Chances are, your company’s computers will come under attack sometime soon. The perpetrators may want to steal personal information. They may want trade secrets or intellectual property. They may simply want to annoy you.
Whatever their motives, cybercrime is already costing the global economy more than $400 billion a year, by one estimate. After years of unproductive debate, the U.S. government finally looks ready to get serious. A big cybersecurity bill is likely to be introduced soon.
The question that springs to mind is whether that remedy might be more harmful than the disease. When it comes to digital security, the government — to put it mildly — can no longer take the country’s trust for granted. A systematic assault on cybercrime is necessary, but the policy must have safeguards and oversight built in from the start, not tacked on as afterthoughts.
A main component is likely to be new ways for companies to share information about attacks and vulnerabilities with the government and with one another, most likely through the Department of Homeland Security. On the whole, that would be a good thing. Better pooling of information should help companies detect threats, boost their defenses and develop countermeasures more quickly. It could help them avoid replicating security efforts or persisting with dubious technology. And it could help make the market for cybersecurity products more efficient.
The government, for its part, should be able to share technical know-how and advice, assimilate diverse threats into a bigger picture, and chase cybercriminals more effectively.
Fine. Yet building a new government-run colossus for collecting and disseminating private information isn’t to be done lightly. The cyberguardians will have to follow some rules.
For starters, any personally identifiable information that isn't needed to describe the threat should be stripped out before it is shared, and whatever remains should be anonymized as far as possible. Data should be held only for a limited and specified time, and shared only with clearly defined recipients. Penalties for the improper use or disclosure of information should be too serious to ignore.
More important, the government should be strictly limited in what it can do with the data. A legislative proposal recently released by the White House suggests the information should be used only to prevent computer crimes, respond to threats of death or injury, and protect minors. That’s a start, but as certain agencies have demonstrated, such language is susceptible to surprisingly capacious interpretation. Congress should insist on a sophisticated oversight system, so that people can be sure they aren’t being spied on.
Even with such safeguards in place, companies will hesitate to get involved if, because of the data they divulge, they could face onerous regulatory meddling or lawsuits over privacy violations. So, for any information shared for cybersecurity purposes, the government should consider offering businesses an antitrust exemption, protection from regulatory action and exclusion from Freedom of Information Act requests. As long as companies are acting without malice or gross negligence, they should get liability protection.
Meanwhile, the Department of Homeland Security ought to keep investing in promising technologies that can help businesses share information in a standardized format and automatically anonymize data. Such innovations could go a long way toward protecting privacy.
Admittedly, all this is just a start. Preventing attacks in the first place will also require better technology and greater expertise. It will demand that governments around the world assent to new norms of corporate and official conduct. And, ultimately, it will require educating the public, building a workforce with better cyberskills and persuading companies to take security far more seriously.
None of this Congress can do overnight, and some of this Congress can’t do at all. It will take time, money and — more than likely — the forceful encouragement of more and worse attacks. Sadly, that part can indeed be taken for granted.