
Breaches and Breakdowns

Cybersecurity and electronic security breaches have routinely been in the headlines this year, even as cybersecurity legislation continues to stall on Capitol Hill. However, there is hope of the issue being seriously addressed this month, which also happens to be Cyber-Security Awareness Month. The leadership of the Senate Intelligence Committee has indicated that the Cybersecurity Information Sharing Act is set to come to the Senate floor for debate next week.
The proposal provides companies protection from anti-trust laws if they share information about cybersecurity threats with each other. The legislation also encourages the sharing of cyber-threat information between companies and government by protecting the companies from lawsuits by stockholders and customers. While this will not stop all attacks, it will provide for alerts to be sent when there is an attack so that others can take steps to protect themselves, hopefully resulting in fewer instances of consumer harm.
As became known earlier this year, a cyberattack against the federal Office of Personnel Management exposed the data of 21.5 million (and the fingerprints of 5.6 million) government workers, their family members and applicants for federal jobs. Hackers have also stolen data from the IRS about taxpayers, viewed sensitive information at the White House, and penetrated the State Department so egregiously that, according to reports, federal law enforcement officials familiar with the incident say the State Department email intrusion is the worst cyberattack they've seen against a federal agency.
Guarding that data from hackers is a challenge, but what government itself would do with newly shared data has led many to be wary. So the legislation was changed to make clear that federal law enforcement officials would not be able to use the data to investigate crimes unless it is related to cybersecurity. But even then, the government's poor track record of lax security and illegal snooping does not inspire confidence.
While many in the industry are doing all that they can to protect their infrastructure and their customers, they do need more freedom to be able to communicate with their competitors, with government, and others, without fear of government prosecution.
An appropriate solution would encourage good behavior by the private sector, including guarantees that citizens are protected from "Internet eavesdropping" and other privacy-destroying schemes that avoid legal oversight. An adequate solution would also include clear definitions of the threats and what efforts can be made to defeat those threats, and more essentially, a clear, thoughtful definition of "critical infrastructure." Constraining the granted power in such legislation is one means of exercising a measure of protection from the law becoming an instrument of tyranny.
Fundamentally, a strong partnership with the private sector and removing barriers to private sector solutions should be the goal rather than a new regulatory construct of bureaucracies and mandates, bogging down innovation and the ability to act and react, all guaranteed to further erode our liberties and still leave our security suspect.
Attempting to find ways to protect U.S. "critical infrastructure" from domestic or foreign cyberattacks is an urgent goal. A robust marketplace of ideas and experimentation to find the best security, free of government interference, is the surest way to build the layers of needed protection.