- President Donald Trump signed the NIST Small Business Cybersecurity Act into law Tuesday, an amendment to the National Institute of Standards and Technology Act that provides an avenue of resources for small businesses to reduce cybersecurity risk. The bill has been in the works since March 2017, and a reconciled version was passed August 1.
- The bill mandates the Commerce Department's NIST to publish technology-neutral resources for small businesses that are also based on international standards, consistent with national cybersecurity programs and scalable to various business sizes and data sensitivities.
- The president also reportedly walked back restrictions set by an Obama-era directive on the deployment of U.S. cyberweapons against opponents in a separate order Wednesday, according to The Wall Street Journal. The 2012 directive had called for an intricate interagency process before carrying out a cyberattack, especially against foreign adversaries. The administration's replacement framework remains unknown.
Recent attacks on critical infrastructure by foreign actors threw the cybersecurity discourse back into prominence.
The new bill directs the director of NIST to issue resources to "help small business concerns identify, assess, manage, and reduce their cybersecurity risks," within one year. Verisign and IBM lobbied on the bill.
Fewer resources and weaker defenses can make small and mid-size businesses easier targets for hackers. Efforts to mitigate the high costs and barriers to entry in implementing security and recovery programs can protect against the high economic cost of breaches.
But many businesses neglect seeking out cybersecurity solutions because of a lack of understanding, and the act does not specify how to engage with small businesses to change course and seek out NIST resources, according to Francis Dinha, CEO and cofounder of OpenVPN, in a statement provided to CIO Dive. Just making guidelines won't be enough if businesses aren't more actively engaged.
"This new act is a great move in the right direction," Dinha said. "But while I'm glad to see the government taking steps to protect small businesses, I will be curious to see how this plan is carried out. Many small businesses neglect cyber security because they aren't aware and don't understand the risks — so they don't seek out solutions."
The administration set aside billions for IT and cybersecurity earlier this year, including $1 billion for the Department of Homeland Security to coordinate action between levels of government and the private sector. But it also cut the national cybersecurity coordinator position in May, contributing to an exodus of cyber talent from the administration.
The Department of Homeland Security has renewed efforts to work with industry on cybersecurity with the recently launched National Risk Management Center and a national cybersecurity summit. A "collective defense" strategy is critical for real-time data sharing and action as digital interdependence deepens, according to DHS Secretary Kirstjen Nielsen.
Although cybersecurity has remained a top priority in the DNI's Worldwide Threat Assessment report for several years, many experts fear the U.S. is losing the cyberwar as a machine learning arms race heats up between defenders and hackers.
Deeper ties between public, private and academic spheres are critical to pool resources and intelligence. If big tech alone shared its data on cyberattacks, it would have a set greater than any malicious actor, said Jason Matheny, director of Intelligence Advanced Research Projects Activity at the Office of the Director of National Intelligence.