted suppliers for 5G infrastructure and across the broader ICT ecosystem. This stance aims to fortify the security and integrity of critical technology networks.
The message by the US Embassy comes with a promise that a joint cybersecurity collaboration is the need of the hour with which the threat to privacy and data must be stopped.
Such malicious activities must be curbed with nations, organizations, governments, and people joining hands with one mission – to fight cybercrime. The history of cybersecurity shows that global collaboration and an evolution in regulations is the answer to deter threat actors.
Cybersecurity regulations and jointly working towards their effective application is a must to keep a watch on any happenings across the globe.
Cybersecurity regulations have been modified and will continue to be updated based on changing threat landscape.
Addressing the same, Chuck Brooks stated, “Common regulatory themes are now centered on cybersecurity awareness, threat detection and information sharing, resilience, and incident response.”
Chuck concluded with his analysis of how regulations are expected to transform in the near future. He said, “As the ecosystem grows and is further enabled by emerging technologies such as artificial intelligence, the need for government/industry collaboration will grow and strategies such as security by design, and zero trust will become bigger pillars for directing regulations and policies.”
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.