Archive for the ‘Cybersecurity’ Category

How to Continue Improving CISPA in the Senate

posted by in Cybersecurity May 30, 2013

With last month’s House passage of the Cyber Intelligence Sharing and Protection Act (CISPA), the cybersecurity debate has now moved to the Senate, albeit quietly, as attention in the upper chamber has been intently focused on immigration. This lull in activity presents an opportunity for Senators to take stock of improvements that were made to the bill as it advanced through the House and begin forging agreement on what still needs to be done before the legislative process is over.

They begin in a good place, because there is widespread agreement on the fundamental proposition that sharing cyber threat information would bolster the country’s security posture. As passed in the House, CISPA would greatly improve the situational awareness of front-line IT professionals and law enforcement authorities by breaking down legal barriers that currently discourage information sharing between and among the public and private sectors.

Moreover, as the bill moved through the committee process and floor debate in the House, it benefited from a number of important refinements to protect citizens’ privacy and civil liberties. For example, it stipulates that government can only use the information it gets from the private sector for cybersecurity purposes and the definition of what constitutes a cybersecurity purpose has been narrowed. As passed in the House, the bill also makes civilian agencies of government (the departments of Homeland Security and Justice) the main hubs for the private sector to report potential cyber threats. Those civilian agencies have oversight authority for privacy concerns, too. And finally, the bill makes clear that it does not authorize the government to engage in surveillance of US citizens.

But additional improvements are still needed before BSA and many other stakeholders can support final passage of legislation on information sharing — and before President Obama would agree to sign it.

For BSA, there are three main priorities:

  • First, sharing cyber threat information with the government should remain voluntary. CISPA came out of the House without any mandates, and it is very important that it remain that way. There are a number of good reasons for this, not least of which is that it will improve the quality of information being shared, because companies will be free to separate wheat from chaff. Furthermore, mandates mean regulation, whereas a voluntary system with less regulation will also promote speed and adaptation, a sine qua non for effectively detecting and deterring fast-moving threats.
  • Second, it should be made clear that companies will only receive liability protection if a civilian agency is their first point of contact when they share cyber threat information with the government. This is critically important because civilian agencies are best equipped to address privacy and civil liberties issues. This is not to say that companies should be forbidden from sharing with any agency of government they wish. If a company is already sharing information legally with any government agency, then that relationship should be allowed to continue. But there should be a simple rule that liability protection is only available if a civilian agency is your first stop.
  • Third, companies should be held accountable for honoring contracts that spell out the types of cyber threat information they might share with the government. For example, it is common for companies to include these details in user license agreements and other contexts. If they violate those contracts, then their customers should be allowed to challenge the disclosure. It seems self-evident that a company should not be given carte blanche to break its contractual word. But including a provision that clarifies this would nonetheless be useful. Among other things, it would help ensure that the program remains voluntary, because it would give companies legal leverage to resist any pressure they might feel to share information.

Additionally, it is important for any cybersecurity legislation to be written in a way that is not overly regulatory. For example, specifically designating which types of data can be considered cyber threat information could prove to be too cumbersome and thus ineffective. The standards must be flexible and take into account the realities of an ever-changing threat landscape.

By taking these considerations into account, the Senate has an opportunity to further protect people’s privacy and civil liberties, prevent government from strong-arming companies into sharing more than would be appropriate or necessary — and get us one step closer to the stronger cybersecurity footing that the country urgently needs to achieve.

Sharing Cyber Threat Information: How It Would Work, and Why It Would Help Bolster Security

posted by in Cybersecurity April 15, 2013

The Cyber Intelligence Sharing and Protection Act of 2013 (CISPA), which aims to bolster America’s ability to anticipate and defend against cyber-attacks by improving the situational awareness of front-line IT professionals and law enforcement authorities, will be on the House floor this week. So it is worth taking a close look at how the information sharing it aims to encourage between the public and private sectors would work in practice to protect critical systems and safeguard people’s personal information. (more…)

When “Security” Regulations Overreach

posted by in Cybersecurity, Opening Markets July 9, 2012

Cybersecurity has justifiably become a front-burner policy concern for governments around the world. But what happens when security regulations are effectively used to bolster the prospects of local firms at the expense of foreign competitors?

We are starting to find out, especially in emerging markets, where many governments have recently begun implementing security-related measures that stray far into the commercial sphere. The development of these overreaching security-related regulations is one of several IT-focused market barriers detailed in BSA’s latest policy report, “Lockout.” They not only create barriers (more…)

More Progress toward Compromise on Information Sharing

posted by in Cybersecurity April 19, 2012

“If your neighbor’s house gets broken into, you’d want to know about it.”

