Security experts: We don't need cyber bills

Security experts and tech officials aren’t necessarily on board with the major cybersecurity bills set to start hitting the floor next week.

Sixty-five security researchers, systems administrators and computer scientists wrote congressional leaders on Thursday, urging them to reject the legislation.

The measures would grant companies liability protections when sharing cyber threat data with the government. Private firms have been hesitant to give cyber data to federal agencies, fearing shareholder lawsuits or regulatory action.

The efforts have received considerable backing from industry groups and some security researchers. A broad swath of lawmakers and government officials are also on board.

Supporters argue that the move is a necessary first step to better understand hackers and bolster the nation’s weak cyber defenses.

But the coalition writing Congress insisted the bills would not help them fight hackers.

“We do not need new legal authorities to share information that helps us protect our systems from future attacks,” said the group. “When a system is attacked, the compromise will leave a trail, and investigators can collect these bread crumbs.”

The coalition includes top security engineers at Amazon, Cisco, Mozilla and Twitter, exposing a rift within the private sector.

The U.S. Chamber of Commerce and trade groups lobbying for financial firms, electronic payment companies and insurers are strong advocates of cyber threat-sharing efforts. But many top tech companies have appeared warier.

Apple CEO Tim Cook made a high-profile, pro-privacy appeal during forceful remarks delivered directly before President Obama took the stage at a White House cybersecurity summit in February.

While Cook didn’t name-check the cyber bills specifically, the day-long summit was centered around promoting information-sharing measures. The White House has expressed conditional support for threat-sharing bills on the table.

The letter’s signers — who were not necessarily writing on behalf of their company — argued the needed cyber threat data is already being exchanged.

“Generally speaking, security practitioners can and do share this information with each other and with the government while still complying with our obligations under federal privacy law,” they said.

As written, the bills under consideration will not open up more useful data, the group maintained.

“Threat data that security professionals use to protect networks from future attacks is a far more narrow category of information than those included in the bills,” they said. “These bills permit overbroad sharing.”

The letter is also signed by computer science professors at universities, including Dartmouth, Johns Hopkins, Stanford and Yale.

Officials from security firms like CloudFlare and Rapid7 signed on as well.

“This excess sharing will not aid cybersecurity, but would significantly harm privacy and could actually undermine our ability to effectively respond to threats,” they said.

The House will vote on its two info-sharing measures next week, with the Senate likely to soon follow with a vote on its companion offering.