Three Cybersecurity Alternatives if CISA Fails

Orhan Cam/Shutterstock.com

Featured eBooks
AI in the Workplace
Read Now

CX in Action

Read Now

Next Steps for CMMC

Read Now
Kaveh Waddell By Kaveh Waddell,
National Journal

By Kaveh Waddell,
National Journal

|

Lawmakers have focused almost exclusively on information-sharing to boost cybersecurity after a series of high-profile government data breaches.

As sen­at­ors re­turn from re­cess to a heap­ing plate of le­gis­lat­ive pri­or­it­ies, a cy­ber­se­cur­ity in­form­a­tion-shar­ing bill that stalled earli­er this sum­mer is com­pet­ing for law­makers’ at­ten­tion with de­bates over the pres­id­ent’s nuc­le­ar deal with Ir­an and the loom­ing budget dead­line.

The Cy­ber­se­cur­ity In­form­a­tion Shar­ing Act, along with the 22 amend­ments that will also get a vote when the bill comes up, is the Sen­ate’s main push this ses­sion for a bill to ad­dress cy­ber­se­cur­ity short­com­ings in both the gov­ern­ment and the private sec­tor. Two sim­il­ar bills have already passed the House.

Op­pon­ents of CISA—tech ex­perts, pri­vacy ad­voc­ates, and pro-pri­vacy law­makers—have fought to delay the bill and would rather see it dropped com­pletely. But if CISA does get bur­ied un­der the Sen­ate’s packed sched­ule, ex­perts say there are al­tern­at­ives for law­makers look­ing for ways to im­prove cy­ber­se­cur­ity through le­gis­la­tion.

“There are a bunch of oth­er things they could be look­ing at, some of which are very non­con­tro­ver­sial, don’t in­volve pri­vacy risks, and could be low-hanging fruit,” said Jake Laper­ruque, a pro­gram fel­low at New Amer­ica’s Open Tech­no­logy In­sti­tute.

After hack­ers in­filt­rated com­puter sys­tems at the White House, the State De­part­ment, the Pentagon, and the Of­fice of Per­son­nel Man­age­ment—all with­in the last year—Con­gress began mov­ing to­ward a cy­ber­se­cur­ity fix with more ur­gency.

The push for CISA has come in large part from the busi­ness com­munity, which has a lot to gain from the li­ab­il­ity pro­tec­tions built in­to the bill.

“The Pro­tect­ing Amer­ica’s Cy­ber Net­works Co­ali­tion strongly be­lieves that CISA is the only game in town on cy­ber­se­cur­ity le­gis­la­tion,” said Mat­thew Eggers, seni­or dir­ect­or of na­tion­al se­cur­ity pro­grams at the U.S. Cham­ber of Com­merce, re­fer­ring to a co­ali­tion of nearly 50 tech as­so­ci­ations. “No cy­ber bill comes close to cap­tur­ing both the sup­port of vir­tu­ally every eco­nom­ic sec­tor and the White House.”

But pri­vacy ad­voc­ates say law­makers’ near-ex­clus­ive fo­cus on in­form­a­tion-shar­ing was pre­ma­ture.

“In the rush to act, Con­gress lost sight of all the oth­er solu­tions,” said Drew Mit­nick, policy coun­sel at Ac­cess, a di­git­al hu­man-rights or­gan­iz­a­tion.

Here are three al­tern­at­ives to in­form­a­tion-shar­ing that ex­perts have floated.

Incentives for vulnerability buybacks

When a se­cur­ity re­search­er or a ma­li­cious hack­er dis­cov­ers a vul­ner­ab­il­ity in a com­pany’s soft­ware or hard­ware—wheth­er it’s a web­site, a sens­it­ive data­base, or crit­ic­al in­fra­struc­ture—he or she must de­cide what to do with the in­form­a­tion. Se­cur­ity re­search­ers will of­ten go straight to the com­pan­ies to no­ti­fy them of the vul­ner­ab­il­ity. Some com­pan­ies are re­cept­ive to hear­ing about their se­cur­ity short­falls; oth­ers are much slower to re­spond.

But a hack­er who is less in­ter­ested in the com­pany’s well-be­ing will likely take a more prof­it­able route, turn­ing to the shadier corners of the In­ter­net to pawn off the vul­ner­ab­il­ity.

