Senator Sheldon Whitehouse (D-RI) and Senator Jon Kyl (R-AZ) have introduced legislation to pull back the veil of secrecy currently cloaking the extent of the cyber security threats faced by the nation.
Senator Whitehouse has been an outspoken critic of the government's tendency to release little or no information regarding cyber threats, as well as the private sector's desire to hide details of cyber transgressions from regulators and investors.
“The government keeps the damage we are sustaining from cyber attacks secret because it is classified. The private sector keeps the damage they are sustaining from cyber attacks secret so as not to look bad to customers, to regulators, and to investors. The net result of that is that the American public gets left in the dark,” Whitehouse had said last November.
The Cyber Security Public Awareness Act will require government agencies to increase the level of reporting concerning cyber threats, breaches of security, and other information deemed to be in the public's interest.
“The damage caused by malicious activity in cyberspace is enormous and unrelenting. Every year, cyber attacks inflict vast damage on our Nation’s consumers, businesses, and government agencies. This constant cyber assault has resulted in the theft of millions of Americans’ identities; exfiltration of billions of dollars of intellectual property; loss of countless American jobs; vulnerability of critical infrastructure to sabotage; and intrusions into sensitive government networks,” Senator Whitehouse said last week.
“These massive attacks have not received the attention they deserve. Instead, we as a nation remain woefully unaware of the risks that cyber attacks pose to our economy, our national security, and our privacy. This problem is caused in large part by the fact that cyber threat information ordinarily is classified when it is gathered by the government or held as proprietary when collected by a company that has been attacked. As a result, Americans do not have an appropriate sense of the threats that they face as individual Internet users, the damage inflicted on our businesses and the jobs they create, or the scale of the attacks undertaken by foreign agents against American interests,” Whitehouse continued.
The legislation would seek to build the necessary mechanisms to properly characterize cyber security incidents to determine what information can and should be released to the public.
The legislation could also be an important step in requiring mandatory reporting of information security events by the private sector.
“As of 2011, the level of public awareness of cyber security threats is unacceptably low. Only a tiny portion of relevant cyber security information is released to the public. Information about attacks on Federal Government systems is usually classified. Information about attacks on private systems is ordinarily kept confidential. Sufficient mechanisms do not exist to provide meaningful threat reports to the public in unclassified and anonymized form,” the legislation states.