The first line of defense against cybercriminals is to have the companies and individuals who connect to the Internet hew to industry standards for minimizing risks. Many of them have so far failed to do so, however, enabling hackers to steal trade secrets, knock sites offline and vacuum up credit card numbers. Sadly, a new Senate bill aimed at improving cybersecurity wouldn’t address those security gaps as forcefully as its sponsors originally proposed. But at least it’s better than the alternative that passed the House.
At issue is what role, if any, the federal government should play in improving private industry’s practices. Business groups have urged Congress to let government and the private sector share more information about hacking threats and defenses. That’s necessary, but not sufficient. And if it’s done the wrong way, as in the House-passed cybersecurity bill, information “sharing” can become a pretext for government surveillance and privacy violations.
The Senate bill is more sensitive to privacy concerns than the House’s. Just as important as information sharing, however, is persuading corporate networks and sites to follow the tech industry’s best cybersecurity practices. The Senate bill’s sponsors originally proposed to require operators of critical infrastructure — e.g., power grids, water plants and payment processing networks — to meet federal security standards, using the techniques of their choice. But when business groups and their Senate allies howled about regulation, the sponsors dropped the mandate in favor of a voluntary program that merely encourages companies to adhere to cybersecurity standards.
Companies already have plenty of incentive to protect their networks from hackers, yet too many fail to do so. It’s conceivable that providing even more incentives could do the trick, but the ones in the current version of the Senate bill range from weak to nonsensical — such as threatening to withhold information about cybersecurity threats from companies that don’t comply.
The best motivator may be to require companies to disclose publicly when they’ve been hacked, which would bring more market forces to bear on companies that didn’t keep up with the constant demands of cybersecurity. Business groups oppose even that step, however, and the bill merely tells regulators to consider it. Unable to mandate better compliance with security standards, lawmakers evidently can’t even provide companies more compelling reasons to do so voluntarily.