The recent disclosures that hackers had made off with nude celebrity photos stored on Apple’s iCloud and credit card information collected by Home Depot were just the latest in a seemingly endless series of headline-grabbing data thefts. But the timing was propitious, given that the Senate is resuming work on a long-overdue bill to protect online data and corporate networks by letting government and the private sector share more information about cyberthreats. Sadly, this year’s version and the House’s counterpart have at least as many problems as their predecessors, putting far too much trust in the government and the private sector to do the right thing.
The main purpose of both bills is to remove the legal barriers stopping the dissemination of valuable information about malware, botnets and other forms of attack online. This is a worthy goal and, potentially, a major step forward in protecting against cyberassaults, corporate espionage and other online threats. But the details matter, particularly when it comes to what information gets shared with whom. Although the bill by Sen. Dianne Feinstein, D-Calif., is better than the House proposal and some of the previous versions, it still leaves too many openings for personal information to be shared with government agencies that don’t need to see it, and that could use it for too many purposes beyond cybersecurity. In fact, it requires that information shared with the government be sent automatically to the Department of Defense and, presumably, the National Security Agency, given the latter’s interest in cyberattacks. For that reason, it feels too much like a bill to deter hackers by expanding the surveillance of ordinary Internet users.
When it comes to cybersecurity, the most effective type of sharing is the rapid exchange of newly discovered threat information by tech experts working in the same industry. The Senate bill would make that possible, but it wouldn’t compel companies to do so — or to take any other steps to improve security, or even to disclose breaches to the public. And as the two latest incidents show, data thieves don’t have to come up with something new and sophisticated to obtain sensitive personal information. They can succeed with techniques that are relatively simple and well-understood.
The last thing government should do in this area is dictate cybersecurity techniques. To its credit, the Obama administration has worked with the private sector to develop voluntary standards and best practices for protecting networks. Congress should take the next step and pass a bill that allows companies to share timely information about cyberthreats and hackers’ methods with each other and the government. The current proposals, however, don’t do enough to make sure the information shared is anonymized and used only to promote cybersecurity. And Congress has already given the federal government too much leeway to monitor its citizenry.