Making Cybersecurity a Top Priority in Congress

By Congressman Dan Lipinski

Small businesses are the backbone of the American economy and employ almost half of the working population. Yet because of their size, they rarely have access to the same information security resources as large firms. Without significant IT departments or dedicated information security personnel, they may be more at risk of cyberattacks than large enterprises. According to data released last month, 53 percent of American businesses of all sizes suffered a cyberattack in the past year, and of those, 72 percent spent more than $5,000 to investigate and recover. A 2016 report found that 42 percent of small businesses suffered a cyberattack of some kind. These incidents not only hurt individual small business owners, employees and customers, they also hurt American competitiveness.

The National Institute of Standards and Technology (NIST) has developed valuable guidance to aid businesses in securing their networks, including the Cybersecurity Framework for Critical Infrastructure and the Small Business Information Security guide. But many small businesses don’t have the time or resources to figure out how to adapt these guidelines to their needs and implement them. They need more help. So as ranking member of the Research and Technology Subcommittee of the House Science, Space, and Technology Committee, I worked with Rep. Daniel Webster (R-Fla.) to introduce H.R. 2105, the NIST Small Business Cybersecurity Act. This bill directs NIST to create clear guidelines, tools, best practices and methodologies specifically for small businesses. It also emphasizes off-the-shelf solutions so that businesses can protect their networked resources better and more cheaply.

In my district in the Southwest suburbs of Chicago, there is a fourth-generation family manufacturing business that has suffered multiple sophisticated phishing attacks. Employees have received legitimate-looking emails containing alleged links to purchase orders or meeting agendas that actually connect to harmful sites. Although the employees are trained in basic information security practices, when attackers are persistent enough they eventually catch someone who has let their guard down. The few times the company has fallen victim to these attacks, the costs have been significant. The owners have told me that they would welcome guidance on affordable, off-the-shelf resources to strengthen their cyber defenses so the company can focus more on business. This is a story repeated all across the country.

Government plays an important role in protecting U.S. businesses from cyberattacks. When threat actors can be nation-states or criminals operating with impunity from their governments, it is important for the U.S. government to help domestic businesses defend themselves, just as it would in the case of a physical attack. The guidelines created under this bill, like the NIST Framework, will be voluntary, so we won’t be adding to the regulatory burden on small businesses. Instead, we will be offering them an opportunity to secure their networks so that they can compete on a level playing field.

In early October, the House passed the NIST Small Business Cybersecurity Act. Two weeks earlier the Senate passed a companion bill, S. 770, the MAIN STREET Cybersecurity Act, which was introduced by Sens. Brian Schatz (D-Hawaii) and Jim Risch (R-Idaho). I am hopeful that we can quickly move forward to reconcile the two versions so that it can be sent to the president for his signature.

It seems like every day we learn of more cyberattacks in our nation and around the world. In the United States, these attacks have the potential to do a lot of damage to individuals, businesses, or the whole country. That’s why it must be a top priority of Congress to put the necessary resources in place to help everyone prepare for and fend off future attacks.