Rep. Anna Eshoo (D-Calif.) has introduced a "cyber hygiene" bill, H.R. 3010, which would require the National Institute of Standards and Technology to come up with cybersecurity best practices.
The goal is to better protect against attacks that Eshoo says cost the economy almost a half-trillion dollars a year. "The scary truth is that data security experts have suggested 90 percent of successful cyberattacks are due to system administrators overlooking two integral pillars of network security: cyber hygiene and security management," she said.
The Promoting Good Cyber Hygiene Act would "instruct the National Institute of Standards and Technology (NIST), in consultation with the Federal Trade Commission (FTC) and the Department of Homeland Security (DHS), to establish a baseline set of voluntary best practices for good cyber hygiene that are made available online. In addition, the bill instructs the agencies to consider the cyber hygiene benefits of standard cybersecurity measures such as multi-factor authentication and data loss prevention."
According to Eshoo, the bill would establish baseline voluntary practices, make sure they are reviewed and updated annually as needed, make the best practices available in plain English on a public website, and direct Homeland Security to study the threats to the Internet of Things.
The same bill has been introduced in the Senate by Sens. Orrin Hatch (R-Utah) and Ed Markey (D-Mass.).
The bill comes in the wake of a recent ransomware attack, as the government ponders best practices for connected car cybersecurity and the Internet of Things raises the prospect of internet-connected "everythings."
"The Internet of Things era could morph into the Internet of Threats era if appropriate cybersecurity safeguards are not put in place now to protect consumers," said Markey.
"We thank Congresswoman Eshoo, Senator Hatch and their colleagues for introducing legislation that would develop and publicize accessible cybersecurity best practices," said Public Knowledge cybersecurity policy director Megan Stifel. "In particular, we support the collaborative and transparent approach required by the bill, which provides for a notice and comment period in the development of the practices. This approach is similar to the approach used to develop the National Institute of Standards and Technology Cybersecurity Framework, which has become recognized as a cybersecurity risk management baseline across industries."