The Philippine Star

Shortcomings of cybersecurity bills


A series of brazen hacking attacks against companies like Sony Pictures, Target and Anthem have spurred lawmakers in Congress to propose cybersecurity legislation. These bills could help make American networks somewhat less vulnerable to hackers, but they would do so at a cost to the privacy of individuals.

Last month, the House passed two bills that aim to foster greater sharing of information about cybersecurity threats between businesses and the government. The Senate could vote on a similar measure before its Memorial Day recess. And the Obama administration has indicated support for such legislation, which suggests that some variation on the three bills could become law this year.

Legislators say their hope is to persuade companies and government agencies to exchange detailed information about how hackers are trying to steal secrets from their computer servers. This, they argue, could help businesses secure their systems while helping government identify the attackers. Under all three bills, in exchange for sharing information voluntarily, companies would receive immunity from lawsuits. The bills would also authorize businesses to take defensive steps to protect themselves from hackers.

But many public interest groups like the American Civil Liberties Union and the Center for Democracy and Technology are concerned that these bills could become a way for government agencies to increase surveillance on individuals. The bills would allow businesses to share data that include some personal information about customers, employees and Internet users. They would also allow government agencies like the National Security Agency and the Federal Bureau of Investigation to use that information in investigations that are not related to cybersecurity without having to obtain a search warrant as they are normally required to do.

In addition, the bills would allow businesses to defend themselves against hackers through software that could remotely disable or disrupt the computers or networks suspected of being behind the attack. But this kind of license could create big problems. The Obama administration, which supports other security efforts, has warned that authorizing companies to engage in such defensive measures could lead to more harm if the retaliation disables the wrong computers. This would certainly create tensions with foreign governments if their computers are mistakenly targeted by American businesses.

A broader failing of these bills is that they will not push corporations to make their computer systems more secure from hackers, something that is clearly needed given recent high-profile attacks. For one thing, giving companies immunity from lawsuits even when they fail to respond to credible threats reduces their incentive to invest in more secure systems.

A 2012 bill sponsored by former Senator Joseph Lieberman, independent of Connecticut, and Senator Susan Collins, Republican of Maine, tried to address this problem by giving immunity only to companies that agreed to adopt new standards to reduce their digital vulnerabilities. Their bill did not pass because of opposition from the US Chamber of Commerce, which argued that the proposal would be too burdensome for corporations.

When cybersecurity legislation comes to the Senate floor, lawmakers should fix the shortcomings of these bills.
