New Cyber Bill Falls Short Because Congress Doesn’t Understand The Internet

Sen. Claire McCaskill (D-MO) holds up her Apple iPad CREDIT: AP PHOTO

It’s taken several years, billions of dollars in breaches, and one large-scale hack that rocked the entertainment industry, but Congress is finally on the verge of passing a cybersecurity bill that could make Target breaches far less devastating.

In a majority 307–116 vote Wednesday, the U.S. House of Representatives passed the Protecting Cyber Networks Act, a bill that would let private companies grant real-time access to their computer systems to federal agencies and other companies to better fend off cyber threats.

It’s a much-needed bill that has consistently stalled in Congress, but is now finally getting traction. There’s just one problem: Congress tackles cybersecurity as it does other issues, with vague language that doesn’t fully take into account the effects that opening up several massive computer networks for data sharing will have.

PCNA comes with some consumer protections, such as sanitizing personal data by both the company and the government agency. The lack of such protections has kept privacy advocates like Rep. Adam Schiff (D-CA) from cosigning past iterations of the bill.

Speaking on the House floor Wednesday, Schiff lauded the bill for protecting consumers from hackers, by allowing the real-time exchange of information that could be linked to a current or future cyberattack.

“At some point we need to stop hearing about cyber attacks that steal our most valuable trade secrets and our most private information, and actually do something to stop it,” Schiff said. “PCNA does what no executive order can do, it incentivizes cyber threat information sharing providing limited liability protection,” which for example would allow a company to freely share malicious code or viruses found in its systems with other companies. The government, in turn, would warn companies in the partnership of an impending attack.

The Senate Intelligence Committee has raved about the PCNA, which is now on its way to the Senate for a vote, and the White House is pretty much on board with the bill. In a statement Tuesday, the White House commended the new legislative effort but expressed some reservations over making sure the bill wouldn’t give companies a free pass to not take steps to boost cybersecurity and risk customer data. The White House also stressed that protections under the bill should not allow companies to take down competitors.

The bill still falls short, according to privacy groups, because it gives the government and law enforcement agencies discretion over what internet behavior is considered a potential threat. As Robyn Greene, policy counsel for the New America Foundation’s Open Technology Institute, told Wired, the government can legally get personally related information as long as it’s considered a “threat indicator.” That includes spam victims’ IP addresses that were unwittingly exposed through botnets.

Nearly 60 privacy and security experts and civil liberties advocates wrote a letter to Congress asking House members to oppose the bill because it left many security questions unanswered.

“PCNA’s overbroad monitoring, information sharing, and use authorizations effectively increase cyber-surveillance, while the authorization for the use of defensive measures actually undermines cybersecurity,” the letter stated.

Privacy groups say the bill is a diluted version of past cybersecurity bills, such as the Cyber Intelligence Sharing and Protection Act (CISPA), which was condemned for allowing tech companies and device manufacturers to share internet traffic with the government.

CISPA previously failed to pass through Congress but was reconsidered in the wake of the Sony hack last year. It never got off the ground. But like CISPA and other legislative attempts to address the perils of the digital world, PCNA is the victim of Congress trying to solve a problem with either too broad or too narrow a scope.

The Computer Fraud and Abuse Act, for example, has been used by the government and law enforcement to more easily charge and convict hackers. The law was used against Aaron Swartz, an internet activist who committed suicide after the Justice Department charged him with criminal hacking for downloading documents from a research database. It has been criticized by the tech industry for being too broad and for treating everyday internet habits, such as lying about your age, as hacking, and thus a federal crime. Swartz faced up to 50 years in prison for 13 felonies permitted by the law.

President Barack Obama has already made plans to update the law that originally passed in 1986 prohibiting unauthorized computer access. But Obama’s proposed revisions could still be too broad, criminalizing any behavior done without express consent, like guessing your grandmother’s password after she locked herself out of her iPad.

Cyberattacks are serious and the government should definitely have a legal framework to prosecute malicious hacks that expose people’s personal information. Technology evolves exponentially faster than the pace of government, innovating without permission, and each update weaving more tightly into our lives than the last. And at that rate, Congress can’t afford to be opaque.