Three Cybersecurity Alternatives if CISA Fails

Lawmakers have focused almost exclusively on information-sharing to boost cybersecurity after a series of high-profile government data breaches.

As senators return from recess to a heaping plate of legislative priorities, a cybersecurity information-sharing bill that stalled earlier this summer is competing for lawmakers’ attention with debates over the president’s nuclear deal with Iran and the looming budget deadline.

The Cybersecurity Information Sharing Act, along with the 22 amendments that will also get a vote when the bill comes up, is the Senate’s main push this session for a bill to address cybersecurity shortcomings in both the government and the private sector. Two similar bills have already passed the House.

Opponents of CISA—tech experts, privacy advocates, and pro-privacy lawmakers—have fought to delay the bill and would rather see it dropped completely. But if CISA does get buried under the Senate’s packed schedule, experts say there are alternatives for lawmakers looking for ways to improve cybersecurity through legislation.

“There are a bunch of other things they could be looking at, some of which are very noncontroversial, don’t involve privacy risks, and could be low-hanging fruit,” said Jake Laperruque, a program fellow at New America’s Open Technology Institute.

After hackers infiltrated computer systems at the White House, the State Department, the Pentagon, and the Office of Personnel Management—all within the last year—Congress began moving toward a cybersecurity fix with more urgency.

The push for CISA has come in large part from the business community, which has a lot to gain from the liability protections built into the bill.

“The Protecting America’s Cyber Networks Coalition strongly believes that CISA is the only game in town on cybersecurity legislation,” said Matthew Eggers, senior director of national security programs at the U.S. Chamber of Commerce, referring to a coalition of nearly 50 tech associations. “No cyber bill comes close to capturing both the support of virtually every economic sector and the White House.”

But privacy advocates say lawmakers’ near-exclusive focus on information-sharing was premature.

“In the rush to act, Congress lost sight of all the other solutions,” said Drew Mitnick, policy counsel at Access, a digital human-rights organization.

Here are three alternatives to information-sharing that experts have floated.

Incentives for vulnerability buybacks

When a security researcher or a malicious hacker discovers a vulnerability in a company’s software or hardware—whether it’s a website, a sensitive database, or critical infrastructure—he or she must decide what to do with the information. Security researchers will often go straight to the companies to notify them of the vulnerability. Some companies are receptive to hearing about their security shortfalls; others are much slower to respond.

But a hacker who is less interested in the company’s well-being will likely take a more profitable route, turning to the shadier corners of the Internet to pawn off the vulnerability.

One way companies can keep bugs and vulnerabilities from appearing on online black and gray markets is by offering to buy them from the people who discover them. Some companies already have buyback, or “bug bounty,” programs. A number of tech companies offer upward of tens of thousands of dollars for vulnerabilities; United Airlines recently became the first airline to introduce a buyback program, announcing bounties of up to 1 million frequent-flier miles for bugs in its websites and apps. But it specifically excluded from the bounty program research on vulnerabilities in critical infrastructure, like the actual airplanes United flies.

Tech experts say the government could incentivize buyback programs by offering the private sector grants or tax write-offs for the purchases.

“If a company wants to pay to get a vulnerability off the black market or the gray market, then we’re going to help them do that and encourage them to do that,” said Laperruque.

Clarifications of anti-hacking laws

Another way to encourage the security research that makes the private sector safer is by clarifying and trimming down anti-hacking laws like the Computer Fraud and Abuse Act, tech activists say.

That law is used to prosecute hackers who make their way into protected computer systems, but privacy advocates have long criticized the law for being overly broad and discouraging legitimate security research.

Lawmakers have tried in the past to cut the law down to size, with bills like Aaron’s Law—named after a security researcher who took his own life after being charged with data theft—which would clarify when research on vulnerabilities in public and private systems is lawful.

“Improving the law so that security experts can actually conduct research without fearing prosecution” would be a boon to cybersecurity, Mitnick said.

One proposed amendment to CISA, put forward by Sen. Sheldon Whitehouse, would alter the computer-hacking law, but privacy advocates are worried that the change would make security research more difficult rather than easier.

An end to government "stigmatization" of encryption

FBI Director James Comey has recently waged a public-relations war on tech companies’ encryption practices, railing against end-to-end encryption in speeches and committee hearings.

Comey argues that strong, nearly inaccessible encryption is a threat to national security because it leaves law enforcement blind to the communications of potential terrorists and criminals. He has asked tech companies to build in a way to decode encrypted communication that companies could use when asked by law enforcement. Experts have warned against built-in vulnerabilities, cautioning that intrepid hackers will always find ways to exploit them.

Some lawmakers have taken up the pro-encryption fight. Reps. Will Hurd and Ted Lieu, two computer scientists on the House Oversight Committee, sent a letter to Comey in June, condemning the FBI’s stance on the so-called “backdoors” that would allow law enforcement to access encrypted communication.

The conflict over encryption has been detrimental to private-sector cybersecurity, Mitnick says, because it discourages more businesses from taking up the practice.

“The government should stop stigmatizing these strong security measures,” Mitnick said. “I think that would protect the government, protect consumers, and protect businesses.”
