# Full Report
Source: CyberScoop, "National security risks in routers, modems targeted in bipartisan Senate bill." A separate piece of bipartisan Senate legislation would create a cyber insurance working group.
# Analysis Summary
# Regulation/Compliance: Proposed ROUTERS Act & Insure Cybersecurity Act Summary
## Overview
This summary covers details from two proposed bipartisan Senate bills: the **ROUTERS Act**, which mandates a study on the national security risks posed by communication devices (routers, modems) supplied by adversaries, and the **Insure Cybersecurity Act**, which mandates the creation of an NTIA-led working group to clarify and standardize cyber insurance information for consumers and issuers.
## Key Details (ROUTERS Act)
- Issuing Authority: U.S. Congress (Proposed legislation)
- Effective Date: Upon enactment into law.
- Jurisdiction: U.S. Federal/National scope concerning telecommunications infrastructure.
- Status: Proposed
## Key Details (Insure Cybersecurity Act)
- Issuing Authority: U.S. Congress (Proposed legislation)
- Effective Date: Upon enactment into law.
- Jurisdiction: U.S. Federal/National scope concerning cyber insurance market disclosures.
- Status: Proposed
## Requirements
### Mandatory Requirements (ROUTERS Act - Future Study Mandate)
1. **Study Commission:** The Commerce Department’s assistant secretary for communications and information (NTIA Administrator) must oversee a study on the national security risks posed by routers, modems, or combined devices designed, developed, manufactured, or supplied by persons "owned by, controlled by, or subject to the influence of a covered country" (defined as China, Russia, Iran, North Korea, Cuba, and Venezuela).
2. **Reporting:** The results of the study must be reported to the Senate Commerce, Science, and Transportation and House Energy and Commerce committees.
### Mandatory Requirements (Insure Cybersecurity Act - Working Group Mandate)
1. **Working Group Creation:** The NTIA Administrator must establish a dedicated working group focused on cyber insurance.
2. **Group Composition:** The working group must include representatives from CISA, NIST, FTC, the Treasury Department, the Justice Department, and at least one state insurance regulator with relevant experience.
3. **Public Resource Development:** The working group must develop and make public resources that prospective customers can easily understand regarding cyber insurance coverage.
4. **Analysis and Explanation:** The group must analyze and explain to the public technical jargon related to cyber insurance, how specific measures correlate with cyber incidents (like ransomware), and the constraints issuers face when covering large losses.
### Recommended Practices (Based on Contextual Warnings)
1. **Mitigation of Current Threats:** Organizations should heed the NSA/FBI/USCYBERCOM advisory regarding compromised SOHO routers linked to Chinese actors and implement immediate hardening or replacement strategies where necessary.
2. **Policy Review:** Organizations should review existing cyber insurance policies for ambiguity, particularly concerning coverage for large or complex cyber incidents.
## Affected Organizations
- Industries (ROUTERS Act): Telecommunications providers, ISPs, Small Office/Home Office (SOHO) technology manufacturers/suppliers, and any entity using or selling consumer routers/modems.
- Industries (Insure Act): Cyber Insurance issuers, agents, brokers, customers (especially small businesses).
- Organization Size: Small Office/Home Office (SOHO) is explicitly noted as a high-risk user group in related context.
- Geographic Scope: United States.
## Compliance Timeline (Based on Expected Study Passage)
- **TBD (Upon Enactment):** ROUTERS Act takes effect, study mandate becomes active.
- **T + 1 Year:** Deadline for the Assistant Secretary for Communications and Information (NTIA Administrator) to report the findings of the ROUTERS Act study to the relevant Congressional committees.
- **TBD (Upon Enactment):** Insure Cybersecurity Act takes effect, requiring the initiation of the cyber insurance working group.
## Implementation Guidance
### Assessment Phase (ROUTERS Relevance)
- **Supply Chain Review:** Organizations should begin preliminary assessments or inventories of network boundary devices (routers, modems) to identify potential manufacturers or suppliers linked to adversarial nations (pending final criteria from the study).
### Implementation Phase (Insure Act Relevance)
- **Stakeholder Engagement:** Prepare points of contact from IT/Security, Legal, Finance, and Risk Management to engage with the NTIA working group once formed.
- **Documentation Preparation:** Compile existing cyber insurance declarations and endorsements for review against the standards established by the working group.
### Validation Phase
- This legislation focuses on *studies* and *working groups* rather than direct compliance mandates on organizations at this stage. Validation against concrete requirements can only occur after subsequent rulemaking based on the study's findings and the working group's published resources.
## Technical Requirements
The current documents propose *studies* and *working groups* establishing future requirements, but **do not impose immediate technical controls.** The underlying threat (NSA Advisory) strongly implies necessary technical actions such as:
1. Router firmware patching or replacement.
2. Network segmentation to isolate SOHO devices.
3. Implementation of strong authentication and monitoring on network edge devices.
## Penalties & Enforcement
As both items are currently **Proposed Legislation**, specific penalties and enforcement mechanisms are not finalized. Enforcement in the context of the ROUTERS Act study would ultimately involve future rulemaking by the Commerce Department or oversight by Congress based on the study's findings.
## Related Standards
- **NIST:** Mentioned as a required participant in the Insure Cybersecurity Working Group, suggesting future alignment with NIST standards for risk management (e.g., CSF).
- **NSA/FBI/USCYBERCOM Advisories:** These existing advisories provide the technical backdrop justifying the necessity of the ROUTERS Act concerning SOHO device security.
## Resources
- Official Documentation:
- ROUTERS Act: [Link provided in context - defanged]
- Insure Cybersecurity Act: [Link provided in context - defanged]
- Guidance Documents: Context heavily references prior NSA/FBI/USCYBERCOM advisories concerning compromised SOHO router threats.
## Practical Recommendations
1. **Monitor Legislative Status:** Actively track the progress of both the ROUTERS Act and the Insure Cybersecurity Act through Congressional committees.
2. **Proactive Supply Chain Examination:** Begin efforts to map the origin/supply chain of critical network access equipment (routers/modems) used across operations, anticipating potential future restrictions on high-risk suppliers.
3. **Engage on Insurance Clarity:** Organizations concerned about cyber insurance clarity should prepare to participate in, or at least monitor, the NTIA working group once it is established, so they can apply its published resources to their own policy reviews as soon as they are available.