The US Senate Commerce Committee recently advanced a bill, titled the MAIN STREET Cybersecurity Act of 2017 (the Bill), under which the National Institute of Standards and Technology (NIST) would disseminate “clear and concise resources for small business concerns to help reduce their cybersecurity risks.” Given that small businesses constitute a substantial portion of the economy, that cyberattacks can ruin small businesses and spill over into related parties and critical infrastructure, and that small businesses often have limited cybersecurity budgets and expertise, NIST would be charged with bringing Silicon Valley to Main Street.
Under the Cybersecurity Enhancement Act of 2014 (the Act), NIST’s expanded responsibilities include facilitating and supporting a voluntary public-private partnership to strengthen cybersecurity research, development, education, readiness, and implementation. In furtherance of its mission, NIST has developed and published numerous resources, including risk-based cybersecurity and privacy frameworks, as we discussed in a prior post. Although NIST has produced abundant research regarding cybersecurity issues, the Bill recognizes that needs and capabilities vary.
The Bill would amend the Act to specifically require NIST to consider the circumstances of small businesses and to circulate simple, apt guidance—like basic controls—to help small businesses defend against common cybersecurity risks. For added flexibility, the recommended measures would be technology neutral and commercially accessible. The Bill calls on NIST to coordinate its efforts with other federal agencies to ensure that the message, regardless of form or source, is “consistent, clear, and concise” and reaches this vital target audience.
At bottom, this new directive would fulfill the typical small business request: “Tell me what I need to know.” Although the Bill is an important step toward filling cybersecurity cracks in and around Main Street, the voluntary nature of the NIST guidance raises the question of whether small businesses will widely and effectively adopt cybersecurity measures. One possibility is that counterparties and insurers will leverage certain NIST recommendations as minimum standards for small businesses to meet. The driving force, though, could be consumers demanding adequate protection of their payment and other sensitive information—even the “buy local” movement has its limits. Luckily for local shopkeepers, cloud services are rapidly alleviating cybersecurity concerns and leveling the playing field—maybe small businesses aren’t that different after all.