The U.S. Congress has been considering two significant cybersecurity bills, the Revised Cybersecurity Act of 2012, which failed a procedural vote in the Senate on Thursday, and the Cyber Intelligence Sharing and Protection Act (CISPA) in the House of Representatives.* Their significance comes from their shortcomings: Both bills have fallen prey to the limits of the current American political climate, where special interests and disputes over the appropriate role of government have combined to harm national security -- and, as a result, neither will do much to protect the United States from cyberthreats.
Congress knows that weak cybersecurity endangers the country -- and that America is dangerously unprepared -- but it cannot muster a majority to support serious defensive measures. The same forces that have kept Capitol Hill in gridlock on many important issues have also blocked effective cybersecurity legislation. That said, Congress does not want to be in the position, after the inevitable cyberdisruption, of having to say it knew but did nothing.
The political solution to gridlock is to pass weak legislation and pretend it will work. This is the CISPA story. House Republicans created a Cybersecurity Task Force last year to develop ideas to strengthen cybersecurity. The report they issued in October was fair and accurate. Had the House enacted its unanimous recommendations, which included regulation of critical infrastructure, the nation would be safer. The recommendations formed the basis of a comprehensive bill introduced in the Homeland Security Committee. Unfortunately, for reasons that are unclear, but likely relate to concerns about the Department of Homeland Security (DHS), small-government ideology, and the pressures of an election year, the House suddenly reversed course and withdrew the comprehensive cybersecurity bill from consideration, with some members saying that they no longer supported the report they had endorsed a few months earlier.
The demise of the task force-inspired bill meant the House needed something to take its place. The solution was to elevate CISPA. CISPA began as a measure to remove the legal impediments to information sharing between companies and the government. This information can include "signatures" and other cyberthreat indicators, such as intelligence information, reports of successful penetrations, and information on the identities or network addresses of the "attacking computers" (This category raises potential privacy problems that CISPA worked hard to address). Many people agree that the United States needs to update legislation on communications and privacy, and CISPA does good work in this regard (pace the privacy community), but it is not really a cybersecurity bill and sharing information is a feeble response to a serious threat.
Politicians like information sharing because it doesn't actually require them to do anything. Information sharing was a central part of the Clinton administration's cybersecurity policy created in 1998 by Presidential Decision Directive 63. Information sharing didn't work then, it hasn't worked since, and it won't work now. America is more vulnerable to cyberattack after years of relying on voluntary action and information sharing because information sharing does not change the economic incentives for inaction. Companies assess the probability that a threat will become an attack, and if there is an attack, whether they will be held liable. They weigh the cost of preventive measures against the risk of liability. Almost all conclude that the liability risk for cyberattack is too low to justify greater effort. This is a sensible business decision but does not help national security. Sharing cyberthreat information is not enough to protect critical infrastructure because it is the attacks we don't know about, the attacks that exploit unknown vulnerabilities, that create the greatest risk.
Particularly after their experience with the "warrantless surveillance program," where companies that cooperated faced a plethora of lawsuits, corporations are understandably reluctant to share information with the government. CISPA would lower the risk of sharing information by offering them liability protection, but it does not create incentives for securing networks. In private, some members of Congress will tell you that they know CISPA is not enough. Nevertheless, in public, they trumpet CISPA as a cybersecurity bill. One powerful motive for its passage, as a House member privately told companies, was that it would "help protect you from regulation."