Cybersecurity Measures Inch Forward, but Critics Doubt Their Effectiveness
Lawmakers are pushing measures they say will help boost the nation’s security from cyber-attacks, but experts warn the efforts will do little to shield the country from increasingly sophisticated online hacking.
The growing need to protect the government’s computers and private databases from cyber-theft and espionage grabbed headlines this month after the Office of Personnel Management revealed that the records of more than 4 million current and former government employees had been compromised by hackers. That attack, the latest in a series to hit federal systems, private health care providers, retailers and even Sony Pictures, has put pressure on the Obama administration and Congress to bolster Internet security.
On Capitol Hill, senators have traded barbs about a bill that would encourage private companies and the government to share information about cyber-threats and data breaches, and create liability protection for firms that do so. The House passed similar legislation earlier this year.
The theory behind these measures is simple: If companies are able to share cyber-threat indicators, other firms and the government can move quickly to secure their systems from the same threat.
The sponsor of the Senate bill, Intelligence Chairman Richard M. Burr, has touted the legislation as a way to thwart cyber-attacks while also ensuring privacy rights.
“We can no longer simply watch Americans’ personal information continue to be compromised,” the North Carolina Republican has said. “This bill is long needed and will help us combat threats to our country and our economy.”
Critics of the information-sharing legislation, including Internet-security experts and privacy-rights advocates, contest both of those premises.
On the security side, many argue that information sharing will do little to plug gaps in the nation’s cyber-defenses.
“This really only addresses a fraction of a fraction of the problem,” said Martin Libicki, senior management scientist at the Rand Corp. “What I think is more troubling is that this [information sharing] is being treated as a panacea.”
Libicki challenged the basic premise of information sharing: that if one company can detect and capture the threat signature of an attack, then it can share it with others. One of the problems with that idea, Libicki said, is it presumes hackers won’t change the threat signatures — the unique components of malicious computer code — to evade detection.
“That’s a big presumption,” he said.
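To make Libicki's point concrete, here is an added illustration in Python (not from the article or any of the people quoted in it): a shared indicator list holding a file hash and a content pattern is checked against a constructed sample and against a variant in which one byte has been changed. The sample bytes, indicator names and pattern are all constructed for this example.

```python
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    """One shared threat indicator: a file hash or a byte pattern."""
    name: str
    kind: str   # "sha256" or "pattern"
    value: str  # hex digest for sha256, regex text for pattern


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def matches(sample: bytes, ind: Indicator) -> bool:
    """Return True if the sample matches this indicator."""
    if ind.kind == "sha256":
        return sha256_hex(sample) == ind.value
    if ind.kind == "pattern":
        return re.search(ind.value.encode(), sample) is not None
    raise ValueError(f"unknown indicator kind: {ind.kind}")


def match_all(sample: bytes, indicators) -> dict:
    """Map each indicator name to whether the sample matched it."""
    return {ind.name: matches(sample, ind) for ind in indicators}


# Constructed, harmless stand-in for a captured sample (not real malware).
ORIGINAL = (b"MZ\x90\x00" + b"\x00" * 12
            + b"cmd=beacon;c2=updates.example-badhost.test;" + b"\x00" * 8)
# The same sample with a single padding byte altered: the hash changes,
# the embedded configuration (the part defenders can act on) does not.
VARIANT = ORIGINAL[:-1] + b"\x01"

# Two indicators a company might share: a brittle hash and a sturdier pattern.
SHARED_INDICATORS = [
    Indicator("sample-hash", "sha256", sha256_hex(ORIGINAL)),
    Indicator("beacon-config", "pattern", r"cmd=beacon;c2=[a-z0-9.\-]+;"),
]


def evaluate() -> dict:
    """Check both samples against the shared indicators."""
    return {"original": match_all(ORIGINAL, SHARED_INDICATORS),
            "variant": match_all(VARIANT, SHARED_INDICATORS)}
```

The hash indicator stops matching as soon as one byte changes, while the pattern indicator still fires; this is why the value of shared indicators depends heavily on what kind of indicator is shared.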
It also assumes companies will want to share information about cyber-threats. But with reputations and stock prices at stake, that’s not always the case — even if a company enjoys the sort of liability and anti-trust protections offered by the legislation.
In April, more than 60 Internet-security researchers and professionals sent a letter to the leaders of the House and Senate Intelligence committees to express their opposition to all three information-sharing bills. They said the legislation permits overly broad sharing and would not contribute to greater cybersecurity.
Some in the Internet-security field, however, don’t paint information sharing in entirely dark tones.
Denise Zheng, a senior fellow at the Center for Strategic and International Studies, said having access to the contextual information of an attack — the intent, the motive, the general tactics — is useful.
“It’s a step in the right direction. It will encourage or incentivize information sharing. But information sharing is just one piece of the equation,” Zheng said. “After you get access to the information about the threat, you have to take action, and the bill doesn’t do anything to compel action.”
In the wake of the Edward Snowden leaks about the National Security Agency’s programs, a cloud of privacy and civil liberties concerns invariably hangs over any cybersecurity legislation.
Lawmakers tried to address some of the privacy concerns by mandating personal information be scratched out of any data before it is sent to a government agency. One of the House bills even calls for two rounds of personal information scrubbing.
Despite those measures, concerns remain over where the information shared with the government will end up and to what purpose it will be put.
Privacy Concerns Remain
The Senate bill would permit the government to channel the cyber-threat information it receives from companies toward run-of-the-mill law enforcement investigations unrelated to cybersecurity, said Greg Nojeim, chief counsel at the Center for Democracy and Technology, which advocates for Internet privacy rights and legal controls on government surveillance.
“So for example, the Department of Justice could pool the information it receives under this program and mine it repeatedly for use in criminal investigations,” Nojeim said.
Among Congress’ sharpest critics of the bill is Sen. Ron Wyden. The Oregon Democrat was the sole member of the Senate Intelligence Committee to vote against the measure at the committee level.
“If you have a cyber bill without real privacy protections, it’s not really a cybersecurity bill, it’s a surveillance bill,” Wyden told reporters this week.
On the Senate side, the information-sharing bill made its way to the floor this month, where Majority Leader Mitch McConnell allowed it to be offered as an amendment to the annual defense policy bill (HR 1735).
That infuriated many Democrats, who want the bill presented as stand-alone legislation so it can be subject to debate and amendments. Senate Armed Services Chairman John McCain, R-Ariz., eventually withdrew the amendment after it failed to achieve the 60 votes needed to overcome a Democratic filibuster.
So if information sharing is imperfect and nothing more than a small step forward, why is Congress barreling ahead on it?
Part of the answer lies in the limited political wiggle room in Washington to tackle an issue encompassing almost every sector of the economy as well as national security and privacy rights.
“There’s immense pressure on Congress to do something, and the zone of political feasibility is very, very narrow,” said Jonathan Mayer, a cybersecurity fellow at Stanford University. “Given the immense pressure, what can move does wind up having a bunch of weight behind it, and that is legislation that provides immunity to the private sector and does not seem to have much security upside. But it also does not have much opposition, besides privacy concern.”