Like much of the legislation coming out of Washington these days, the Cybersecurity Act of 2015 doesn’t get much respect.
The fledgling, four-month-old act calls on businesses, government agencies and other organizations to share information about cybersecurity threats with each other in order to identify and protect themselves against attacks. In a nutshell, the criticism is that this isn’t good enough—sharing information about new types of malware, suspicious network activity and other indicators of cyber attacks won’t thwart much cybercrime. Making the matter worse, naysayers claim the law provides insufficient consumer identity protection.
While the act is far from perfect, we have to start somewhere, and it does raise the bar. Concerns over privacy are legitimate. But so are the real threats to consumers. There is no doubt that we need more teeth to protect personally identifiable information and consumer data. Regardless, the law is a step in the right direction to begin improving U.S. cyber defenses. Global cybercrime costs companies roughly $400 billion a year, notwithstanding record spending on cyber defense. Doing something, even if it’s mostly just collaboration, is essential.
Here are three additional reasons why the law makes sense:
• While collaboration won’t stop major attacks (i.e., those that make the news), it will help stop many lower-caliber attacks perpetrated with off-the-shelf malware purchased on the black market. In fact, most attacks are of this kind. Under the new law, companies and governments will share data about the ‘signatures’ of cybersecurity thieves. These are digital trails that show where the attackers come from and what their code looks like, and unearthing them is a big help in catching cyber crooks.
• Some legalities still must be addressed, but it looks likely that the act will allow corporations and other entities to monitor their own networks to catch the theft of trade secrets and other information. Before passage of The Cybersecurity Act, corporations generally needed employee consent to monitor them. It is expected that this requirement will be rescinded.
• The Cybersecurity Act includes nine pages of healthcare-related cybersecurity measures, including the formation of a task force staffed by experts from HHS, Homeland Security and the National Institute of Standards and Technology. The task force, recently formed, will analyze cybersecurity actions and safeguards in place in other industries. This is important because hospitals are now being attacked with regularity. Late last month, MedStar Health, a Washington D.C.-area hospital chain, was hit by an attack that forced it to use paper systems and prevented patients from booking appointments. Only weeks before, hackers demanded $17,000 in ransom from the parent company of three Southern California hospitals hit by a debilitating network virus.
The Cybersecurity Act is the first major piece of federal cybersecurity legislation and was a compromise patched together from competing cybersecurity data sharing bills that passed the House and Senate earlier last year. It has never attracted much attention because it was embedded in a $1.1 trillion omnibus spending bill to fund the government through the fall.
It is nonetheless important. As a venture capitalist, I would like to see this legislation become the first step toward a broader and more sophisticated cybersecurity sharing network. I want the startups to push the cybersecurity envelope and to correctly anticipate the future course of attacks as much as possible. An improved sharing network would help achieve that goal because a better job could be done protecting against many standard attacks, allowing young cybersecurity companies to focus more heavily on chronically evolving state-of-the-art attacks.
Homeland Security orchestrates the sharing program and can share the information with other government agencies and companies. A number of technology companies, including Apple and Twitter, have said they will not participate because they don’t think there is sufficient identity protection. (The provisions of the law are voluntary.)
There is always a balancing act between security and privacy and we need to address both. At the same time, waiting for the perfect solution exposes those same identities that we want to protect. That’s why IBM, for example, supports collaborative cybersecurity information sharing. Other technology companies, I suspect, are taking the opposite stand primarily for branding purposes. Nonetheless, this is not a major issue.
A far more legitimate complaint among skeptics is the concern about the efficacy of cybersecurity information sharing. The legislation is somewhat behind the times. It is true that sharing information about cyber-attacks won’t stop advanced attacks. For those, what is really needed is the implementation of encryption, the patching of outdated software and the strengthening of other cyber defenses.
Even the sponsors of the legislation admit that the new law would not have helped against the highly destructive, allegedly North Korean-orchestrated attack against Sony Pictures Entertainment in 2014. That attack, like many today, was not based on previously known computer viruses or other malicious tools that companies and the government could warn each other about.
Similarly, this law would not have fended off the theft of millions of personnel records from the U.S. Office of Personnel Management. In that case, the government failed to install sufficient cybersecurity protection in the first place. Poor computer hygiene, in fact, is rampant.
As I mentioned, however, most attacks are not of this caliber. Many far simpler attacks employing off-the-shelf malware, which by some estimates account for 90 percent of attacks, can be contained through collaboration and serious follow-up.
Under the new law, businesses are encouraged to share more information about cyberattacks because the threat of private lawsuits, such as suits over violations of electronic privacy protections, is minimized for participating companies. Consumer identity protection is also built into the law. Companies are generally required to strip personal information about customers out of the shared data so that the government cannot amass records on the behavior of individuals. In addition, the government is required to ensure that all personal information, such as customer records, has been scrubbed.
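The two-sided requirement just described, the sharing company stripping customer data before submission and the receiving side verifying that nothing personal remains, is easy to get wrong if it is done by hand. The Python below is an added illustration written for this page; it is not code from the article or from any government sharing program. It assumes a hypothetical indicator record with the field names shown, keeps the attacker-side indicators (hash, command-and-control domain, source address) that the article says are worth sharing, drops the customer fields, redacts e-mail addresses buried in free text, and then runs the receiving-side check.

```python
import re
from copy import deepcopy

# Field names in a constructed, hypothetical indicator record that identify
# the reporting company's customers or employees rather than the attacker.
# The names are assumptions for this example, not a real sharing schema.
PII_FIELDS = {"customer_name", "customer_email", "account_id", "victim_user"}

# Simple e-mail matcher used to redact addresses left inside free text.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def scrub_indicator(record):
    """Return a copy of an indicator record with personal data removed.

    Attacker-side indicators (hashes, C2 domains, source IPs) are kept.
    Customer/employee identifier fields are deleted, e-mail addresses in the
    free-text description are replaced with a marker, and the names of the
    removed fields are recorded so the sender can audit what was stripped.
    """
    out = deepcopy(record)
    removed = []
    for field in list(out):
        if field in PII_FIELDS:
            del out[field]
            removed.append(field)
    if "description" in out:
        out["description"] = EMAIL_RE.sub("[redacted-email]", out["description"])
    out["scrubbed_fields"] = sorted(removed)
    return out


def ready_to_share(record):
    """Receiving-side check: reject a record that still carries a PII field
    or an e-mail address anywhere in its string values."""
    if any(field in record for field in PII_FIELDS):
        return False
    for value in record.values():
        if isinstance(value, str) and EMAIL_RE.search(value):
            return False
    return True


# Constructed sample record; every value here is made up for the example.
SAMPLE = {
    "indicator_type": "malware-sighting",
    "sha256": "<sha256-placeholder>",
    "c2_domain": "c2.example.invalid",
    "source_ip": "198.51.100.23",
    "customer_email": "jane.doe@example.com",
    "customer_name": "Jane Doe",
    "description": "Phishing mail received by jane.doe@example.com dropped the sample.",
}

if __name__ == "__main__":
    clean = scrub_indicator(SAMPLE)
    print(clean)
    print("raw record ready to share:", ready_to_share(SAMPLE))
    print("scrubbed record ready to share:", ready_to_share(clean))
```

The point of keeping both functions separate is that the sender's scrub and the receiver's verification are independent controls: a record that skips the first step is still caught by the second, which mirrors the law's division of responsibility between the company and the government.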
The upshot? Despite the patchwork of compromise required to pass the new law and other foibles, Washington has managed to make some progress in the global cybersecurity war – and, yes, it is a war. A marker has been established in Washington to step up the U.S. counter-attack against cyber intruders. This is good news on the cybersecurity front for a change.