On the reaction front, the Cyber Response and Recovery Act has cleared committee and is now awaiting a full Senate vote.
Quoting Nextgov, “Key provisions in the legislation would allow the Homeland Security secretary to declare a significant incident and tap a Cyber Response and Recovery Fund—equipped with $20 million—to help pay for response and remediation efforts. The Homeland Security Department’s Cybersecurity and Infrastructure Security Agency would coordinate efforts.”
Chris Krebs, former director of CISA, believes the President’s Executive Order signed last week is a “dramatic game change.” “It dramatically increases security expectations of the software products that are sold to the federal government,” Krebs said, explaining that this would have a “cascading effect” for products sold to ordinary American customers.
In the UK, the Department for Digital, Culture, Media and Sport is making a call to managed service providers for input on tightening security in supply chains. The consultation period runs until July 11.
Why do we care?
$20 million doesn’t sound like much after the last round of stories, does it? I picture the Zamboni from the Austin Powers movies here – the changes coming from legislation are coming, but slowly. And at first glance, not well armed.
I’m all for a change here, because current behaviors aren’t making a dent. Until the incentives change, we’ll see more of the same. So IT services companies should be motivated to change the incentives, as they’re the ones who will feel the squeeze.