Senate, House Versions of Cyber Hygiene Bill Introduced

NIST, FTC, DHS would work together on security best practices

Rep. Anna Eshoo (D-Calif.) has introduced a "cyber hygiene" bill, H.R. 3010, which would require the National Institute of Standards and Technology to come up with cyber security best practices.

The goal is to better protect from attacks that Eshoo said cost the economy almost $500 billion dollars a year. The same bill has been introduced in the Senate by Sens. Orrin Hatch (R-Utah) and Ed Markey (D-Mass.).

"The scary truth is that data security experts have suggested 90 percent of successful cyberattacks are due to system administrators overlooking two integral pillars of network security: cyber hygiene and security management," Eshoo said.

The Promoting Good Cyber Hygiene Act would "instruct the National Institute of Standards and Technology (NIST), in consultation with the Federal Trade Commission (FTC) and the Department of Homeland Security (DHS), to establish a baseline set of voluntary best practices for good cyber hygiene that are made available online. In addition, the bill instructs the agencies to consider the cyber hygiene benefits of standard cybersecurity measures such as multi-factor authentication and data loss prevention."

Specifically, Eshoo said, the bill would require establishing baseline voluntary practices, ensuring they are reviewed and updated annually as needed and making them available in plain English on a public website, and would direct Homeland Security to study the threats to the Internet of Things.

The bill comes in the wake of a recent ransomware attack, as the government ponders best practices for connected car cybersecurity and the Internet of Things raises the prospect of Internet connected "everythings."

"The Internet of Things era could morph into the Internet of Threats era if appropriate cybersecurity safeguards are not put in place now to protect consumers," Markey said.

“We thank Congresswoman Eshoo, Senator Hatch and their colleagues for introducing legislation that would develop and publicize accessible cybersecurity best practices," said Public Knowledge cybersecurity policy director Megan Stifel. "In particular, we support the collaborative and transparent approach required by the bill, which provides for a notice and comment period in the development of the practices. This approach is similar to the approach used to develop the National Institute of Standards and Technology Cybersecurity Framework, which has become recognized as a cybersecurity risk management baseline across industries."