Cyber attackers pick on small businesses because they often lack the internal resources or technical knowledge needed to implement and maintain cybersecurity defenses. While there has been some movement by lawmakers to help small businesses build stronger cyber defenses, much more is needed.
To that end, the legislative pot to better support small businesses may be heating up. It took two years, but the House has managed to pass legislation to help smaller operations shore up their cyber flanks against escalating threats. The measure, which was first introduced in 2019 but failed, passed this time around by a vote of 423-0.
Legislators also passed a bill that would require counselors at small business development centers to be trained and certified in cybersecurity to better assist small businesses. It passed by 409-14. Both bills were also re-introduced in the Senate last May, and both call for involvement and oversight by the Small Business Administration (SBA).
Each measure could give managed security services providers (MSSPs) and managed service providers (MSPs) that support small businesses more opportunities for further engagement in security breach reporting and training assistance.
Small Business Cybersecurity Legislation: Potential Implications
The SBA Cyber Awareness Act would require the SBA to report to Congress a cybersecurity breach that involves confidential information and inform lawmakers of the agency's cyber capabilities. The Small Business Development Center Cyber Training Act would require small business development centers to have employees certified in cyber strategy counseling for small businesses.
Specifically, the SBA’s report to Congress must include details on:
- SBA’s cybersecurity infrastructure.
- SBA’s strategy to improve cybersecurity protections.
- Any equipment used by the SBA and manufactured by a company headquartered in China.
- Any incident of cyber risk at the SBA and the agency’s actions to confront it.
“Cyberattacks are one of the biggest threats to our economy and small businesses and way of life,” Rep. Jason Crow (D-CO) said ahead of the House vote. He and Young Kim (R-CA) co-sponsored the legislation. “This bill would ensure we are doing everything we can to protect the millions of small businesses that the SBA serves and prepare them for 21st century threats,” Crow said.
The cyber training bill, sponsored by Andrew Garbarino (R-NY), the ranking member on the House Homeland Security Committee cyber subcommittee, will help provide small businesses with the resources they need to create strong cyber defenses, he said. “Nearly 50 percent of cyberattacks are directed at small businesses, which can result in devastating financial, intellectual property, and reputational loss,” Garbarino said. “This bill combats this by helping Small Business Development Centers become better equipped to assist small businesses with their cybersecurity and cyber strategy needs.”
Although not directly referenced by either bill’s sponsors, the Kaseya VSA supply chain cyber attack, which hit some 50 MSPs in early July and spread to hundreds of small businesses, hopefully influenced lawmakers to pay more attention to strengthening their defenses.
Key U.S. Government Security and CISA Milestones
Along those lines, here are some other actions lawmakers and the Cybersecurity and Infrastructure Security Agency (CISA) have undertaken on behalf of MSPs and small businesses:
- In mid-July, in the wake of the Kaseya incident, CISA released a guidance document specifically designed to help MSPs and small businesses with their cyber defense strategies.
- In September, CISA named cybersecurity veteran Kiersten Todt as its new chief of staff. Among the potential benefits for MSPs and MSSPs: Todt has experience in the small business market where most organizations rely on service providers to shore up their cyber defenses.
- A year ago, House and Senate legislators proposed the Improving Cybersecurity of Small Organizations Act aimed at bumping up cybersecurity resources tailored for local governments, small businesses and nonprofit organizations.
Of note, the Small Business Cybersecurity Assistance Act of 2019 was among the many bills that sat unattended by the 116th Congress (2019-2020).