Channel: Security Boulevard

Navigating a Sea of Cyber Security Legislation


For once, Republicans, Democrats, Independents and the people of the United States all agree on something: We need better protection from cyber attack. We’ve all seen quotes and statistics declaring that cyber attacks will soon be the number one threat to American national security, surpassing physical terrorist attacks. And just last week, a new survey stated that 74 percent of Americans cited protecting government and other critical systems from hackers and cyber attacks as very important for presidential candidates.

Clearly, we all agree something needs to be done to protect America’s systems and intellectual property from cyber criminals. It’s the what-to-do that’s under dispute. There are currently no fewer than three bills under discussion in Congress aimed at better cyber security. The differences include: what should be done to improve cyber security; who will pay for it (and how much); and what happens to an individual’s privacy in the quest for heightened security? Here’s a quick breakdown:

Cyber Intelligence Sharing and Protection Act (CISPA)

What: The goal of the Cyber Intelligence Sharing and Protection Act is to enable information sharing between government and private industry without fear of legal reprisal.

Pros: A topic that my colleague Paul Henry discusses frequently is the fact that the bad guys talk to each other and the good guys don’t. This fact propels the bad guys forward and greatly hampers our ability to safeguard against their attacks. CISPA is an effort to fix this problem.

Cons: The wording of CISPA doesn’t allow for adequate safeguards for privacy. The information being shared between public and private entities is not stripped of identifying information and is shared with the Department of Homeland Security. The bill would trump all existing federal and state civil and criminal laws. This includes wiretap laws, company privacy policies, gun laws, record laws, census data laws, medical record rules, and a lot of other regulations that were put in place to keep private information private.

Status: Introduced to the House of Representatives in late 2011 by Michael Rogers (R-MI), the bill has passed the House and is moving on to the Senate. However, President Obama has promised to veto it if it is passed without more privacy protections put in place. It’s supported by several industry trade groups, as well as a number of tech heavyweights such as Facebook, Intel, Symantec and Verizon, among others.

Cyber Security Act of 2012 (CSA)

What: Though there are information-sharing elements to this bill as well, the main focus is protecting the critical infrastructure – i.e. electrical grids, air traffic control systems, utilities, etc. – from cyber attack.

Pros: The Cyber Security Act of 2012 bill has better protections in place for consumers, requiring companies to make a reasonable effort to strip personally identifiable information from the data they share with the government. It also requires a certain minimum security standard for privately owned critical infrastructure.

Cons: Unlike CISPA, the information shared under CSA can be used in any other criminal investigation, raising Fourth Amendment issues, according to critics. There’s also the question of who will pay for the newly required compliance: the government or business. Many of the businesses affected by these new rules will be unable to afford the new security measures required. And of course, as my Optimal Security comrades and I have said many times before, compliance does not equal security. The minimum requirements here may not be enough to be effective.

Status: Introduced by Senators Joe Lieberman (I-CT) and Susan Collins (R-ME), the bill is supported by President Obama. It is currently being debated in the Senate.

SECURE IT Act

What: Like the other two bills, SECURE IT removes certain barriers to information sharing. Unlike the others, however, it does not establish a regulatory system to oversee threats or enforce security standards. Instead, it provides a number of incentives to companies that choose to share information with the government. It also introduces penalties for a wide variety of cyber crimes.

Pros: With no required minimum security standards, this bill would likely be easier for businesses to comply with. It also levies criminal penalties against those who commit cyber crimes, making it easier to prosecute cyber criminals. It also does not create additional bureaucracy or regulatory mandates, making it cheaper for the government to implement.

Cons: This bill raises privacy issues similar to the other two, and it does not prevent information shared under the bill’s protection from being used in non-cyber security criminal investigations. Like CSA, it trumps existing privacy laws. It also trumps existing privacy tort laws, causing privacy advocates to protest the bill. Though the other two bills put cyber security in the hands of the Department of Homeland Security, nominally a civilian agency, SECURE IT requires information to be shared with the National Security Agency, eliminating the choice to share the information with a civilian, rather than a military, agency.

Status: Introduced to the Senate by Senator John McCain (R-AZ) and to the House by Representative Mary Bono (R-CA), the bill is currently being debated on both sides of Congress.

I hope this has helped you sort out all the cyber confusion. Leave any questions in the comments!


