In the name of fighting hackers, Congress is about to make it harder for the government to punish companies that refuse to take adequate steps to fight hackers.
For years, Congress has been pursuing bills that make it easier for corporations to share information about hacks back and forth with the government. The idea is that if every entity knows what kind of software code hackers are using, they'll be able to keep an eye out for it. During the years when Congress has been pursuing such a bill, mind you, similar information sharing in the private sector proved inadequate to prevent most attacks. Government and some private sector industries started sharing information without such a bill. And it became clear -- when China snuck into government databases and stole the security clearance information from 21 million government employees and contractors -- that the government is still unable to keep even its most sensitive data secret.
In short, during the years Congress has been trying to pass the bill, it has become increasingly clear how pointless it would be to protect against hacks this way and how much more urgent other efforts to combat hackers are.
Nevertheless, the Chamber of Commerce has been demanding an information sharing law. And what the Chamber of Commerce wants, Congress usually obligingly delivers. So in the next few weeks, the Senate is poised to pass the Cyber Information Sharing Act, with some counterpart bills already passed in the House.
The thing is, we not only don't need this bill, it will probably take away key tools the government has finally begun to use to force corporations to fix weak cybersecurity.
Back in July, Wired magazine published an alarming story about researchers who managed to take over a Jeep Cherokee by remotely hacking its entertainment system. At first, Chrysler tried to address the issue by releasing a Technical Service Bulletin -- basically just recommendations for customers on how they could fix it. But the National Highway Traffic Safety Administration, which regulates automotive safety, forced the company to recall the 1.4 million cars affected by the vulnerability. The move was regarded as a sign that NHTSA would treat cybersecurity vulnerabilities with the increased vigilance it has recently given to mechanical defects.
Then, in August, an appeals court in Philadelphia ruled that the Federal Trade Commission can sue companies -- in this case, Wyndham Hotels -- that expose their customers' data to hackers over and over. That creates a tool that the government can use to force companies to improve their security when repeated hacks don't otherwise convince them, or at the very least, require companies to tell the truth about how reckless they are with customer data.
In both these cases, government regulators stepped in when corporations were blowing off real security problems that might threaten their customers' identity, bank accounts, or even lives.
The problem is, Congress is about to undercut these important new regulatory tools.
That's because one of the things Congress is doing to convince companies that are otherwise reluctant to share their cybersecurity data with the government is regulatory immunity. CISA prohibits the government from using data that corporations share willingly to initiate an enforcement action regarding the lawful activities of that company. So all Chrysler would need to do to avoid a NHTSA-forced recall, and all Wyndham would have to do to avoid a FTC lawsuit, would be to share the information showing how negligent they were in protecting their customers' security. Having sloppy code or insecure networks, after all, is perfectly legal, even if recent events make it clear it can -- and should -- be subject to regulatory action.
When asked about this part of the bill at the Computers, Freedom, and Privacy conference on Wednesday, a key author of the bill, Senate Intelligence Committee staffer Josh Alexander, pointed to another part of the bill that permits such language to be used for criminal prosecution. But, again, there's no reason to believe Chrysler or Wyndham broke the law when they recklessly exposed their customers to being hacked.
For two and a half years, government officials have claimed that cyberattacks are the biggest national security threat to this country and people throughout government and private industry are taking a range of actions to combat the threat. In other areas -- such as when Apple made encryption on its iPhones the default setting -- both Congress and the government have happily harangued private companies about doing their part to protect the country.
But Congress not only isn't doing that for cybersecurity -- these information sharing bills make no requirements that companies practice minimum standards of security -- it is doing precisely the opposite, taking away tools the government has started to use to force companies to protect their customers if they won't do it by themselves.
No wonder the Chamber of Commerce wants this bill.
Shares