BreachExchange mailing list archives

Congress Overwhelmingly Agrees On Something (Cybersecurity), And That Could Be A Problem

From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 27 Mar 2015 13:46:59 -0600

Congress doesn’t agree on much these days, but one thing every lawmaker
seems to have in common is no one wants his or her email hacked. That’s the
theme of the conversation around two cybersecurity bills riding their way
through both chambers of Congress on a rare wave of bipartisan support.
Both bills are expected to pass next month despite an outcry from nervous
privacy advocates.

The U.S. House of Representatives Intelligence Committee unanimously
approved a highly anticipated cybersecurity bill Thursday that is
co-sponsored by Rep. Adam Schiff, D-Calif., and Rep. Devin Nunes, R-Calif.
By all rights, those two lawmakers should never agree on anything: Schiff
is a prominent advocate of online surveillance reform and Nunes famously
called one National Security Agency critic “al Qaeda’s best friend in
Congress.” What makes their agreement more bizarre is that, after
near-historic levels of inaction, the Senate Intelligence Committee just
approved a similar cybersecurity bill, 14-1.

Both bills are expected to go up for chamber-wide votes by the end of
April, the result of a rare bipartisan urgency usually seen only for
legislation crafted in the wake of a major event (like the Patriot Act
after the Sept. 11 terrorist attacks). That appears to be the case here,
with Congress spending the last five years trying and failing to pass a
comprehensive cybersecurity law that might’ve stopped the hack on Sony
Pictures or Anthem health insurance.

Too Many Loopholes?

But for all the benefits lawmakers keep touting -- liability insurance for
hacked companies, increased cooperation between the private and public
sectors, improved national security -- the effort behind both bills could
all be for naught because of privacy concerns. The Senate bill in
particular, known as the Cyber Intelligence Sharing and Protection Act
(Cispa), has infuriated privacy advocates who say the bill’s wording
creates too many loopholes.

Cybersecurity is unique in a political climate where lawmakers are still
bitterly divided on the best way to protect Americans’ personal information.

“That concern about the government is shared by the tea party Republicans
and by somewhat left-leaning liberals,” said Robert Jervis, a professor of
international politics at Columbia University. “The conservatives have a
general sense of a small government and say ‘Look what’s happened,’ whereas
the older left remembers Nixon and even McCarthy.”

The Electronic Frontier Foundation has asserted that by using overly vague
language and giving companies new immunity power, Cispa would remove
safeguards meant to prevent companies from sharing customer data without
permission. They also deemed it redundant after President Barack Obama
signed two executive orders this year mandating more communication on
threat information.

“First, [Cispa] authorizes companies to launch countermeasures (now called
‘defensive measures’ in the bill) for a ‘cybersecurity purpose’ against a
‘cybersecurity threat,’” EFF Legislative Analyst Mark Jaycox wrote in a
blog post. “‘Cybersecurity purpose’ is so broadly defined that it means
almost anything related to protecting (including physically protecting) an
information system, which can be a computer or software. The same goes for
a ‘cybersecurity threat,’ which includes anything that ‘may result’ in an
unauthorized effort to impact the availability of the information system.”

Privacy advocates are slightly more optimistic about the House bill.

Dubbed the Protecting Cyber Networks Act, the legislation would require
personal information to be “scrubbed” twice before it was transmitted to
the Department of Homeland Security, lawmakers told Reuters.

Willing To Sacrifice Privacy

Yet, while privacy groups are still looking through the bill, the American
Civil Liberties Union said it could still be possible for spy agencies to
access personal information that has no relevance on cybersecurity.

Americans, for the most part, don’t seem to care. Polls have consistently
shown that U.S. citizens are willing to sacrifice their privacy if it helps
the government investigate foreign security threats. A Washington Post-ABC
News poll in January found that the public thinks it’s more important to
investigate possible terrorist threats than to not intrude on personal
privacy, by a margin of 63 percent to 32 percent. That feeling has largely
been reflected in Washington since the Sept. 11 attacks.

Differences between the bills would need to be resolved before a final
version goes to Obama, who threatened to veto earlier versions of Cispa in
2012 and 2013, citing privacy concerns. Nunes admitted the House bill’s
best hope of passing might be when a new president takes office in 2017.

All of which might be trumped by the simple need to do something --
anything -- to slow down the embarrassment that comes with major data
breaches. Jervis added that, as the Republican-controlled Congress sets the
stage for the 2016 presidential election, its members are still trying to
prove they can govern.

“The very fact that there aren’t many issues where Congress can do
something might be an issue where if they simply prove they can do it they
might find some momentum on it,” he said. “It’s hard to think of an issue
where there’s this much agreement.”