Senate Approves Cybersecurity Bill Despite Flaws

28 Oct 2015

Senate Approves Controversial Cyber-Security Bill.

WASHINGTON — After four years of false starts and strife over privacy protections, the Senate passed legislation Tuesday that would help companies battle a daily onslaught of cyberattacks. The controversial information-sharing bill is one that detractors argue is too vague and could put Web users’ personal information in the hands of the FBI and the NSA. Its differences with a similar House bill must now be reconciled in conference before the measure is sent to President Obama, who has indicated he will sign it.

But there is only one problem: In the years that Congress was debating it, computer attackers have grown so much more sophisticated — in many cases, backed by state sponsors from Shanghai to Tehran — that the central feature of the legislation, agreements allowing companies and the government to share information, seems almost quaint. To many in the trenches of daily computer combat, it is a little like the cavalry’s insistence in the 1930s on sticking to horses, rather than investing in mechanized divisions.

Richard Burr, a North Carolina Republican and chairman of the Senate Select Committee on Intelligence, says the Cybersecurity Information Sharing Act (CISA) “helps protect personal privacy, by taking steps to stop future cyber-attacks before they happen, not after Americans’ personal, financial, and private information is stolen by foreign agents and criminal gangs.” “This legislation creates a cybersecurity information sharing environment that allows participants to get a better understanding of the current cybersecurity threats that may be used against them,” he continued.

The Electronic Frontier Foundation (EFF) shares the detractors’ concerns. “The bill now moves to a conference committee despite its inability to address problems that caused recent highly publicized computer data breaches, like unencrypted files, poor computer architecture, un-updated servers, and employees (or contractors) clicking malware links,” the group said. The bill would not have stopped the Chinese from cleaning out security records on 22 million Americans from the Office of Personnel Management, which failed to put in place the same basic computer-hygiene practices that the federal government urges companies and individuals to practice.

Indeed, the Senate legislation faces more legal wrangling at a House-Senate conference at which conferees must reconcile the Senate bill with two similar, albeit slightly different, bills passed by the House last April: the Protecting Cyber Networks Act, or P.C.N.A., and the National Cybersecurity Protection Advancement Act, or N.C.P.A.A., which were eventually combined. Lawmakers face a slew of criticism from stakeholders and privacy advocates, who worry that the legislation could provide a new conduit for government surveillance and that its liability protections could discourage companies from investing in better cybersecurity defenses. The bill “risks turning the cybersecurity program it creates into a backdoor wiretap by authorizing sharing and use of cyberthreat indicators for a broad array of law enforcement purposes that have nothing to do with cybersecurity,” Greg Nojeim, a senior counsel at the Center for Democracy and Technology, wrote in a blog post. The Computer and Communications Industry Association trade group, which represents Google and Facebook among others, wrote an open letter earlier this month saying the bill does not “sufficiently protect users’ privacy” and complaining that the bill may even “cause collateral harm to the systems of innocent third parties.” The bill authorizes controversial “countermeasures” — retaliatory actions by companies, or security firms, aimed at disrupting or disabling the computers of adversaries.

But critics argue that such measures could backfire, notably because attackers tend to route attacks through other victims’ computers, and because they may provoke a foreign government to respond if its machines are disabled or attacked by American companies. The deeper problem is that the most sophisticated attackers have already adapted to the kind of indicator sharing the bill relies on. “I think the fruits of detecting signatures and patterns of broad attacks are already picked,” said Jonathan Zittrain, who directs the Berkman Center for Internet and Society at Harvard. “The biggest threats,” he said, are far more customized, “with elements of social engineering or betrayal of an employee with access to data or code.” In fact, the list of tasks that most cybersecurity experts describe as important to deterring attacks is largely missing from the bill. A 2012 cybersecurity bill, which would have required that companies meet certain standards in exchange for immunity from lawsuits, failed to pass after the United States Chamber of Commerce argued that the regulations would be too onerous on companies. As it turned out, even as the Chamber lobbied against strict cybersecurity standards, it was itself the victim of a sophisticated attack by Chinese hackers that infiltrated 300 of the Chamber’s machines, including an office printer and a thermostat in a corporate apartment.
