The cybersecurity bill passed by the Senate Wednesday was six years and innumerable legislative fights in the making. In the end, Senator Harry Reid summed it up best: “The bill, which is okay, is better than nothing.”
That pleasingly tepid praise is on target for a bill that does a few good things, mostly avoids doing bad things, and leaves all the hardest things for others to figure out.
The Cybersecurity Information Sharing Act, known as CISA, would give legal protection to companies that share information about cyberthreats with the government and with each other. This should help them detect intrusions faster, improve their defenses, and take advantage of government advice and intelligence. It should give law enforcement a clearer picture of the threats facing U.S. networks and help in pursuing cybercriminals. And it sends a message — to crooks, spies and bored teenagers everywhere — that the U.S. is starting to take these matters more seriously.
Although the bill had the support of the White House, much of the business community and a substantial majority in Congress, it won’t please everyone. Many privacy activists opposed it. So did some big tech companies (many of the same ones that make their money by siphoning your private information and selling it). And some security experts have warned, reasonably, that the bill’s benefits are oversold.
The sharing of information does raise privacy concerns, but the bill takes sensible precautions. It tells companies to strip out personal data that isn’t related to a threat before sharing it, places prudent restrictions on how the government can use the information it receives, and makes clear that the whole thing is voluntary and expires after 10 years. It also designates the Department of Homeland Security — a civilian agency with significant privacy oversight — as the primary coordinator of the new system.
A bigger worry is that the bill allows the submitted data to be shared with other agencies, including the NSA. Congress should be alert to potential misuse (a House version of the bill is better in this regard), and consider adding stronger language in the final legislation. But on balance, the protections included are sturdy. More to the point, the average privacy- conscious Internet user has far more to fear from hackers than from government spooks (ask the benighted subscribers to Ashley Madison).
Even so, CISA won’t stop intrusions, thievery, espionage or general nuisance-making online. Doing so will require reforming outdated hacking laws and bolstering standards to improve data security. It will mean training more cybersecurity professionals and broadly educating the public. It will require that companies invest in smarter technology, more competent staff and better risk-management models. And it will demand that the government’s ever-growing cybersecurity bureaucracy get smarter and nimbler.
In other words, all the biggest challenges will have to wait. But after years of intensifying attacks — against retailers, banks, insurers, government agencies and just about everyone else — Congress is finally taking a small step toward bolstering the country’s defenses. It’s better than nothing.
