BreachExchange mailing list archives

Cybersecurity legislation may face tough road


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 1 Sep 2015 09:05:07 -0600

http://www.usatoday.com/story/news/politics/2015/08/28/cybersecurity-wyden-burr/71312428/


Feeling pressure to act, Congress is struggling to pass a cybersecurity
bill in the wake of this year’s massive hacks that stole the data of
millions of government workers, taxpayers and consumers.

But continuing concerns about the bill’s impact on privacy rights —
combined with a packed legislative calendar — could derail passage of the
legislation in this Congress, supporters and opponents say.

“I think time is very much against us,” said Matt Eggers, who handles
cybersecurity issues at the U.S. Chamber of Commerce and is pushing for
lawmakers to pass a bill. “Our biggest challenge right now is to get it to
the Senate floor for a vote in September. If we do that, then I think we
have a pretty good shot.”

Congress is facing a daunting to-do list when it returns to work Sept. 8,
including votes on the Iran nuclear deal and passing a bill to fund the
government past Sept. 30. Lawmakers also are preparing for the first-ever
papal address to Congress by Pope Francis on Sept. 24.

When the Senate left town in early August for a monthlong recess, it
abruptly stopped debate on the Cybersecurity Information Sharing Act, which
would encourage the voluntary sharing of cyber threat information among
private companies and between companies and the government.

Senate Majority Leader Mitch McConnell, R-Ky., had been wrangling with
Minority Leader Harry Reid, D-Nev., over what amendments would be allowed
to come up for a vote. McConnell said the Senate will take up the bill
again when it returns and consider 21 amendments.

Sen. Ron Wyden, D-Ore., has offered two amendments to strengthen the bill’s
privacy protections but said he still believes the legislation is
unnecessary and could do more harm than good. He said he fears lawmakers
are rushing to pass a flawed bill in the wake of the recent attack that
compromised the data of 21.5 million people whose records were stored by
the Office of Personnel Management.

“Everybody understands that with the OPM hack there’s going to be a push to
do something,” Wyden said. “Nobody wants to look soft on cyber attacks. The
problem is that our best technologists out there say this is not going to
stop the hacks or protect people’s information. But it is going to create
an invasion of people’s privacy.”

Privacy rights advocates say the bill would result in the personal
information of millions of Americans being turned over to the federal
government without their consent. The bill offers liability protection to
shield companies from lawsuits for sharing their customers’ information.

“The bill gives private companies sweeping legal protections when they
share personal consumer information with the government for cybersecurity
purposes, which are broadly defined,” said Gabe Rothman, a legislative
counsel and policy adviser for the American Civil Liberties Union. “The
requirements that companies strip out irrelevant private information are
weak. Once shared with the government, law enforcement and intelligence
agencies can use it for numerous non-cyber purposes.”

The bill’s authors said they have beefed up privacy protections in the
latest version of the legislation. One big change is that federal law
enforcement officials would no longer be able to use the data to
investigate crimes that have nothing to do with cybersecurity. An earlier
version would have allowed agents to use the information to investigate
crimes such as carjacking and drug running that involves weapons.

“This is not a surveillance bill,” said Senate Intelligence Chairman
Richard Burr, R-N.C., whose bipartisan legislation was approved 14-1 by the
Intelligence committee. “We're here because the American people's data is
in jeopardy if government doesn't help to find a way to minimize the loss.”

Eggers said that privacy advocates should be more concerned about hackers
stealing people’s private data.

“If they’re so concerned about privacy, where’s their outrage over the OPM
attack?” he said.

Wyden has been pressing top federal counterintelligence officials about
what steps the National Counterintelligence and Security Center took to
protect OPM records from suspected Chinese hackers. He said a stronger
cybersecurity strategy by the government is what’s needed most.

“That’s the sensible place to start,” he said.

Burr said the Cybersecurity Information Sharing Act would not prevent cyber
attacks such as those against OPM and the IRS, which was hacked by thieves
who accessed as many as 334,000 taxpayer accounts.

“I’m not sure we could craft anything to do that (prevent attacks),” Burr
said. He said the bill’s aim is to minimize the damage done by hackers by
sharing threat information as widely as possible so that attacks can be
stopped before they spread to other government agencies or companies.

Eggers said the business community, which has been hit hard by attacks on
Target, Home Depot, Anthem health insurance, JPMorgan Chase and others,
sees this fall as the best chance to get a bill passed in this Congress.

“Next year is an election year, and nothing is going to get done then,” he
said. “If it’s going to happen, it has got to be soon.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/