That was how John Landwehr, Vice President for Digital Government Solutions at Adobe Systems, put a fine point on the need for efficient and effective sharing of cyber threat information. He spoke at a packed briefing BSA hosted today on Capitol Hill to help educate House staff on issues involved in cyber legislation now pending in Congress.

Landwehr used the analogy of a home invasion to illustrate what information ought to be shared, with whom, and for what purpose: You would want to know how the break-in occurred so you could take appropriate steps to protect your house from the same type of crime. You would want others in the neighborhood to know, too, so they could (more…)

Time for a Final Push on Cybersecurity Legislation

posted by in Cybersecurity March 22, 2012

In an otherwise divided Congress, there is clear, bipartisan support for upgrading America’s cybersecurity capabilities. BSA believes this is an urgent matter of national and economic security; it cannot wait to be addressed. We also believe lawmakers are making significant progress. A number of House and Senate bills are pointed in the right direction, so it is time to hammer out the remaining details and get legislation passed.

In January, BSA outlined a series of policy priorities for cybersecurity legislation. Since then, Senate Homeland Security Chairman Joe Lieberman (I-Conn.), Ranking Member Susan Collins (R-Maine), and Commerce Committee Chairman Jay Rockefeller (D-W.V.) introduced a robust bill, the Cybersecurity Act of 2012 (S.2105), which covers the most important bases (more…)

Will 2012 Be the Year for Cybersecurity Legislation?

posted by in Cybersecurity December 22, 2011

Could it be that after years of false starts and dashed hopes, the logjam is about to break on cybersecurity legislation? It is too soon to be sure, but one thing is abundantly clear: There is significant movement in both chambers of Congress.

Senate Majority Leader Harry Reid has informed Minority Leader Mitch McConnell that he intends to bring comprehensive cybersecurity legislation to the floor in the first working period of the New Year. The ranking Republican members of four key Senate committees countered with a letter to President Obama urging that cybersecurity legislation focus on four near-term measures for which there would likely be broad support: information sharing, reforming the Federal Information Security Management Act (FISMA) (more…)

Guest Post: Key Steps Forward in Managing Cybersecurity Risks

posted by in Cybersecurity December 6, 2011

To understand the pressing need for effective cybersecurity policies, consider first how much we rely on information technology. In 2010, there were nearly 332 million personal computers in use in the United States — one for every man, woman, and child, with 20 million or so left over. In addition to all those PCs, there were another 148 million enterprise servers, tablet computers, eReaders, and smartphones exchanging both mundane and highly sensitive information across public and private networks. In fact, we rely on information technology for almost everything we do as a society — from personal tasks, such as paying bills and finding our way to new places, to matters central to the public interest, such as operating nuclear power plants and the country’s electricity grid.


ECPA’s Silver Anniversary: Time for Reform

posted by in Cybersecurity October 19, 2011

The Electronic Communications Privacy Act (ECPA), the law that sets the standards by which authorities can access electronic communications and data, turns 25 years old this week. Yet many of the electronic technologies it covers — technologies we use day in and day out — are much younger. Just think: ECPA took effect a decade before the World Wide Web took off, before most people used email, before there were smartphones and mobile-location technologies, before there was social media or cloud computing. (more…)

Senate Bill Shines a Light on Global Cybercrime

posted by in Cybersecurity August 5, 2011

Senators Kirsten Gillibrand (D-N.Y.) and Orrin Hatch (R-Utah) this week made an important contribution to the unfolding cybersecurity debate in Congress when they introduced an updated version of their International Cybercrime Reporting and Cooperation Act (S. 1469), which aims to foster more effective coordination between the United States and foreign countries. As has been reported by Politico (subscription required) and The Hill, the bill adds to a growing mix of cybersecurity proposals in front of lawmakers, with negotiations expected to pick up even more steam this fall.

Similar to the Special 301 process that the Office of the U.S. Trade Representative uses to spur America’s trading partners to improve intellectual property protections, the Gillibrand-Hatch bill would hold countries accountable (more…)

Debating Privacy and Security in the Cloud Age

posted by in Cloud Computing, Cybersecurity July 29, 2011

Earlier this summer in Brussels, Belgium, BSA brought together a distinguished group of industry leaders, technology experts, and government officials from both sides of the Atlantic for a daylong exploration of policy issues related to data protection and cybersecurity in the age of cloud computing. In a series of keynote speeches and panel discussions, participants considered such topics as how best to balance society’s interest in growing the economy with the need to protect people’s privacy and promote effective data stewardship.

Video of the entire BSA European Cybersecurity Forum is now available on YouTube and BSA’s website. (more…)