BreachExchange mailing list archives

Amended Cybersecurity Bill Still Drawing Criticism


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 18 Jul 2014 13:23:08 -0600

http://www.govtech.com/federal/Amended-Cybersecurity-Bill-Still-Drawing-Criticism.html

Though Sen. Mark Warner amended a controversial cybersecurity bill to
increase congressional oversight, proponents of privacy and computer
security say it still isn’t enough to overcome broader concerns.

The Senate Select Committee on Intelligence voted 12–3 last week to forward
the Cybersecurity Information Sharing Act to the full Senate for
consideration.

If enacted in its current form, the 46-page bill will provide businesses a
way to share information on potential cyberthreats or attacks with the
federal government. The government can then use “countermeasures” that
prevent, reduce or otherwise defend against an attack.

The committee has sent the bill to the overall Senate for additional
discussion.

Jake Laperruque, a fellow at the nonprofit Center for Democracy and
Technology, said the bill has a well-meaning purpose—making it easier for
businesses to relay information to federal authorities—but contains vague
language and broad concepts that raise serious privacy concerns.

He said that there are no clear limits on what information can be shared or
used, and that preserving the privacy of names, IP addresses and other
personal information in what gets shared is not guaranteed.

Warner’s amendment, as outlined in the bill text, requires a report from
the Director of National Intelligence within the first six months of the
bill’s enactment.

The report on “cyberattacks, theft, and data breaches” would include
reports on relationships with nations the United States shares cyberthreat
information with, analysis of countries and nonstate actors that pose
cyberthreats and an assessment of the nation’s response to attacks or
precursor events up to that point.

A statement from Warner called cyberattacks “a significant economic and
national security threat” to the country.

“It is essential that we take meaningful steps now to defend against this
threat and improve our capability to do so,” Warner said in a release.

Laperruque said the amendment, which provides a marked improvement in
oversight, doesn’t hurt the bill, but is not an overly effective fix.

“There’s always value in having more congressional oversight over any type
of instance which the government might be collecting or monitoring
Americans’ communications,” he said. “But in terms of effectiveness, it
still doesn’t address more serious substantive issues in the bill.”

Paul Logan, communications director for Republican senatorial candidate Ed
Gillespie, said that their camp was still reviewing the bill’s final text.

“While we must work to prevent cyberattacks, legitimate concerns about
privacy have been raised by members of both parties,” Logan said. “Ed
Gillespie would ensure that any cybersecurity legislation includes strong
safeguards for our civil liberties and personal privacy.”

Michael DePaepe, the executive vice president and chief operations officer
of Reveille Systems, a Fredericksburg information technology and management
consultation business, said the bill doesn’t safeguard personal information
and is likely to do the “private entities” it aims to assist more harm than
good.

“The government is going to do what it thinks is best for national
security,” he said. “It’s geared more toward getting info about an attack
into the intelligence community’s hands quickly.”

DePaepe, who has over 20 years of experience in computer security, said the
burden for securing personal information should remain with businesses, not
the federal government.

“Businesses have an inherent responsibility to customize and employ methods
to protect their privacy. If not, they’re just asking for trouble,” he said.

DePaepe said that businesses should have established security protocols
that limit people from gaining free access to their systems.

Whether that be through a firewall, password-protected wireless network or
a hard-to-hack password would be up to the business.

“If you can put up that first layer of defense,” DePaepe said, “then your
concerns on privacy as far as this act go are lessened because you’re
already taking those steps.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/