Three Cybersecurity Alternatives if CISA Fails


Lawmakers have focused almost exclusively on information-sharing to boost cybersecurity after a series of high-profile government data breaches.

As senators return from recess to a heaping plate of legislative priorities, a cybersecurity information-sharing bill that stalled earlier this summer is competing for lawmakers’ attention with debates over the president’s nuclear deal with Iran and the looming budget deadline.

The Cybersecurity Information Sharing Act, along with the 22 amendments that will also get a vote when the bill comes up, is the Senate’s main push this session for a bill to address cybersecurity shortcomings in both the government and the private sector. Two similar bills have already passed the House.

Opponents of CISA—tech experts, privacy advocates, and pro-privacy lawmakers—have fought to delay the bill and would rather see it dropped completely. But if CISA does get buried under the Senate’s packed schedule, experts say there are alternatives for lawmakers looking for ways to improve cybersecurity through legislation.

“There are a bunch of other things they could be looking at, some of which are very noncontroversial, don’t involve privacy risks, and could be low-hanging fruit,” said Jake Laperruque, a program fellow at New America’s Open Technology Institute.

After hackers infiltrated computer systems at the White House, the State Department, the Pentagon, and the Office of Personnel Management—all within the last year—Congress began moving toward a cybersecurity fix with more urgency.

The push for CISA has come in large part from the business community, which has a lot to gain from the liability protections built into the bill.

“The Protecting America’s Cyber Networks Coalition strongly believes that CISA is the only game in town on cybersecurity legislation,” said Matthew Eggers, senior director of national security programs at the U.S. Chamber of Commerce, referring to a coalition of nearly 50 tech associations. “No cyber bill comes close to capturing both the support of virtually every economic sector and the White House.”

But privacy advocates say lawmakers’ near-exclusive focus on information-sharing was premature.

“In the rush to act, Congress lost sight of all the other solutions,” said Drew Mitnick, policy counsel at Access, a digital human-rights organization.

Here are three alternatives to information-sharing that experts have floated.

Incentives for vulnerability buybacks

When a security researcher or a malicious hacker discovers a vulnerability in a company’s software or hardware—whether it’s a website, a sensitive database, or critical infrastructure—he or she must decide what to do with the information. Security researchers will often go straight to the companies to notify them of the vulnerability. Some companies are receptive to hearing about their security shortfalls; others are much slower to respond.

But a hacker who is less interested in the company’s well-being will likely take a more profitable route, turning to the shadier corners of the Internet to pawn off the vulnerability.

One way companies can keep bugs and vulnerabilities from appearing on online black and gray markets is by offering to buy them from the people who discover them. Some companies already have buyback, or “bug bounty,” programs. A number of tech companies offer upward of tens of thousands of dollars for vulnerabilities; United Airlines recently became the first airline to introduce a buyback program, announcing bounties of up to 1 million frequent-flier miles for bugs in its websites and apps. But it specifically excluded from the bounty program research on vulnerabilities in critical infrastructure, like the actual airplanes United flies.

Tech experts say the government could incentivize buyback programs by offering the private sector grants or tax write-offs for the purchases.

“If a company wants to pay to get a vulnerability off the black market or the gray market, then we’re going to help them do that and encourage them to do that,” said Laperruque.

Clarifications of anti-hacking laws

Another way to encourage the security research that makes the private sector safer is by clarifying and trimming down anti-hacking laws like the Computer Fraud and Abuse Act, tech activists say.

That law is used to prosecute hackers who make their way into protected computer systems, but privacy advocates have long criticized the law for being overly broad and discouraging legitimate security research.

Lawmakers have tried in the past to cut the law down to size, with bills like Aaron’s Law—named after a security researcher who took his own life after being charged with data theft—which would clarify when research on vulnerabilities in public and private systems is lawful.

“Improving the law so that security experts can actually conduct research without fearing prosecution” would be a boon to cybersecurity, Mitnick said.

One proposed amendment to CISA, put forward by Sen. Sheldon Whitehouse, would alter the computer-hacking law, but privacy advocates are worried that the change would make security research more difficult rather than easier.

An end to government "stigmatization" of encryption

FBI Director James Comey has recently waged a public-relations war on tech companies’ encryption practices, railing against end-to-end encryption in speeches and committee hearings.

Comey argues that strong, nearly inaccessible encryption is a threat to national security because it leaves law enforcement blind to the communications of potential terrorists and criminals. He has asked tech companies to build in a way to decode encrypted communication that companies could use when asked by law enforcement. Experts have warned against built-in vulnerabilities, cautioning that intrepid hackers will always find ways to exploit them.

Some lawmakers have taken up the pro-encryption fight. Reps. Will Hurd and Ted Lieu, two computer scientists on the House Oversight Committee, sent a letter to Comey in June, condemning the FBI’s stance on the so-called “backdoors” that would allow law enforcement to access encrypted communication.

The conflict over encryption has been detrimental to private-sector cybersecurity, Mitnick says, because it discourages more businesses from taking up the practice.

“The government should stop stigmatizing these strong security measures,” Mitnick said. “I think that would protect the government, protect consumers, and protect businesses.”
