What Congress' Cybersecurity Bills Mean for You
The U.S. Capitol in Washington, D.C.
CREDIT: Diliff/Creative Commons
President Barack Obama is currently pushing for cybersecurity legislation and has made it one of his priorities for 2012.
In a July 19 opinion piece published in The Wall Street Journal, the president wrote, "It doesn't take much to imagine the consequences of a successful cyber attack. In a future conflict, an adversary unable to match our military supremacy on the battlefield might seek to exploit our computer vulnerabilities here at home.
"This is the future we have to avoid," he wrote. "That's why my administration has made cybersecurity a priority, including proposing legislation to strengthen our nation's digital defenses. It's why Congress must pass comprehensive cybersecurity legislation."
Congress hasn't ignored the call. Members of both the House and Senate have introduced a number of bills in recent months, most of which are being hashed out in committees.
As of this writing in late July, one piece of legislation, the Cybersecurity Act of 2012, is expected to be brought up for debate on the Senate floor in a matter of days.
According to Dan Stickel, CEO of Metaforic, a software-security company in San Jose, Calif., there are two primary categories into which the approximately 30 bills that have been introduced fall: data-breach tracking and infrastructure hardening.
"Mostly, the government is trying to provide a clearinghouse of information so people can track what's going on, how people are getting attacked, etc., and try to shore up the defenses," Stickel said. "These breaches are a real problem, and costly, but we're living with them."
Infrastructure hardening is part of an effort to protect the country's critical infrastructure, such as power plants and water supplies, from an attack by a foreign power, a terrorist organization or even organized crime.
Such attacks are rare — many experts argue they've never even taken place — but the weaknesses in critical-infrastructure data security make possible an attack that could cripple large regions of the nation.
Out of all of the bills that have been introduced, only three are thought to have much of a chance of reaching the debate stage. Stickel provided a description of each one:
— The Cyber Intelligence Sharing and Protection Act (CISPA) passed the House in April. It has provisions for sharing information, but doesn't contain any federal cybersecurity standards, so it's really aimed at data-breach tracking.
The bill doesn't require telecommunications companies such as AT&T, or even Facebook or Google, to share more information than they already have to. Privacy advocates are nonetheless worried that it will let the government pressure those companies into disclosing all private, personal communications.
CISPA is opposed by many Democrats, including President Obama, who vowed to veto an early form of the bill.
— The Cybersecurity Act (CSA) of 2012: Sen. Joseph Lieberman (I-Conn.) and three other senators introduced this bill in February, and they're making a push to get it passed this month.
Unlike CISPA, this one requires the Department of Homeland Security to set cybersecurity requirements for critical-infrastructure facilities such as power grids and water-treatment plants. It's broadly similar to a bill Obama proposed last year.
Criticisms of the bill include doubts that a slow-moving bureaucracy can possibly keep up with such a rapidly changing field, and fear that it will mostly create onerous, costly regulations that don't accomplish much.
The CSA has been greatly watered down since its initial introduction. An Internet "kill switch" for the president was taken out, and an overhauled version of the bill that Lieberman introduced last week removed all mandatory security upgrades for privately owned facilities, rendering it toothless in the eyes of some security experts.
— The Strengthening and Enhancing Cybersecurity by Using Research, Education, Information and Technology (SECURE IT) Act: Sen. John McCain (R-Ariz.) and others have introduced a measure that encourages voluntary sharing of cyberthreat information between businesses and government, without setting requirements.
Lieberman's revision of the CSA is an attempt to reconcile his bill with McCain's.
As with CISPA, privacy advocates are concerned that the SECURE IT Act would give the government access to all sorts of personal, private information. Critics say it wouldn't really accomplish much, although it would probably helpful to law enforcement.
Reading the descriptions of these bills, it certainly looks like Congress at least recognizes where cybersecurity is needed, but most of the legislation seems focused on protecting businesses.
What exactly do these bills mean for the average computer user?
"Both CISPA and SECURE IT are bills that would allow the government unprecedented powers to monitor Americans' online behaviors," explained Dave Aitel, CEO of Immunity Inc. in Miami Beach, Fla., and a former computer scientist for the National Security Agency. "These would have a direct, and so far incalculable, impact on people's daily lives."
"CSA on the other hand, is a smarter solution that aims to protect the most important elements of the country — critical infrastructure," Aitel said. "The bill appears to protect civil liberties and isn't too tough on private industry.
"However, the costs of power plants and other facilities will likely go up — which means consumers could end up paying more on their electric bills, water bills, etc."
The chances that any of these bills have of passing is another matter altogether. Not surprisingly, there is partisan opposition to each, which Obama tried to tackle head-on by publishing his op-ed piece in the Republican-friendly Wall Street Journal.
Whether or not the deeply divided Congress will be able to find agreement remains to be seen.
"Whether or not these bills pass, more bills just like them are sure to be proposed again and again until they pass," said Aitel. "The private sector and military have too much at stake for cybersecurity enhancements to go unpassed."