A bipartisan group of legislators in the House and Senate last week introduced a bill in both chambers that directs the National Institute of Standards and Technology (NIST) to establish baseline voluntary cyber hygiene best practices for the private and public sectors and individuals.

The Promoting Good Cyber Hygiene Act (H.R. 3010, S. 1475) calls for NIST, working with the Federal Trade Commission and the Department of Homeland Security, to create a list “of simple, basic controls” for use against common cyber security threats, commercial off-the-shelf technologies that meet international standards, and that, to the degree possible, the list be consistent with the agency’s Cybersecurity Framework of voluntary standards and best practices.

“With cyber criminals growing bolder in their attacks, strengthening our cyber security infrastructure remains one of my top priorities in the Senate,” Sen. Orrin Hatch (R-Utah), chairman of the Senate Republican High Tech Task Force and one of the bill’s sponsors, said in a statement. “Cyber attacks threaten our economy and inflict untold damage on thousands of Americans. Fortunately, proper cyber hygiene can prevent many of these attacks.”

Sen. Ed Markey (D-Mass.) joined Hatch in introducing the bill in the Senate. In the House, the bill was introduced by Reps. Susan Brooks (R-Ind.) and Anna Eshoo (D-Calif.).

“As technology evolves and becomes even more integrated in our daily lives, the number of cyber attacks hurting Americans will only increase if action is not taken,” Brooks said in a statement. “Having strong passwords, regularly installing software updates, and establishing a set of online security best practices are the kind of cyber hygiene necessary to protect private and sensitive information.”

The legislators pointed to the recent WannaCry ransomware virus that afflicted millions of computers worldwide as the kind of attack that could have been prevented had users taken advantage of the fact that the known software vulnerability it exploited was patchable.

The proposed bill also directs NIST to update the list of best practices annually and for the list to be published in prominent spots on the websites of the FTC and Small Business Administration. It also calls for DHS to conduct a study on cyber security threats related to the Internet of Things and report the findings and recommendations to Congress within a year of enactment.