According to the Center for Strategic and International Studies, as of December 2021 more than 150 pieces of cybersecurity-related legislation were advancing through Congress. Analyzing all of them would be overly ambitious and unnecessary, so Bitwarden will focus on a few of them in upcoming blog posts.
There’s considerable momentum around the notion that personal security, privacy, and cybersecurity should become a key public policy focus. In his March article, MIT Tech Review’s Patrick Howell O’Neill cites the ‘specter of Russian hackers’ and an ‘over-reliance on voluntary cooperation from the private sector’ as motivating public officials to take stronger regulatory interest in consumer and business data security.
It’s one thing for officials to say ‘the time is now’ and quite another to back it up with proactive, practical legislation. In shedding light on the first of a few key bills, we’re focused on whether the authors achieve this goal and acknowledge the common-sense fundamentals: strong, unique passwords, multi-factor authentication (MFA), and basic password management.
In June 2021, Representatives Adam Kinzinger, Gus Bilirakis, Anna Eshoo, and Marc Veasey co-sponsored H.R. 4055, the American Cybersecurity Literacy Act. “It is the sense of Congress,” they wrote, “that the United States has a national security and economic interest in promoting cybersecurity literacy amongst the general public.” The bill directs that the “Assistant Secretary (Assistant Secretary of Commerce for Communications and Information) shall develop and conduct a cybersecurity literacy campaign to increase the knowledge and awareness of the American people of best practices to reduce cybersecurity risks.”
The bill goes on to spell out what the campaign should teach. Its strategies for educating the American people on how to mitigate and prevent malicious cyber activity include:
Learning how to identify phishing emails, phishing messages, and secure websites
Understanding the benefits of changing default passwords on hardware and software technology
Encouraging the use of cybersecurity tools, such as MFA, complex passwords, antivirus (AV) software, patching and updating software, and virtual private networks (VPNs)
Identifying devices that could create risks, such as tablets, laptops, smartphones, and internet-connected devices
Encouraging the regular review of mobile application permissions, declining unnecessary privilege requests, downloading applications only from trusted vendors or sources, and considering a product’s lifecycle and the manufacturer’s commitment to personal security
Identifying the risks of using public Wi-Fi
This bill is solid. Its scope and approach are laudable, and the recommendations it lays out are straightforward, practical, and comprehensive. There is, however, a notable miss. In its ‘cybersecurity tools’ section, the bill fails to include password managers in its list of consumer-friendly resources, and a password manager is a critical tool. It is the best way to securely and efficiently keep track of login information for the dozens of sites a consumer engages with. Most are free or low-cost. All reputable password managers use end-to-end encryption, so the vault is encrypted on the user’s device and the provider never sees the plaintext. They save consumers the headache of writing everything down, and, because they generate and remember a different random password for every site, they remove the reason people reuse passwords in the first place: a password leaked from one breached site can no longer be replayed against every other account.
While it’s heartening that the bill encourages MFA and complex passwords, both are far easier to adopt with a password manager. Complex passwords are only practical when something generates and remembers them, and a manager does exactly that.
The other factor to consider is the actual execution of the cybersecurity literacy program. As covered in the Bitwarden “State of Password Security” report, a number of federal agencies offer cybersecurity-related advice. Some of it is wise and accurate; some of it is dated, overly complex, and inconsistent from one agency to the next.
If the bill passes, responsibility for the campaign would fall to the Department of Commerce. In the State of Password Security report, the Department of Commerce was given a ‘Fair’ rating. Its website received points for linking to NIST guidelines, but the cybersecurity section is a thicket of links and PDFs rather than an easily digestible, consumer-friendly format. If the Department of Commerce is to take the lead here, it should start by overhauling its website and aligning its cybersecurity literacy objectives with those of other agencies.
Notably, last week the State Department launched a new cyberspace and digital policy bureau. According to the Washington Post, the bureau will “address the national security challenges, economic opportunities and implications for U.S. values associated with cyberspace, digital technologies and digital policy.” Given the attention and resources being put towards the new bureau, it seems like it would be a logical place to spearhead a campaign of this nature.
Have any cybersecurity-related bills in mind that you’re interested in seeing Bitwarden explore further? Give us a shout on Twitter.