|
 |
 |
|
Don’t SOPA cyber
The House of Representatives has dubbed this week “Cyber Week.” Today and tomorrow, they will vote on a handful of cybersecurity bills. Unfortunately, none of the proposals that will be considered include important provisions on a key aspect of any effective cyber bill: information sharing.
The battle over information sharing legislation harkens the ghosts of SOPA. That bill, which resulted in a groundswell of internet-driven backlash, showed how volatile internet privacy and censorship issues can become on Capitol Hill. In a matter of days, companies such as Google, Wikipedia, and Facebook killed legislation that previously looked to be on an easy road to passage.
Many believe that the same actors who joined forces last winter to freeze SOPA may join together this spring to drown a critical piece of national security legislation.
Internet privacy groups are rightfully concerned with some of the information sharing proposals in the House bills. It’s important to note, however, that not all information sharing is alike. Proposals differ in how the federal government receives information and what handling requirements are placed on those transactions. In essence, there is bad information sharing and good information sharing.
The House proposals are also structured so that private owners share information on cyber breaches with the federal government on a voluntary basis. Most companies would share information in a voluntary scheme because they want to protect their own systems and contribute to the security of the nation. A few, however, may choose not to share information on attacks or intrusions. In an interconnected world, one weak link in the chain is a sufficient entry point for intruders to cause real damage.
If a company can choose not to share information on an intrusion because the system is voluntary, our intelligence and security leaders will have an incomplete picture of the cyber risks to our country. In short, this makes it harder for them to do their jobs and that is unacceptable.
While the House considers legislation with these bad proposals, the Senate is considering another option that includes a better system of information sharing and critical infrastructure protection. A bipartisan group of Senators—Joe Lieberman, Susan Collins, Jay Rockefeller, and Dianne Feinstein—is leading an effort to pass legislation that requires the owners of core critical infrastructure to share information on attacks and intrusions with a single federal entity: the National Center for Cybersecurity and Communications.
This is a common-sense approach. In an interconnected world we should have a consistent plan for reporting attacks so that we can mitigate the damage of ongoing attacks and stop them from happening again.
The Senate’s bill also includes language to protect “Personally Identifiable Information”. Imagine a scenario where a hacker gains access to email accounts at a major financial institution (last month the world’s largest credit card payments processor—Global Payments—was hacked). The bipartisan Senate bill would require the institution to scrub the email chain of information on its client’s personal bank accounts before giving federal authorities the information they need to investigate the intrusion. The House bills do not provide this layer of individual protection.
Information sharing, with protections for both personal privacy and critical infrastructure, must be included in any cybersecurity legislation if we want to address our national security vulnerabilities. Without these provisions, we won’t be as effective in preventing and responding to cyber attacks, and mitigating the effects of those attacks. There is a way to do this that balances the security needs of the country with the privacy rights of its citizens.
A bipartisan group of Senators have correctly struck that balance and we should support their efforts.
Matthew Rhoades is director of legislative affairs at the Truman Project and Truman Institute.
Most Viewed RSS Feed »