One way com­pan­ies can keep bugs and vul­ner­ab­il­it­ies from ap­pear­ing on on­line black and gray mar­kets is by of­fer­ing to buy them from the people who dis­cov­er them. Some com­pan­ies already have buy­back, or “bug bounty,” pro­grams. A num­ber of tech com­pan­ies of­fer up­ward of tens of thou­sands of dol­lars for vul­ner­ab­il­it­ies; United Air­lines re­cently be­came the first air­line to in­tro­duce a buy­back pro­gram, an­noun­cing boun­ties of up to 1 mil­lion fre­quent-fli­er miles for bugs in its web­sites and apps. But it spe­cific­ally ex­cluded from the bounty pro­gram re­search on vul­ner­ab­il­it­ies in crit­ic­al in­fra­struc­ture, like the ac­tu­al air­planes United flies.

Tech ex­perts say the gov­ern­ment could in­centiv­ize buy­back pro­grams by of­fer­ing the private sec­tor grants or tax write-offs for the pur­chases.

“If a com­pany wants to pay to get a vul­ner­ab­il­ity off the black mar­ket or the gray mar­ket, then we’re go­ing to help them do that and en­cour­age them to do that,” said Laper­ruque.

Clarifications of anti-hacking laws

An­oth­er way to en­cour­age the se­cur­ity re­search that makes the private sec­tor safer is by cla­ri­fy­ing and trim­ming down anti-hack­ing laws like the Com­puter Fraud and Ab­use Act, tech act­iv­ists say.

That law is used to pro­sec­ute hack­ers who make their way in­to pro­tec­ted com­puter sys­tems, but pri­vacy ad­voc­ates have long cri­ti­cized the law for be­ing overly broad and dis­cour­aging le­git­im­ate se­cur­ity re­search.

Law­makers have tried in the past to cut the law down to size, with bills like Aaron’s Law—named after a se­cur­ity re­search­er who took his own life after be­ing charged with data theft—which would cla­ri­fy when re­search on vul­ner­ab­il­it­ies in pub­lic and private sys­tems is law­ful.

“Im­prov­ing the law so that se­cur­ity ex­perts can ac­tu­ally con­duct re­search without fear­ing pro­sec­u­tion” would be a boon to cy­ber­se­cur­ity, Mit­nick said.

One pro­posed amend­ment to CISA, put for­ward by Sen. Shel­don White­house, would al­ter the com­puter-hack­ing law, but pri­vacy ad­voc­ates are wor­ried that the change would make se­cur­ity re­search more dif­fi­cult rather than easi­er.

An end to government "stigmatization" of encryption

FBI Dir­ect­or James Comey has re­cently waged a pub­lic-re­la­tions war on tech com­pan­ies’ en­cryp­tion prac­tices, rail­ing against end-to-end en­cryp­tion in speeches and com­mit­tee hear­ings.

Comey ar­gues that strong, nearly in­ac­cess­ible en­cryp­tion is a threat to na­tion­al se­cur­ity be­cause it leaves law en­force­ment blind to the com­mu­nic­a­tions of po­ten­tial ter­ror­ists and crim­in­als. He has asked tech com­pan­ies to build in a way to de­code en­cryp­ted com­mu­nic­a­tion that com­pan­ies could use when asked by law en­force­ment. Ex­perts have warned against built-in vul­ner­ab­il­it­ies, cau­tion­ing that in­trep­id hack­ers will al­ways find ways to ex­ploit them.

Some law­makers have taken up the pro-en­cryp­tion fight. Reps. Will Hurd and Ted Lieu, two com­puter sci­ent­ists on the House Over­sight Com­mit­tee, sent a let­ter to Comey in June, con­demning the FBI’s stance on the so-called “back­doors” that would al­low law en­force­ment to ac­cess en­cryp­ted com­mu­nic­a­tion.

The con­flict over en­cryp­tion has been det­ri­ment­al to private-sec­tor cy­ber­se­cur­ity, Mit­nick says, be­cause it dis­cour­ages more busi­nesses from tak­ing up the prac­tice.

“The gov­ern­ment should stop stig­mat­iz­ing these strong se­cur­ity meas­ures,” Mit­nick said. “I think that would pro­tect the gov­ern­ment, pro­tect con­sumers, and pro­tect busi­nesses.”

(Image via / Shutterstock.com)

NEXT STORY: DOE CISO heads to Commerce