What Congress Can Do About Cybersecurity If CISA Fails

As senators return from recess to a heaping plate of legislative priorities, a cybersecurity information-sharing bill that stalled earlier this summer is competing for lawmakers' attention with debates over the president's nuclear deal with Iran and the looming budget deadline.

The Cybersecurity Information Sharing Act, along with the 22 amendments that will also get a vote when the bill comes up, is the Senate's main push this session for a bill to address cybersecurity shortcomings in both the government and the private sector. Two similar bills have already passed the House.

Opponents of CISA—tech experts, privacy advocates, and pro-privacy lawmakers—have fought to delay the bill and would rather see it dropped completely. But if CISA does get buried under the Senate's packed schedule, experts say there are alternatives for lawmakers looking for ways to improve cybersecurity through legislation.

"There are a bunch of other things they could be looking at, some of which are very noncontroversial, don't involve privacy risks, and could be low-hanging fruit," said Jake Laperruque, a program fellow at New America's Open Technology Institute.

After hackers infiltrated computer systems at the White House, the State Department, the Pentagon, and the Office of Personnel Management—all within the last year—Congress began moving toward a cybersecurity fix with more urgency.

The push for CISA has come in large part from the business community, which has a lot to gain from the liability protections built into the bill. "The Protecting America’s Cyber Networks Coalition strongly believes that CISA is the only game in town on cybersecurity legislation," said Matthew Eggers, senior director of national security programs at the U.S. Chamber of Commerce, referring to a coalition of nearly 50 tech associations. "No cyber bill comes close to capturing both the support of virtually every economic sector and the White House."

But privacy advocates say lawmakers' near-exclusive focus on information-sharing was premature.

"In the rush to act, Congress lost sight of all the other solutions," said Drew Mitnick, policy counsel at Access, a digital human-rights organization.

Here are three alternatives to information-sharing that experts have floated.

Incentives for vulnerability buybacks

When a security researcher or a malicious hacker discovers a vulnerability in a company's software or hardware—whether it's a website, a sensitive database, or critical infrastructure—he or she must decide what to do with the information. Security researchers will often go straight to the companies to notify them of the vulnerability. Some companies are receptive to hearing about their security shortfalls; others are much slower to respond.

But a hacker who is less interested in the company's well-being will likely take a more profitable route, turning to the shadier corners of the Internet to pawn off the vulnerability.

One way companies can keep bugs and vulnerabilities from appearing on online black and gray markets is by offering to buy them from the people who discover them. Some companies already have buyback, or "bug bounty," programs. A number of tech companies offer upward of tens of thousands of dollars for vulnerabilities; United Airlines recently became the first airline to introduce a buyback program, announcing bounties of up to 1 million frequent-flier miles for bugs in its websites and apps. But it specifically excluded from the bounty program research on vulnerabilities in critical infrastructure, like the actual airplanes United flies.

Tech experts say the government could incentivize buyback programs by offering the private sector grants or tax write-offs for the purchases. "If a company wants to pay to get a vulnerability off the black market or the gray market, then we're going to help them do that and encourage them to do that," said Laperruque.

Clarifications of anti-hacking laws

Another way to encourage the security research that makes the private sector safer is by clarifying and trimming down anti-hacking laws like the Computer Fraud and Abuse Act, tech activists say.

That law is used to prosecute hackers who make their way into protected computer systems, but privacy advocates have long criticized the law for being overly broad and discouraging legitimate security research.

Lawmakers have tried in the past to cut the law down to size, with bills like Aaron's Law—named after a security researcher who took his own life after being charged with data theft—which would clarify when research on vulnerabilities in public and private systems is lawful.

"Improving the law so that security experts can actually conduct research without fearing prosecution" would be a boon to cybersecurity, Mitnick said.

One proposed amendment to CISA, put forward by Sen. Sheldon Whitehouse, would alter the computer-hacking law, but privacy advocates are worried that the change would make security research more difficult rather than easier.

An end to government "stigmatization" of encryption

FBI Director James Comey has recently waged a public-relations war on tech companies' encryption practices, railing against end-to-end encryption in speeches and committee hearings.

Comey argues that strong, nearly inaccessible encryption is a threat to national security because it leaves law enforcement blind to the communications of potential terrorists and criminals. He has asked tech companies to build in a way to decode encrypted communication that companies could use when asked by law enforcement. Experts have warned against built-in vulnerabilities, cautioning that intrepid hackers will always find ways to exploit them.

Some lawmakers have taken up the pro-encryption fight. Reps. Will Hurd and Ted Lieu, two computer scientists on the House Oversight Committee, sent a letter to Comey in June, condemning the FBI's stance on the so-called "backdoors" that would allow law enforcement to access encrypted communication.

The conflict over encryption has been detrimental to private-sector cybersecurity, Mitnick says, because it discourages more businesses from taking up the practice. "The government should stop stigmatizing these strong security measures," Mitnick said. "I think that would protect the government, protect consumers, and protect businesses."