BreachExchange mailing list archives

What is Congress Doing About Cyberthreats and Hackers?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 8 Sep 2014 18:52:57 -0600

http://www.govtech.com/federal/What-is-Congress-doing-about-cyberthreats-and-hackers.html

The recent disclosures that hackers had made off with nude celebrity photos
stored on Apple’s iCloud and credit card information collected by Home
Depot were just the latest in a seemingly endless series of
headline-grabbing data thefts. But the timing was propitious, given that
the Senate is resuming work on a long-overdue bill to protect online data
and corporate networks by letting government and the private sector share
more information about cyberthreats. Sadly, this year’s version and the
House’s counterpart have at least as many problems as their predecessors,
putting far too much trust in the government and the private sector to do
the right thing.

The main purpose of both bills is to remove the legal barriers stopping the
dissemination of valuable information about malware, botnets and other
forms of attack online. This is a worthy goal and, potentially, a major
step forward in protecting against cyberassaults, corporate espionage and
other online threats. But the details matter, particularly when it comes to
what information gets shared with whom. Although the bill by Sen. Dianne
Feinstein, D-Calif., is better than the House proposal and some of the
previous versions, it still leaves too many openings for personal
information to be shared with government agencies that don’t need to see
it, and that could use it for too many purposes beyond cybersecurity. In
fact, it requires that information shared with the government be sent
automatically to the Department of Defense and, presumably, the National
Security Agency, given the latter’s interest in cyberattacks. For that
reason, it feels too much like a bill to deter hackers by expanding the
surveillance of ordinary Internet users.

When it comes to cybersecurity, the most effective type of sharing is the
rapid exchange of newly discovered threat information by tech experts
working in the same industry. The Senate bill would make that possible, but
it wouldn’t compel companies to do so — or to take any other steps to
improve security, or even to disclose breaches to the public. And as the
two latest incidents show, data thieves don’t have to come up with
something new and sophisticated to obtain sensitive personal information.
They can succeed with techniques that are relatively simple and well
understood.

The last thing government should do in this area is dictate cybersecurity
techniques. To its credit, the Obama administration has worked with the
private sector to develop voluntary standards and best practices for
protecting networks. Congress should take the next step and pass a bill
that allows companies to share timely information about cyberthreats and
hackers’ methods with each other and the government. The current proposals,
however, don’t do enough to make sure the information shared is anonymized
and used only to promote cybersecurity. And Congress has already given the
federal government too much leeway to monitor its citizenry.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/