BreachExchange mailing list archives
What is Congress Doing About Cyberthreats and Hackers?
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 8 Sep 2014 18:52:57 -0600
http://www.govtech.com/federal/What-is-Congress-doing-about-cyberthreats-and-hackers.html

The recent disclosures that hackers had made off with nude celebrity photos stored on Apple’s iCloud and credit card information collected by Home Depot were just the latest in a seemingly endless series of headline-grabbing data thefts. But the timing was propitious, given that the Senate is resuming work on a long-overdue bill to protect online data and corporate networks by letting government and the private sector share more information about cyberthreats. Sadly, this year’s version and the House’s counterpart have at least as many problems as their predecessors, putting far too much trust in the government and the private sector to do the right thing.

The main purpose of both bills is to remove the legal barriers stopping the dissemination of valuable information about malware, botnets and other forms of attack online. This is a worthy goal and, potentially, a major step forward in protecting against cyberassaults, corporate espionage and other online threats. But the details matter, particularly when it comes to what information gets shared with whom.

Although the bill by Sen. Dianne Feinstein, D-Calif., is better than the House proposal and some of the previous versions, it still leaves too many openings for personal information to be shared with government agencies that don’t need to see it, and that could use it for too many purposes beyond cybersecurity. In fact, it requires that information shared with the government be sent automatically to the Department of Defense and, presumably, the National Security Agency, given the latter’s interest in cyberattacks. For that reason, it feels too much like a bill to deter hackers by expanding the surveillance of ordinary Internet users.

When it comes to cybersecurity, the most effective type of sharing is the rapid exchange of newly discovered threat information by tech experts working in the same industry. The Senate bill would make that possible, but it wouldn’t compel companies to do so — or to take any other steps to improve security, or even to disclose breaches to the public. And as the two latest incidents show, data thieves don’t have to come up with something new and sophisticated to obtain sensitive personal information. They can succeed with techniques that are relatively simple and well understood.

The last thing government should do in this area is dictate cybersecurity techniques. To its credit, the Obama administration has worked with the private sector to develop voluntary standards and best practices for protecting networks. Congress should take the next step and pass a bill that allows companies to share timely information about cyberthreats and hackers’ methods with each other and the government. The current proposals, however, don’t do enough to make sure the information shared is anonymized and used only to promote cybersecurity. And Congress has already given the federal government too much leeway to monitor its citizenry.