Will the Colonial Pipeline Hack Spur Federal Cybersecurity and Data Privacy Action?
In many regions of the country this past weekend, it looked like the 1970s again. Drivers lined up to fill their tanks at gas stations all along the East Coast. Many pumps ran dry. But unlike the Carter era, it wasn’t an oil embargo that fueled this crisis.
A ransomware gang called DarkSide gained access to Colonial Pipeline's computer systems and encrypted them, which forced the company to shut down its 5,500-mile pipeline (the largest system for refined petroleum products in the country). The pipeline came back online after the company reportedly paid the attackers millions of dollars in ransom, but some consumers are still having trouble finding gas days after operations restarted.
From a policy perspective, the timing of the ransomware attack could hardly have been more pointed. U.S. lawmakers are considering a massive, once-in-a-generation infrastructure bill to fund pipelines, the electricity grid, broadband, and 5G. Given this most recent hack, will new cybersecurity and data security measures move along with it to secure the country's infrastructure? What are the chances that Congress will pass major cybersecurity or data privacy legislation this year?
At the moment, they are slim.
Because of longstanding ideological disputes on Capitol Hill, states are still likely to find themselves taking the lead on this issue, with the White House doing what it can to shore up federal defenses.
White House Issues Executive Order
On May 12, in the middle of the Colonial Pipeline crisis, the White House issued an executive order (Executive Order 14028, "Improving the Nation's Cybersecurity") that outlines several steps to improve the nation's cybersecurity defenses. (The order had been in the works before the Colonial crisis hit.) These steps include:
Requiring information technology (IT) service providers that do business with the federal government to report cybersecurity breaches that could affect government networks;
Removing contractual barriers that could prevent those providers from flagging breaches;
Creating a playbook that outlines federal responses to cyber incidents;
Upgrading federal secure cloud services and other cyber infrastructure;
Mandating that federal agencies deploy multifactor authentication and encryption for data at rest and in transit within a set deadline (180 days from the order);
Improving the security of software sold to the government, including software supply-chain standards and a software bill of materials (SBOM) for products purchased by federal agencies;
Establishing a Cyber Safety Review Board, made up of public- and private-sector officials, that will convene after significant cyber incidents to review them and make recommendations; and
Improving information sharing within the federal government.
The White House stressed the private sector’s role in preventing cyberattacks. The order said, “The private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace.”
While this executive order makes incremental improvements to U.S. cybersecurity policy, an executive order can directly bind only federal agencies and their contractors; it is Congress that has the power to take more meaningful action on this issue, including for privately owned critical infrastructure such as Colonial.
Congress Could Come Together on Limited Cyber Measures
Indeed, even the White House’s executive order argued, “Incremental improvements will not give us the security we need; instead, the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin” American life.
That's political speak for "Congress must act." The question is: will the Colonial Pipeline hack finally break the partisan logjam that has been preventing passage of data security legislation?
It has only been a week since the crisis, but so far it does not seem so, although Congress might take some small steps to improve America's cybersecurity posture for critical infrastructure.
According to Politico, "The Colonial Pipeline cyberattack … is spurring new efforts in Congress to require critical companies to tell the government when they've been hacked." The outlet noted, "Even leading Republicans are expressing support for regulations after this week's chaos — a sharp change from past high-profile efforts that failed due to GOP opposition."
Democratic and GOP lawmakers told Politico “they are crafting legislation to mandate cyberattack reporting by critical infrastructure operators such as Colonial.”
Chris Krebs, former director of the Cybersecurity and Infrastructure Security Agency (CISA), said there is also room for new regulation from the executive branch. As The Washington Post reported, he recently told House lawmakers, "There are specific parts of the economy, highest risk critical infrastructures, that have enjoyed an enormous amount of success in the economy. And they have to step up from a corporate citizenship perspective and apply enhanced security requirements … And that's an area to explore for regulation."
Federal lawmakers' appetite for cybersecurity legislation does not, however, mean the two parties have abandoned their ideological stances on the broader issue of data security and privacy.
The Status of Federal Data Security Legislation
To recap: Democrats favor data security and privacy legislation that would give states primacy on this matter while Republicans want a uniform federal standard.
