Is Cybersecurity Legislation Finally Possible?
Last week, the US House of Representatives Intelligence Committee voted unanimously in favor of a long-anticipated cyber threat data-sharing bill, the Protecting Cyber Networks Act (PCNA).
The bill—which draws largely upon the Cybersecurity Information Sharing Act (CISA) that the Senate Intelligence Committee passed two weeks ago—would grant legal liability protections for companies sharing cyber threat data with the government through a civilian portal. This official portal, most likely to be managed and overseen by the Department of Homeland Security (DHS), would help mitigate the risks from cyber attacks and help both government and IT security firms take preemptive measures against those potential attacks and their perpetrators. Information passed on to the government would have to be “scrubbed” twice to filter out sensitive, proprietary, and personal information.
Lawmakers have tried for nearly a decade to pass comprehensive cybersecurity legislation, but previous proposals—such as the Cyber Intelligence and Sharing Protection Act of 2012—have drawn widespread and determined opposition from Internet activists, civil libertarians, and privacy advocates, and the bills were ultimately scrapped.
So what made the difference this time around?
Across industry and government, there is now general agreement that greater data-sharing is fundamental to strengthening the nation’s cyber defenses and to detecting, minimizing, and possibly even preventing debilitating hacks like the one at Sony Pictures. Without a full picture of the cyber threat, we can’t stop it, they say. Businesses, alarmed by the proliferation of hacking instances on payment and online networks, have been hard at work to initiate solutions to strengthen security measures, and this bill would allow them to exchange important information without fearing potential lawsuits when passing data over to state and federal investigators. Lawmakers in both parties seem more eager than ever to move forward with this bill, as shown by the speed at which it was approved: the Intelligence panel advanced the measure in a closed session merely two days after introducing it.
Critics of both CISA and PCNA, however, worry about the access the government could gain to private data and have called both pieces of legislation a “surveillance bill by another name.” Major sticking points have been whether the private sector should be able to share data with intelligence agencies including the National Security Agency (NSA), and how law enforcement officials can use that data.
The Senate Intelligence panel has injected language in the bills to address these issues. For example, CISA will only allow non-electronic data sharing with the NSA and it specifies exactly when that data can be used. Other Senators, such as Sen. Tom Carper (D-Del.) and Sen. Patrick Leahy (D-Vt.), have submitted additional privacy-enhancing suggestions.
Despite civil libertarians’ and privacy advocates’ fear that this legislation could bolster the government’s surveillance capabilities, the Intelligence panel’s leaders are confident they will get the support needed to pass their cyber bill. Both bills should come forward before the full House and Senate by next month.
So far, the biggest winners have been cybersecurity firms, such as CyberArk Software Ltd, VASCO Data Security International, Qualys Inc, Proofpoint Inc, and Palo Alto Networks Inc, which saw their stocks skyrocket as soon as the news of the Senate approving the bill surfaced last week, and their revenues may continue to grow as spending on next-generation security solutions by governments and corporations accelerates.