Congress must focus on more than information sharing

This week, both the House and the Senate held hearings on cybersecurity. Each chamber took a very different approach to the discussion, with the House focused primarily on how to prevent attacks through improvements in basic security practices, and the Senate focused on the more reactive and potentially privacy-threatening tactic of information sharing with the government.

First, the House Science, Space, and Technology Subcommittee on Research and Technology held a hearing on Tuesday that explored what companies and individuals can do to better protect themselves from computer crime and data breaches. Such basic “cyber hygiene” includes simple practices like encrypting data, updating software, and setting strong passwords.

If companies and individuals regularly used techniques like these to defend themselves from attack, 80-90 percent of cyber threats could be prevented. This proposition has been roundly affirmed by security experts ranging from former Deputy Secretary of the Department of Homeland Security Jane Holl Lute, to the SANS Institute, and Symantec’s Vice President of Global Government Affairs & Cybersecurity Policy, Cheri McGuire, who testified to that fact at yesterday’s House hearing.

Information Technology Industry Council’s (ITIC) CEO, Dean Garfield, also testified at Tuesday’s hearing that engaging in better cyber hygiene is the best way to protect yourself from attack. Additionally, Dr. James Kurose of the National Science Foundation and Dr. Charles H. Romine of NIST not only stressed the importance of good cyber hygiene, but informed the Subcommittee that there have been significant and continuing improvements to technology that will make cyber hygiene more accessible and usable. Dr. Eric A. Fischer of the Congressional Research Service (CRS) also testified to many of the same things.

In contrast to the House’s focus on a broad range of cybersecurity solutions, the Senate Homeland Security and Governmental Affairs Committee held a hearing Wednesday on “The Importance of Information Sharing.” This hearing is the latest in a string of hearings on the topic of information sharing in previous Congresses, and will likely be the first of many to take place this Congress. For years, changes to the law to allow companies to share more cyber threat information with the government have been touted as the panacea for our nation’s cybersecurity problems.

While the Senate hearing failed to reveal anything new about this debate, it was the most comprehensive and intelligent hearing on information sharing yet. Importantly, there was a clear articulation by every witness that strong privacy protections and civilian control are central components to an effective bill. American Express’ Marc D. Gordon and Microsoft’s Scott Charney both testified that companies should be required to strip unnecessary personal information before engaging in sharing, and that the government should not be able to use information it receives for law enforcement or national security objectives, absent judicial authorization. Peter J. Beshar of Marsh & McLennan Companies, Inc. and Richard Bejtlich of FireEye also acknowledged the need for strong privacy protections.

Greg Nojeim, a privacy expert from the Center on Democracy and Technology, testified that none of the proposals that have been put forth by Congress and the administration adequately address the privacy and civil liberties concerns that would be raised by increased information sharing. Nor are any of the proposals drafted narrowly enough to ensure that any new information sharing regime is not used as a new backdoor for government surveillance of Americans’ online communications.

Unfortunately, no witness talked at much length about the myriad of other, less privacy-invasive measures that the government could undertake or encourage in order to improve the state of cybersecurity. Any serious attempt at improving cybersecurity must reach beyond debates about information sharing and include a robust discussion on all the ways that policymakers, companies and the public can work together to improve cyber hygiene.

It is incumbent upon the Senate and the Science Committee’s peers in the House to turn their attention more squarely upon how the government could encourage companies and individuals to be proactive in protecting themselves by taking basic and necessary steps such as encrypting more of their data, keeping their software updated, and using stronger passwords and other authentication techniques.

Rep. Barbara Comstock (R-Va.), the new chairperson of the Subcommittee on Research and Technology, took a critical first step in raising the level of the debate by asking questions about cyber hygiene and about the many proven techniques for preventing attacks. Other lawmakers should follow her lead by focusing less on information sharing and more on the ways that Congress can encourage individuals, industry, and the government itself to take the most basic steps to improve cybersecurity for everyone.

Greene is policy counsel at the Open Technology Institute.