Senate approves cybersecurity bill: what you need to know

President Obama, seen at a cybersecurity summit in Palo Alto, Calif., in February. The White House has called the Cybersecurity Information Sharing Act an

The latest clash in the cybersecurity vs. privacy debate played itself out in Congress on Tuesday when the Senate passed the Cybersecurity Information Sharing Act. Supporters say the bill, approved 74-21, will help stop hackers by getting companies that have been breached to share information about the embarrassing attack with federal law enforcement. The House passed its version in April.

But CISA is very controversial. While proponents call it common sense, critics say it’s just an excuse for intelligence officials to grab data on citizens without a warrant.

Before we get to the controversy, what is the bill supposed to do?

According to supporters, there’s a big problem: an information gap. When hackers hit a private company, that company is handcuffed or tongue-tied. It can’t readily tell people outside its legal walls what happened, what suspicious Internet — IP — addresses or malware code hit it. So other potential targets can’t defend themselves.

Supporters say CISA changes that by letting companies share “cyber threat indicators” with the Department of Homeland Security, which in turn can send out the red alert, share the code and warn others.

So that doesn’t happen right now?

Well actually, it does. There are existing initiatives, coordinated by Homeland Security and the National Institute of Standards and Technology, to share threat information. There are also subscription services in the private market.

"Over the period of five consecutive nights, excluding weekends, $100,000 a night had been taken out of our checking account, and we were down about $545,000." - Mark Patterson on his construction company PATCO's losses following its hacked email system. Patterson has since taken out cybercrime insurance to protect his company. (John Ydstie/NPR)

This bill creates a new pipeline. Homeland Security has to share the company’s report — which may include customers’ personally identifiable information — with the National Security Agency and other spy agencies.

The Senate bill is coming out of the Intelligence Committee, not the Commerce Committee. It had many amendments. One that failed Tuesday would have required the removal of personally identifiable information before a company shares information about threats.

Is privacy the main criticism?

Privacy is a huge issue. Tech giants, which have to rebuild trust with users following the Edward Snowden leaks, have come out against the bill for that reason.

Another concern is simply effectiveness — or ineffectiveness. There’s a technical problem. Many companies don’t realize they’ve been attacked, either because they’re not investing in services to identify breaches or because they’re not reading the data they’ve already collected. According to a breach report by Verizon, this lag in detection is “one of the primary challenges to the security industry.”

In this Sept. 24, 2015 file photo, Senate Intelligence Committee Chairman Sen. Richard Burr, R-N.C., right, and Committee Vice Chair Sen. Dianne Feinstein, D-Calif., listen as Director of the National Security Agency (NSA) Adm. Michael Rogers testifies on Capitol Hill in Washington. The Cybersecurity Information Sharing Act is co-sponsored by Feinstein and Burr, who said it was critical to limit increasingly high-profile cyberattacks, such as one suffered by Sony Pictures last year. (AP Photo/Pablo Martinez Monsivais, File)

Lawmakers could have focused on creating mandatory cybersecurity standards for companies, to encourage the firms to invest more in data security. A group of professors who teach cyber law and cybersecurity — and oppose CISA — say in a statement:

“Rather than encouraging companies to increase their own cybersecurity standards, CISA ignores that goal and offloads responsibility to a generalized public-private secret information sharing network. CISA creates new law in the wrong places.”

Does the bill require information-sharing?

No. Cooperation is voluntary. But there’s a nice incentive built in. Say a company shares too much about its users or customers. The bill eliminates legal liability, so the company can be shielded from private lawsuits and antitrust laws.

This isn’t the first time we’ve heard about an information-sharing bill to stop hackers. Another failed in 2012. What’s different?

CISA comes at a different time, politically.

Back when Democrats controlled the Senate, they blocked a bill with a similar acronym — CISPA (the Cyber Intelligence Sharing and Protection Act) — that had the same thrust. Now Republicans control the Senate.

And on President Obama’s watch, we’ve had megabreaches like Sony and the federal Office of Personnel Management. He feels pressure to do something. Five days ago, the White House came out in support of the latest bill, saying in a memo that it’s an “important building block.”

via NPR