The push for CISA has come in large part from the business community, which has a lot to gain from the liability protections built into the bill. "The Protecting America’s Cyber Networks Coalition strongly believes that CISA is the only game in town on cybersecurity legislation," said Matthew Eggers, senior director of national security programs at the U.S. Chamber of Commerce, referring to a coalition of nearly 50 tech associations. "No cyber bill comes close to capturing both the support of virtually every economic sector and the White House."
But privacy advocates say lawmakers' near-exclusive focus on information-sharing was premature.
"In the rush to act, Congress lost sight of all the other solutions," said Drew Mitnick, policy counsel at Access, a digital human-rights organization.
Here are three alternatives to information-sharing that experts have floated.
Incentives for vulnerability buybacks
When a security researcher or a malicious hacker discovers a vulnerability in a company's software or hardware—whether it's a website, a sensitive database, or critical infrastructure—he or she must decide what to do with the information. Security researchers will often go straight to the companies to notify them of the vulnerability. Some companies are receptive to hearing about their security shortfalls; others are much slower to respond.
But a hacker who is less interested in the company's well-being will likely take a more profitable route, selling the vulnerability in the shadier corners of the Internet.
One way companies can keep bugs and vulnerabilities from ending up on online black and gray markets is by paying the people who discover them to report the flaws directly to the company instead. Some companies already run such buyback, or "bug bounty," programs. A number of tech companies offer tens of thousands of dollars or more for serious vulnerabilities; United Airlines recently became the first airline to introduce a buyback program, announcing bounties of up to 1 million frequent-flier miles for bugs in its websites and apps. But it specifically excluded from the bounty program research on vulnerabilities in critical infrastructure, like the actual airplanes United flies.
Tech experts say the government could incentivize buyback programs by offering the private sector grants or tax write-offs for the purchases. "If a company wants to pay to get a vulnerability off the black market or the gray market, then we're going to help them do that and encourage them to do that," said Laperruque.
Clarifications of anti-hacking laws
Another way to encourage the security research that makes the private sector safer is by clarifying and trimming down anti-hacking laws like the Computer Fraud and Abuse Act, tech activists say.
That law makes it a crime to access a "protected computer" without authorization or in excess of authorized access, and it is used to prosecute hackers who break into such systems. But privacy advocates have long criticized the law as overly broad, arguing that its vague definition of authorization discourages legitimate security research.