What Congress Can Do About Cybersecurity If CISA Fails

Lawmakers have focused almost exclusively on information-sharing to boost cybersecurity after a series of high-profile government data breaches.

Web servers are lined up inside a Facebook data center in Prineville, Oregon.
Bloomberg AFP/Getty
Kaveh Waddell
Add to Briefcase
Kaveh Waddell
Sept. 7, 2015, 8 p.m.

As sen­at­ors re­turn from re­cess to a heap­ing plate of le­gis­lat­ive pri­or­it­ies, a cy­ber­se­cur­ity in­form­a­tion-shar­ing bill that stalled earli­er this sum­mer is com­pet­ing for law­makers’ at­ten­tion with de­bates over the pres­id­ent’s nuc­le­ar deal with Ir­an and the loom­ing budget dead­line.

The Cy­ber­se­cur­ity In­form­a­tion Shar­ing Act, along with the 22 amend­ments that will also get a vote when the bill comes up, is the Sen­ate’s main push this ses­sion for a bill to ad­dress cy­ber­se­cur­ity short­com­ings in both the gov­ern­ment and the private sec­tor. Two sim­il­ar bills have already passed the House.

Op­pon­ents of CISA—tech ex­perts, pri­vacy ad­voc­ates, and pro-pri­vacy law­makers—have fought to delay the bill and would rather see it dropped com­pletely. But if CISA does get bur­ied un­der the Sen­ate’s packed sched­ule, ex­perts say there are al­tern­at­ives for law­makers look­ing for ways to im­prove cy­ber­se­cur­ity through le­gis­la­tion.

“There are a bunch of oth­er things they could be look­ing at, some of which are very non­con­tro­ver­sial, don’t in­volve pri­vacy risks, and could be low-hanging fruit,” said Jake Laper­ruque, a pro­gram fel­low at New Amer­ica’s Open Tech­no­logy In­sti­tute.

After hack­ers in­filt­rated com­puter sys­tems at the White House, the State De­part­ment, the Pentagon, and the Of­fice of Per­son­nel Man­age­ment—all with­in the last year—Con­gress began mov­ing to­ward a cy­ber­se­cur­ity fix with more ur­gency.

The push for CISA has come in large part from the busi­ness com­munity, which has a lot to gain from the li­ab­il­ity pro­tec­tions built in­to the bill. “The Pro­tect­ing Amer­ica’s Cy­ber Net­works Co­ali­tion strongly be­lieves that CISA is the only game in town on cy­ber­se­cur­ity le­gis­la­tion,” said Mat­thew Eggers, seni­or dir­ect­or of na­tion­al se­cur­ity pro­grams at the U.S. Cham­ber of Com­merce, re­fer­ring to a co­ali­tion of nearly 50 tech as­so­ci­ations. “No cy­ber bill comes close to cap­tur­ing both the sup­port of vir­tu­ally every eco­nom­ic sec­tor and the White House.”

But pri­vacy ad­voc­ates say law­makers’ near-ex­clus­ive fo­cus on in­form­a­tion-shar­ing was pre­ma­ture.

“In the rush to act, Con­gress lost sight of all the oth­er solu­tions,” said Drew Mit­nick, policy coun­sel at Ac­cess, a di­git­al hu­man-rights or­gan­iz­a­tion.

Here are three al­tern­at­ives to in­form­a­tion-shar­ing that ex­perts have floated.

Incentives for vulnerability buybacks

When a se­cur­ity re­search­er or a ma­li­cious hack­er dis­cov­ers a vul­ner­ab­il­ity in a com­pany’s soft­ware or hard­ware—wheth­er it’s a web­site, a sens­it­ive data­base, or crit­ic­al in­fra­struc­ture—he or she must de­cide what to do with the in­form­a­tion. Se­cur­ity re­search­ers will of­ten go straight to the com­pan­ies to no­ti­fy them of the vul­ner­ab­il­ity. Some com­pan­ies are re­cept­ive to hear­ing about their se­cur­ity short­falls; oth­ers are much slower to re­spond.

But a hack­er who is less in­ter­ested in the com­pany’s well-be­ing will likely take a more prof­it­able route, turn­ing to the shadier corners of the In­ter­net to pawn off the vul­ner­ab­il­ity.

One way com­pan­ies can keep bugs and vul­ner­ab­il­it­ies from ap­pear­ing on on­line black and gray mar­kets is by of­fer­ing to buy them from the people who dis­cov­er them. Some com­pan­ies already have buy­back, or “bug bounty,” pro­grams. A num­ber of tech com­pan­ies of­fer up­ward of tens of thou­sands of dol­lars for vul­ner­ab­il­it­ies; United Air­lines re­cently be­came the first air­line to in­tro­duce a buy­back pro­gram, an­noun­cing boun­ties of up to 1 mil­lion fre­quent-fli­er miles for bugs in its web­sites and apps. But it spe­cific­ally ex­cluded from the bounty pro­gram re­search on vul­ner­ab­il­it­ies in crit­ic­al in­fra­struc­ture, like the ac­tu­al air­planes United flies.

Tech ex­perts say the gov­ern­ment could in­centiv­ize buy­back pro­grams by of­fer­ing the private sec­tor grants or tax write-offs for the pur­chases. “If a com­pany wants to pay to get a vul­ner­ab­il­ity off the black mar­ket or the gray mar­ket, then we’re go­ing to help them do that and en­cour­age them to do that,” said Laper­ruque.

