House Repubs Call For More Cyber Regulation of Federal Contractors
The Chair of the House Oversight Committee’s cybersecurity subpanel says the bill, titled the Federal Cybersecurity Vulnerability Reduction Act, would play a crucial role in protecting the nation’s digital infrastructure.
The bill doesn’t actually require federal contractors to improve their security. Instead, it would require all federal contractors, potentially even one-person companies, to set up and maintain a formal, documented vulnerability disclosure program.
I assume this is an unfunded mandate on government contractors, which will make it more expensive to do business with the government. Likely this will cause even more small businesses to leave the government contracting space, allowing the mega government contractors to have even more of a monopoly than they already do. That costs the government even more money, as the big companies typically charge higher prices due to the overhead of complying with regulations.
This is just a bill at this point, but if the government is serious about this, then the government should set up and manage the program at the government’s cost and let companies use that program for free or for a nominal cost.
But that is not the way the government works.
The objective is to fix bugs before attackers can use them, but this bill does not require companies to fix the bugs; it only requires a program that allows researchers to report them.
A disclosure program, strictly speaking, only has to give researchers a documented way to report a bug and get a response. Many programs go further and pay a bounty for valid reports and give researchers credit, but where does that money come from? The average bounty paid for reported bugs was $3,000 in 2022. Multiply that by the number of bugs reported.
Also consider the labor required on the company’s side to triage bug reports, reproduce them, and respond to the researchers. Not simple. Not cheap.
If the bill exempts small companies, which at one level makes sense, then breaches like the Target breach would still happen, since the attackers’ foothold in that breach was a very small HVAC contractor whose credentials had been stolen.
Good idea, but more complex than it looks. Credit: The Record