Lawmakers are moving forward on the Cybersecurity Act of 2015 amid complaints about privacy.
You get a letter from a company you know. It’s the online ice cream-of-the-month club, and they have bad news: an attacker hacked into their company and stole your personal info, including your Social Security number, credit card number and flavor preferences. What would you give up in order to have the attacker stopped?
The example is tongue-in-cheek, but the argument over a new cybersecurity measure is real: will the Cybersecurity Act of 2015, which lawmakers in the House could pass this week, go too far in its goal to keep hackers out of company computer systems?
The measure would encourage businesses to share information about cybersecurity threats with the government, according to multiple news organizations.
What would companies reveal?
One of the points of contention is that companies could share private information about customers with the Department of Homeland Security, if the measure passes.
The bill asks businesses to remove “extraneous” personally identifiable info from the data when they send it to DHS, and asks DHS to scrub the data again before it gives the data to other agencies, reported ABC News.
But that doesn’t mean your info wouldn’t be in the data.
“…If the cyber threat pertains to a specific threat of the loss of life, economic damage, serious injury or the effort to prosecute or prevent the exploitation of a minor, the personal identifiable information may be passed on,” ABC News reported.
Attack on privacy?
Some supporters of the bill say your privacy is already under attack—by hackers with malicious intent.
“The bill is very protective of privacy while also doing a lot to help companies protect themselves from cyberattack,” said Rep. Adam Schiff, D-Calif., in the ABC News story. “We have to measure this against the daily invasion of our privacy by these hackers.”
But a number of groups have criticized Congress’ efforts to create this measure, including Yelp, Apple, and the American Civil Liberties Union.
“It’s a disingenuous attempt to quietly expand the U.S. government’s surveillance programs,” said Evan Greer of Fight for the Future, an Internet users’ rights group, according to USA Today.
Sen. Ron Wyden, D-Ore., called the measure a “bad bill,” in the USA Today report.
“Americans deserve policies that protect both their security and their liberty. This bill fails on both counts,” Wyden said, as reported by the Associated Press.
Incentives for sharing
The measure would take down one of the barriers that may keep companies from sharing now.
“It gives companies immunity from lawsuits by shareholders and consumers for sharing the information,” reported USA Today.
More incentives
A cybersecurity expert says another part of the act could encourage companies to share their information very early in the process of dealing with a data breach or hack.
“There is a lot less burden on a company under the new measure if they report information before they fully understand it,” said Bob Beachy of Archer Security Group.
Your info could get caught up in the rush to report, he said.
“In the initial stages of understanding a cyber attack or a potential cyber attack, almost anything could be pertinent to the attack, including personal information,” Beachy said.
“This could incentivize companies to release a flood of unvetted information, that may or may not have anything to do with anything, to the government,” he added. “DHS then becomes the custodian of a mountain of sensitive data with little to no context provided.”
New targets
The bill reveals new targets of concern, said Patrick Coyle with Chemical Facility Security News.
It applies not only to information systems, but industrial control systems, he said.
“Industrial control systems are the computer systems that control modern manufacturing processes, from electric power, to chemical plants, to drinking water production systems,” said Coyle.
“It is becoming increasingly clear that people (foreign governments and maybe terrorist organizations) are beginning to target these control systems for electronic attack as a method to potentially weaken our economy,” he explained.
Coyle said previous versions of the information sharing bills only applied to information technology, not industrial control systems.
“…It was thought that data bases and payment systems were the only targets that crooks were looking at (to steal money),” he said. “The realization that others were now targeting control systems means that security measures must also protect these systems.”
Up for the vote
The House is scheduled to vote on this measure, part of a spending bill, on Friday, December 19.
“Very few things that are new are perfect to begin with, so it will be interesting to see how this initiative evolves over the coming months and years,” said Beachy.