If that seems to be the reverse of where the two parties usually come down on questions of federal control, that is because it is. Democrats want to let states have their way so that whatever standard Congress creates does not set off a race to the bottom, in which states that have already enacted strong consumer protections, as California has, would see them undone. Republicans (and many business trade associations) oppose California's legislation and would prefer something less interventionist and more consistent across the country.
Legislation that preempts state regulation could undo the Golden State's law in one fell swoop, which is why Democrats do not want a preemptive federal standard.
The best chance for federal data security and privacy legislation this year may be Rep. Suzan DelBene's (D-WA) Information Transparency and Personal Data Control Act, which the congresswoman introduced in March. The legislation would require businesses and websites to get users' permission before sharing personal data and would give users the ability to opt out of personal data collection, use, and sharing. Companies that collect data would have to tell users whether and why their information is being shared, and businesses and websites would have to provide "plain language" privacy policies.
Rep. DelBene told Vox in March that she was hopeful she could convince at least one Republican to cosponsor the legislation, especially since she agrees with GOP lawmakers that a "federal privacy law must be preemptive."
How is the congresswoman doing in that endeavor? Rep. DelBene's bill has 18 cosponsors, but not one is a Republican. To proceed in the Senate, the legislation would need the 60 votes required to overcome a filibuster, which means at least 10 GOP senators (20% of all Republicans in that chamber) would have to support it even if every Democrat did. Given the scope and impact of the Colonial Pipeline hack, lawmakers could change their minds in the coming days, but at this writing, broad bipartisan support for Rep. DelBene's bill still does not exist.
Former congressional staffer Dan Clarke nailed the current state of play in Congress on this issue when he recently told TechRepublic, "My experience was that Democrats and Republicans were very far apart in what they wanted. It wasn't 'do you want a privacy law?' It was one step underneath that. Is there a private right of action and who enforces it? Is it the FTC? Is it a new agency? Is it pre-emptive?"
What Are States Doing about Data Security and Cybersecurity?
While federal lawmakers are having trouble coming together, the states are taking matters into their own hands. According to the International Association of Privacy Professionals (IAPP), "State-level momentum for comprehensive privacy bills is at an all-time high."
Lawyers from the firm Husch Blackwell are also tracking state legislation. By their latest count, lawmakers have introduced comprehensive privacy bills in 26 states: Alabama, Alaska, Arizona, Colorado, Connecticut, Florida, Illinois, Kentucky, Maryland, Massachusetts, Minnesota, Mississippi, Nevada, New Jersey, New York, North Carolina, North Dakota, Oklahoma, Pennsylvania, Rhode Island, South Carolina, Texas, Utah, Vermont, Washington, and West Virginia.
As of May 10, 2021, two states, California and Virginia, have enacted comprehensive data security and privacy laws. In two other states, Louisiana and Hawaii, task forces are working to examine and recommend laws and regulations for internet privacy; the collection, transmission, processing, protection, storage, and sale of personal data; hacking; data breaches; and other issues. According to IAPP, ten states are still actively considering data privacy legislation this session.
Separately, according to the National Conference of State Legislatures (NCSL), at least 44 states have introduced more than 250 bills or resolutions that deal with cybersecurity, up from 38 states in 2020. States are considering efforts to:
Require government agencies to implement cybersecurity training, set up and follow formal security policies, standards and practices, and plan for and test how to respond to security incidents;
Regulate cybersecurity within the insurance industry or address cybersecurity insurance;
Create task forces, councils or commissions to study or advise on cybersecurity issues; and
Support programs or incentives for cybersecurity training and education.
Cyber and Infrastructure
Three weeks ago, well before the Colonial Pipeline crisis, Hawaii Gov. David Ige told members of the House Homeland Security Committee that any infrastructure package Congress passes should include funding for cybersecurity. In remarks after the House hearing, Ige also said, “I think the real threat to the American way of life is that no business is really prepared to deal with nation-state actors. The cyber terrorists from out of country have access to the networks in our country. The weakest link in the network is where those bad actors will enter the network and wreak havoc.”
While Gov. Ige’s comments were prescient, it does not seem as though Congress will heed his call in the foreseeable future.