Here is part 3 of our review of the cybersecurity issues the US government faced in 2015.
Cybersecurity Legislation Created
On April 1st, 2015, the President of the United States, Barack Obama, signed a new order that allowed for tougher sanctions against malicious actions by hackers overseas and against any company that would knowingly benefit from these actions. These sanctions would apply to those who engage in malicious acts that aim to harm critical infrastructure, damage computer systems or steal trade secrets and sensitive information. Acts subject to these sanctions are ones deemed harmful to national security or the economic health of the U.S. Under these sanctions, those committing the acts would have their U.S. funds seized and would be banned from the American financial system.
Later in April, on April 22nd to be exact, the House voted to pass a cybersecurity information sharing bill called the Protecting Cyber Network Act. The bill would grant legal protections to companies that share information with the government about their networks and the hacker threats they face. The White House supported the bill but still called for some changes to be made. It wanted to see more limits on the collection and sharing of unnecessary consumer data, and felt that giving companies too much legal protection for failing to protect consumer privacy from the start, or for failing to act on hacker threat data, might weaken cybersecurity altogether.
The Protecting Cyber Network Act was very similar to a bill passed by the Senate Intelligence Committee a month earlier, in March, called the Cybersecurity Information Sharing Act. The Cybersecurity Information Sharing Act creates a voluntary framework for private sector companies to share network data with the government by offering companies additional legal liability protection if they participate. A key factor in the CISA is that it grants liability protection to companies that share information related to the defensive measures used to fend off hacker attacks.
Before the bill was presented to the Senate, twenty-two amendments were introduced by a group of Senators (ten Republicans, eleven Democrats and one of the bill’s sponsors) regarding the incentives businesses would receive for participating, along with the type and amount of information that would be shared with the government. The amendments covered operations, privacy, liability, structure, oversight, punishments, clearance, international cyber policy and funding. It was agreed that these amendments would be considered alongside the bill when it was put to a vote on the Senate floor.
On October 27th 2016 the bill cleared what was considered a major hurdle and was passed by the Senate, by an overwhelming margin of 74-21. With the Senate vote done, the House and the Senate must now work together to combine the bill passed in each chamber into one final version, which will again be voted on by both the Senate and the House before it goes to the President to be signed into law. As for the amendments, roughly ten were rolled into the bill and passed with it in the Senate, providing a limited increase in privacy protection. The remaining twelve amendments were voted on separately. The privacy-focused amendments were all voted down, along with an amendment that would have extended liability protections to companies that chose to share information directly with the FBI and the Secret Service. The amendment proposed by the bill’s manager was passed.
The passing of the bill had many people and groups excited for the future of cybersecurity. Besides having the backing of the President and the White House, it was backed by business, financial and retail associations. One such supporter was IBM, whose representative said this was a big win for both security and privacy, as sharing technical details on the latest digital threats is critical to strengthening America’s cyber defense. Supporters also believed that the amendments that passed strengthened the bill and implemented important modifications to better protect privacy. For years many companies felt they had no help or protection if their systems were breached, as if they were on an island; the passing of this bill would give them protection and help in securing their networks against future attacks by learning from other companies’ experiences.
The passing of the bill also had many who were opposed to it and who felt there was a better way to protect the privacy of a company and its customers’ information. Many civil-rights and privacy groups and technology firms opposed the bill, feeling it did more to harm people’s information than to protect it. Before the bill was signed, a group of technologists, academics and computer and network security professionals wrote a letter to the Senators who were strongly endorsing it. In the letter they stated their reasons why the bill was unnecessary and would do more harm than good. They pointed out that they already share information with other organizations as well as the government while staying compliant with their obligations under federal privacy law. They also stated that the way information would be shared with the government under the bill puts the personal information in a report in more danger, as it would not be wiped from the report. Some within the Department of Homeland Security were against the bill as well, since it would make DHS the central location to which all reports would go before DHS passed the information on to other departments. The Department of Homeland Security’s fear was that if the department were ever breached, all of that information would be located in just one central place.
Even the definition of a major cyber incident was redefined because of all these incidents and all the new policies being put in place this year and next. Under the new criteria, a major cyber incident involves classified or controlled unclassified information, affects at least ten thousand users, and is either not recoverable or recoverable only on an unpredictable timetable that would require additional resources. It causes an agency to lose the ability to provide a critical service to at least some users, and it involves the exfiltration, modification, deletion or any other type of unauthorized access to information or systems. The definition also says that the agency reporting the incident can consult with the Department of Homeland Security about whether the incident is considered major, but in the end the agency has the final say on whether it is a major cyber incident. Once the DHS is notified, the Office of Management and Budget must be notified within an hour, and lawmakers must be notified within seven days. The agency must also continue to provide updates to lawmakers as new information comes to light. Lastly, the agency must notify the individuals affected by the breach as expeditiously as practicable, without unreasonable delay.
Our Thoughts on part 3
The legislation passed had many factors that promote better cybersecurity. Compiling data from breached organizations, showing where they were vulnerable, what measures could have prevented the breach and, importantly, what steps they are taking to resolve the issue, is valuable to have and to be able to distribute to other organizations. This gives organizations a chance to learn from these breaches. It would also encourage an organization to reexamine what it has in place and what vulnerabilities it may not have known about, and give it a chance to tighten up its systems and network. Also, providing incentives to participate discourages organizations from sitting on and withholding the fact that they have been breached while they try to resolve the problem themselves, when they may not have the resources to handle the situation on their own.
These pieces of legislation are not without their faults. Divulging as much information as the government is asking for oversteps a person’s freedom and right to privacy, especially if that information could be used in pursuing the person for an unrelated crime. Also, much of that information seems unrelated to the incident, and sharing it only exposes the person’s information further. Lastly, housing all the information in one place seems counterintuitive to the purpose of the legislation, as this would only create a larger target on the DHS, where all the breach reports would be housed.
Overall, these pieces of legislation created by the House and Senate in the hope of strengthening cybersecurity are a step in the right direction. They promote better cooperation among organizations in reporting their breaches. They are not perfect, given the amount of personal information that is shared. There is room for improvement and there are areas that need to be addressed, but this is a good starting point in addressing an issue that is only getting larger as technology becomes more paramount in daily life and the way things are done.