US cybersecurity bill wades into difficult waters of privacy
The US Senate is close to a vote on a cybersecurity bill that members of both parties and major corporations have backed, but significant concerns over privacy and its effectiveness in combating attacks remain.
When it was revealed that data on more than 21 million government employees was hacked from the US Office of Personnel Management (OPM) in June, passing a law addressing cybersecurity quickly moved up the Senate’s priority list.
With the OPM data breach just another major hack in a long list that includes attacks against Sony, Home Depot, eBay, and Target, it seems puzzling that Congress has not been able to enact a major overhaul of how the country deals with this major threat to the public and private sectors.
The Senate is now considering and planning to vote on the Cybersecurity Information Sharing Act (CISA), which already passed the House of Representatives in April. Originally introduced by Democratic Senator Dianne Feinstein in 2014, the bill has been stalled by concerns over privacy and the Iran deal taking priority.
An October vote on the bill now looks realistic, along with the introduction of up to 22 amendments to address privacy concerns.
Information sharing & legal immunity
Despite the drama surrounding CISA, the bill’s content is relatively simple and straightforward. The bill would clear up the legal uncertainties clouding private companies’ ability to quickly share data related to a hack with the federal government, including information detailed enough to identify individuals. Currently, companies could be exposed to lawsuits for giving data to the federal government without express permission.
Handing this data over to federal agents, from one of several agencies, including the Department of Defense, is meant to help coordinate against and prevent cyberattacks on multiple entities. In addition, it should put the evidence in the hands of the most experienced experts in cybersecurity.
Companies and a wide range of industries have come out in support of the provisions at the core of CISA, including financial services trade groups, utility companies, and tech companies from Apple to Oracle.
In the event of a major hack, these companies will already be liable for significant spending to counteract it, replace systems, and reimburse customers, and are seeking to prevent additional liabilities from lawsuits stemming from information sharing.
Questions over privacy and bureaucratic territory
Privacy advocates have loudly objected to CISA for giving immunity to companies handing over vast amounts of personal data to the federal government without permission.
Two of the Senate’s top digital privacy advocates, Sens. Ron Wyden (D-OR) and Al Franken (D-MN), have submitted amendments to limit the events that qualify companies for legal immunity when sharing information and to reduce the ability of government agencies to share personally identifiable information among themselves. Senator Rand Paul has also submitted an amendment, but it will not be among the twenty-two that Senate leaders will bring to the floor.
On the other hand, the Department of Homeland Security has raised questions over the bill because it allows other agencies to collect this data, potentially diminishing DHS’s current role. Deputy DHS Secretary Alejandro Mayorkas has also expressed concern over privacy issues under the current version of the legislation.
Pragmatically, there is a case to be made for keeping the authority to coordinate prevention of and response to major attacks with one agency. More cynically, DHS is unlikely to willingly cede ground to other agencies. With its National Cybersecurity and Communications Integration Center already in place with a similar mission, DHS and the Obama Administration seem keen to keep this kind of information sharing restricted to non-military areas of government.
Alongside these formidable opponents stands the digital rights group Electronic Frontier Foundation (EFF), formidable in its own right. The EFF has fervently fought past provisions that would enable the federal government to acquire and retain private data, leading the successful campaigns to kill the Stop Online Piracy Act (SOPA) and PROTECT IP Act (PIPA) in 2011 and 2012.
The organization’s ability to mobilize the internet community against bills that would have otherwise easily moved through Congress makes it the third leg of an imposing opposition to the bill.
How powerful would CISA be?
For being a hallmark cybersecurity bill, there is relatively little substance to CISA. More than anything, it is a waiver for private companies to give customer data to the federal government without exposing themselves to lawsuits.
Getting this data into the hands of national cybersecurity officials is useful for several reasons, the main appeal being the ability to determine and examine the methods used in cyberattacks. Beyond laying a general foundation on which a more comprehensive and coordinated effort against cyberattacks could potentially be built, there is little substance.
Cybersecurity experts, both in private industry and academia, point out that most cyberattacks are not the work of brilliant code executed by masterminds: most attacks target known, defensible weaknesses.
Unfortunately, coordinating the private sector to act on these known weaknesses is both necessary and difficult. Industry standards are still undefined, and CISA does not address this. At best, it is a precursor to these standards, letting authorities see how more attacks are conducted.
The debate over cybersecurity paints a breathless Hollywood picture of cyberattacks on Western targets by evil masterminds and Bond villains, but most attacks are preventable. They target weaknesses already known to officials and companies.
A more productive way to manage the risks created by these attacks would be to build a set of regulations that incentivizes companies to proactively invest in the resources to remove known vulnerabilities, instead of simply removing corporate liability for sharing information.
As it stands now, it appears that the bill is on track to pass once it gets to the Senate floor. Allowing Sens. Wyden and Franken to put up their amendments, which have reasonable chances of being adopted, should alleviate the major opposition voices within the body enough for the bipartisan bill to move forward. The wild card is whether the EFF can mobilize the public against the bill, a tactic that has derailed similar legislation in the recent past.
While passing a bill with as much fanfare as CISA will seem like the crowning achievement of the effort to improve cybersecurity, CISA is at best just the start. At worst, it does very little while compromising privacy. Either way, the political risks created by cyberattacks are alive and well, and begging to be addressed in a systematic way.