What Congress Can Do About Cybersecurity If CISA Fails

Lawmakers have focused almost exclusively on information-sharing to boost cybersecurity after a series of high-profile government data breaches.

Web servers are lined up inside a Facebook data center in Prineville, Oregon.
Bloomberg AFP/Getty
Sept. 7, 2015, 8 p.m.

As senators return from recess to a heaping plate of legislative priorities, a cybersecurity information-sharing bill that stalled earlier this summer is competing for lawmakers’ attention with debates over the president’s nuclear deal with Iran and the looming budget deadline.

The Cybersecurity Information Sharing Act, along with the 22 amendments that will also get a vote when the bill comes up, is the Senate’s main push this session for a bill to address cybersecurity shortcomings in both the government and the private sector. Two similar bills have already passed the House.

Opponents of CISA—tech experts, privacy advocates, and pro-privacy lawmakers—have fought to delay the bill and would rather see it dropped completely. But if CISA does get buried under the Senate’s packed schedule, experts say there are alternatives for lawmakers looking for ways to improve cybersecurity through legislation.

“There are a bunch of other things they could be looking at, some of which are very noncontroversial, don’t involve privacy risks, and could be low-hanging fruit,” said Jake Laperruque, a program fellow at New America’s Open Technology Institute.

After hackers infiltrated computer systems at the White House, the State Department, the Pentagon, and the Office of Personnel Management—all within the last year—Congress began moving toward a cybersecurity fix with more urgency.

The push for CISA has come in large part from the business community, which has a lot to gain from the liability protections built into the bill. “The Protecting America’s Cyber Networks Coalition strongly believes that CISA is the only game in town on cybersecurity legislation,” said Matthew Eggers, senior director of national security programs at the U.S. Chamber of Commerce, referring to a coalition of nearly 50 tech associations. “No cyber bill comes close to capturing both the support of virtually every economic sector and the White House.”

But privacy advocates say lawmakers’ near-exclusive focus on information-sharing was premature.

“In the rush to act, Congress lost sight of all the other solutions,” said Drew Mitnick, policy counsel at Access, a digital human-rights organization.

Here are three alternatives to information-sharing that experts have floated.

Incentives for vulnerability buybacks

When a security researcher or a malicious hacker discovers a vulnerability in a company’s software or hardware—whether it’s a website, a sensitive database, or critical infrastructure—he or she must decide what to do with the information. Security researchers will often go straight to the companies to notify them of the vulnerability. Some companies are receptive to hearing about their security shortfalls; others are much slower to respond.

But a hacker who is less interested in the company’s well-being will likely take a more profitable route, turning to the shadier corners of the Internet to pawn off the vulnerability.

One way companies can keep bugs and vulnerabilities from appearing on online black and gray markets is by offering to buy them from the people who discover them. Some companies already have buyback, or “bug bounty,” programs. A number of tech companies offer upward of tens of thousands of dollars for vulnerabilities; United Airlines recently became the first airline to introduce a buyback program, announcing bounties of up to 1 million frequent-flier miles for bugs in its websites and apps. But it specifically excluded from the bounty program research on vulnerabilities in critical infrastructure, like the actual airplanes United flies.

Tech experts say the government could incentivize buyback programs by offering the private sector grants or tax write-offs for the purchases. “If a company wants to pay to get a vulnerability off the black market or the gray market, then we’re going to help them do that and encourage them to do that,” said Laperruque.

Clarifications of anti-hacking laws

Another way to encourage the security research that makes the private sector safer is by clarifying and trimming down anti-hacking laws like the Computer Fraud and Abuse Act, tech activists say.

That law is used to prosecute hackers who make their way into protected computer systems, but privacy advocates have long criticized the law for being overly broad and discouraging legitimate security research.

Lawmakers have tried in the past to cut the law down to size, with bills like Aaron’s Law—named after a security researcher who took his own life after being charged with data theft—which would clarify when research on vulnerabilities in public and private systems is lawful.

“Improving the law so that security experts can actually conduct research without fearing prosecution” would be a boon to cybersecurity, Mitnick said.

One proposed amendment to CISA, put forward by Sen. Sheldon Whitehouse, would alter the computer-hacking law, but privacy advocates are worried that the change would make security research more difficult rather than easier.

An end to government “stigmatization” of encryption

FBI Director James Comey has recently waged a public-relations war on tech companies’ encryption practices, railing against end-to-end encryption in speeches and committee hearings.

Comey argues that strong, nearly inaccessible encryption is a threat to national security because it leaves law enforcement blind to the communications of potential terrorists and criminals. He has asked tech companies to build in a way to decode encrypted communication that companies could use when asked by law enforcement. Experts have warned against built-in vulnerabilities, cautioning that intrepid hackers will always find ways to exploit them.

Some lawmakers have taken up the pro-encryption fight. Reps. Will Hurd and Ted Lieu, two computer scientists on the House Oversight Committee, sent a letter to Comey in June, condemning the FBI’s stance on the so-called “backdoors” that would allow law enforcement to access encrypted communication.

The conflict over encryption has been detrimental to private-sector cybersecurity, Mitnick says, because it discourages more businesses from taking up the practice. “The government should stop stigmatizing these strong security measures,” Mitnick said. “I think that would protect the government, protect consumers, and protect businesses.”