Clarifications of anti-hacking laws

An­oth­er way to en­cour­age the se­cur­ity re­search that makes the private sec­tor safer is by cla­ri­fy­ing and trim­ming down anti-hack­ing laws like the Com­puter Fraud and Ab­use Act, tech act­iv­ists say.

That law is used to pro­sec­ute hack­ers who make their way in­to pro­tec­ted com­puter sys­tems, but pri­vacy ad­voc­ates have long cri­ti­cized the law for be­ing overly broad and dis­cour­aging le­git­im­ate se­cur­ity re­search.

Law­makers have tried in the past to cut the law down to size, with bills like Aaron’s Law—named after a se­cur­ity re­search­er who took his own life after be­ing charged with data theft—which would cla­ri­fy when re­search on vul­ner­ab­il­it­ies in pub­lic and private sys­tems is law­ful.

“Im­prov­ing the law so that se­cur­ity ex­perts can ac­tu­ally con­duct re­search without fear­ing pro­sec­u­tion” would be a boon to cy­ber­se­cur­ity, Mit­nick said.

One pro­posed amend­ment to CISA, put for­ward by Sen. Shel­don White­house, would al­ter the com­puter-hack­ing law, but pri­vacy ad­voc­ates are wor­ried that the change would make se­cur­ity re­search more dif­fi­cult rather than easi­er.

An end to government "stigmatization" of encryption

FBI Dir­ect­or James Comey has re­cently waged a pub­lic-re­la­tions war on tech com­pan­ies’ en­cryp­tion prac­tices, rail­ing against end-to-end en­cryp­tion in speeches and com­mit­tee hear­ings.

Comey ar­gues that strong, nearly in­ac­cess­ible en­cryp­tion is a threat to na­tion­al se­cur­ity be­cause it leaves law en­force­ment blind to the com­mu­nic­a­tions of po­ten­tial ter­ror­ists and crim­in­als. He has asked tech com­pan­ies to build in a way to de­code en­cryp­ted com­mu­nic­a­tion that com­pan­ies could use when asked by law en­force­ment. Ex­perts have warned against built-in vul­ner­ab­il­it­ies, cau­tion­ing that in­trep­id hack­ers will al­ways find ways to ex­ploit them.

Some law­makers have taken up the pro-en­cryp­tion fight. Reps. Will Hurd and Ted Lieu, two com­puter sci­ent­ists on the House Over­sight Com­mit­tee, sent a let­ter to Comey in June, con­demning the FBI’s stance on the so-called “back­doors” that would al­low law en­force­ment to ac­cess en­cryp­ted com­mu­nic­a­tion.

The con­flict over en­cryp­tion has been det­ri­ment­al to private-sec­tor cy­ber­se­cur­ity, Mit­nick says, be­cause it dis­cour­ages more busi­nesses from tak­ing up the prac­tice. “The gov­ern­ment should stop stig­mat­iz­ing these strong se­cur­ity meas­ures,” Mit­nick said. “I think that would pro­tect the gov­ern­ment, pro­tect con­sumers, and pro­tect busi­nesses.”

What We're Following See More »
Mnuchin Meets with MBS
14 hours ago
Saudis Admit Khashoggi Killed in Embassy
3 days ago

"Saudi Arabia said Saturday that Jamal Khashoggi, the dissident Saudi journalist who disappeared more than two weeks ago, had died after an argument and fistfight with unidentified men inside the Saudi Consulate in Istanbul. Eighteen men have been arrested and are being investigated in the case, Saudi state-run media reported without identifying any of them. State media also reported that Maj. Gen. Ahmed al-Assiri, the deputy director of Saudi intelligence, and other high-ranking intelligence officials had been dismissed."

Mueller Looking into Ties Between WikiLeaks, Conservative Groups
3 days ago

"Special counsel Robert Mueller’s investigation is scrutinizing how a collection of activists and pundits intersected with WikiLeaks, the website that U.S. officials say was the primary conduit for publishing materials stolen by Russia, according to people familiar with the matter. Mr. Mueller’s team has recently questioned witnesses about the activities of longtime Trump confidante Roger Stone, including his contacts with WikiLeaks, and has obtained telephone records, according to the people familiar with the matter."

Mueller To Release Key Findings After Midterms
3 days ago

"Special Counsel Robert Mueller is expected to issue findings on core aspects of his Russia probe soon after the November midterm elections ... Specifically, Mueller is close to rendering judgment on two of the most explosive aspects of his inquiry: whether there were clear incidents of collusion between Russia and Donald Trump’s 2016 campaign, and whether the president took any actions that constitute obstruction of justice." Mueller has faced pressure to wrap up the investigation from Deputy Attorney General Rod Rosenstein, said an official, who would receive the results of the investigation and have "some discretion in deciding what is relayed to Congress and what is publicly released," if he remains at his post.

FinCen Official Charged with Leaking Info on Manafort, Gates
3 days ago
"A senior official working for the Treasury Department's Financial Crimes Enforcement Network (FinCEN) has been charged with leaking confidential financial reports on former Trump campaign advisers Paul Manafort, Richard Gates and others to a media outlet. Prosecutors say that Natalie Mayflower Sours Edwards, a senior adviser to FinCEN, photographed what are called suspicious activity reports, or SARs, and other sensitive government files and sent them to an unnamed reporter, in violation of U.S. law."

Welcome to National Journal!

You are currently accessing National Journal from IP access. Please login to access this feature. If you have any questions, please contact your Dedicated Advisor.