Beefing up cyber security

The engineers who designed the Internet focused on connection and communication, not safety and security. That’s one reason hackers have been able to take surreptitious control of Internet-connected devices, cripple websites and steal valuable data. Now, lawmakers are considering whether to vastly expand the government’s role in protecting Internet services and corporate computer networks against cyber attack. But while the online security threats are serious, encouraging private industry to funnel information to the government poses its own set of problems.

Disturbed by reports of Chinese hackers brazenly raiding U.S. corporate networks to steal trade secrets and track dissidents, the House is expected to take up a bill this week that would allow companies and the government to share more cyber security tips and techniques. The noncontroversial part of the proposal would let federal intelligence agencies disclose sensitive information about cyber threats to utilities, ISPs and corporate network operators. The controversial part would encourage private industry to monitor any and all activity on their networks for cyber security problems and share even potentially sensitive personal information they collect with the feds.

The bill’s authors — the top Republican and Democrat on the House intelligence committee — are so eager to beef up the private sector’s defenses, they would waive wiretapping rules, privacy regulations and all other laws to let companies use vaguely defined “cyber security systems” to obtain information about cyber threats and share it with anyone, including the Department of Homeland Security. To accommodate the rapid changes in technology and hacking methods, the measure broadly defines the information that companies could monitor, collect and share in the name of cyber security without fear of liability.

To their credit, leaders of the intelligence committee have tried to address privacy advocates’ concerns. But the bill’s fundamental problem is that encouraging the operators of broadband services, email systems and social networks to collect information about their users and share it with the government transforms them from service providers to surveillance agencies.

A better approach would be to address directly the software vulnerabilities of the Internet and the devices that connect to it. Having companies do a better job minimizing their exposure to hackers and keeping their software up to date is at least as important as having them monitor their networks. And if companies want to share what they learn about cyber attacks — some may not because they believe that information gives them a competitive advantage — they should do so without including personally identifiable information, and without handing the data to federal enforcement agencies that might be tempted to look for something other than hackers.