Thread: Senate Approves Cybersecurity Bill Despite Flaws

Senate Approves Cybersecurity Bill Despite Flaws

By DAVID E. SANGER and NICOLE PERLROTH OCT. 27, 2015

WASHINGTON — After four years of false starts and strife over privacy protections, the Senate passed legislation by a vote of 74 to 21 on Tuesday that would help companies battle a daily onslaught of cyberattacks.

But there is one problem with the legislation, the Cybersecurity Information Sharing Act, or CISA: In the years that Congress was debating it, computer attackers have grown so much more sophisticated — in many cases, backed by state sponsors from Shanghai to Tehran — that the central feature of the legislation, agreements allowing companies and the government to share information, seems almost quaint. To many in the trenches of daily computer combat, it is a little like the insistence of some cavalry officers in the 1930s on sticking to horses, rather than investing in mechanized divisions.

The sponsors of the legislation concede that it would have done nothing to help Sony Pictures Entertainment, whose computers were melted down 11 months ago in a remarkably destructive attack for which the White House blamed North Korea.

That attack was not based on the kinds of previously seen computer viruses or tools that companies and the government could warn each other about. It would not have stopped the Chinese from cleaning out security records on 22 million Americans from the Office of Personnel Management, which failed to put in place the same basic computer-hygiene practices that the federal government urges companies and individuals to practice.

It would not have helped the State Department and the White House, whose unclassified emails were hacked by the Russians.

“We are talking about feel-good legislation,” said Senator Ron Wyden, Democrat of Oregon, who has long been a critic of the bill because he maintains it does not do enough to protect the privacy of information shared by companies. “It would not have prevented any major hacks.”

But he said that his colleagues “wanted to be able to say they voted for something to combat hacking” and this is what they came up with. At the White House, which has been pushing for cybersecurity legislation since President Obama took office in 2008, senior officials also acknowledged that the proposed legislation is “so 2009.”

That may be a little harsh: for low-level cyberattacks, the idea of companies and the government sharing data about the “signatures” of cyberspace intruders — the digital trail that shows where they came from and what their code looks like — may have some value. “If you took the position that no single thing solves the problem, then you would never do anything — it’s a defeatist attitude,” said Rajesh De, the former general counsel of the National Security Agency. “You have to start with something.”

Still, the lesson of the much-debated cybersecurity legislation, which was opposed by technology companies and supported by financial services firms that demanded liability protection in case they shared data that infringed on a customer’s privacy, is that cyberthreats move at digital speeds and Congress moves at, well, congressional speed.

Indeed, the Senate legislation faces more legal wrangling at a House-Senate conference at which conferees must reconcile the Senate bill with two similar, albeit slightly different, bills passed by the House last April: the Protecting Cyber Networks Act, or P.C.N.A., and the National Cybersecurity Protection Advancement Act, or N.C.P.A.A., which were eventually combined.

Both bills, like the Cybersecurity Information Sharing Act, establish a voluntary threat information-sharing vehicle, whereby companies and government agencies can share information about attackers’ code and techniques, and risk alerts. Both bills also include liability protections for private companies, shielding them from lawsuits for sharing certain types of data. And both also set up some privacy safeguards for customers’ personal information.

But the logistics of each bill are slightly different and will have to be hammered out by the conference. Lawmakers face a slew of criticism from stakeholders and privacy advocates, who worry the legislation could provide a new conduit for government surveillance, and that the liability protections could discourage companies from investing in better cybersecurity defenses.

The most vocal opposition has come from the Center for Democracy and Technology and the American Civil Liberties Union, which both argue that the Senate bill could be abused by the National Security Agency and Federal Bureau of Investigation to obtain information on Internet users, unrelated to cybersecurity threats, without a warrant. In its current form, any cyberthreat information shared with the Department of Homeland Security would be shared with the N.S.A., the F.B.I. and other agencies.

The bill “risks turning the cybersecurity program it creates into a backdoor wiretap by authorizing sharing and use of cyberthreat indicators for a broad array of law enforcement purposes that have nothing to do with cybersecurity,” Greg Nojeim, a senior counsel at the Center for Democracy and Technology, wrote in a blog post.

The Computer and Communications Industry Association trade group, which represents Google and Facebook among others, wrote an open letter earlier this month saying the bill does not “sufficiently protect users’ privacy” and complaining that the bill may even “cause collateral harm to the systems of innocent third parties.”

The bill authorizes controversial “countermeasures”— retaliatory actions by companies, or security firms, aimed at disrupting or disabling the computers of adversaries. But critics argue that such measures could backfire.

The oddity of the legislation is that it focuses on what many in the cyberworld consider to be a diminishing form of defense: collecting and sharing those “signatures,” which the Department of Homeland Security and the F.B.I. periodically circulate to a select list of major corporations. The problem is that most sophisticated cyberattackers have figured that out.

“I think the fruits of detecting signatures and patterns of broad attacks are already picked,” said Jonathan Zittrain, a Harvard law professor. “The biggest threats,” he said, are far more customized, “with elements of social engineering or betrayal of an employee with access to data or code.”

In fact, the list of tasks that most cybersecurity experts describe as important to deterring attacks is largely missing from the bill. A 2012 cybersecurity bill, which would have required that companies meet certain standards in exchange for immunity from lawsuits, failed to pass after the U.S. Chamber of Commerce argued that the rules would be too onerous on companies.

http://www.nytimes.com/2015/10/28/us...ite-flaws.html