The passage by the U.S. House of Representatives of the Protecting Cyber Networks Act on Aprils 22 is being widely hailed as a critical first step in protecting networks in the United States against cyber-criminals.
This bill is intended to make it easier for companies to share information about cyber-attacks with other companies and with the government. A similar bill is in line for consideration by the U.S. Senate in the near future. President Obama has already indicated that he'll sign it.
This new bill takes a critical step by limiting the liability of companies that share cyber-security information in good faith, it restricts distribution of the information within the government, it forbids the information from being provided to the National Security Agency (NSA) and the Department of Defense, and it requires that personal information be removed before the information is passed to other companies or the government.
However, some privacy and security advocates say the bill doesn't go far enough in protecting privacy and that it allows companies with shoddy security practices to escape consequences of data breaches and thefts.
But remember, this bill is only the first step. A companion bill, The National Cybersecurity Protection Advancement Act of 2015, will fill in some holes. That bill has been reported out to the full House and is expected to be voted on within a few days. Passage of that bill is also anticipated.
Jasper Graham, former NSA technical director and now vice president of Darktrace, says that the bill that was just approved is a good start. "I think it's a really good thing," Graham said. "It's the start of a longer conversation and the beginning of putting a more holistic conversation in place."
What's most important is that Congress has taken this important first move, Graham said. "None of these things are going to be perfect, and there will be a lot of debate around it, but you have to start somewhere."
Graham asserts that to some extent the concerns of privacy advocates are overblown. "If people were to really understand how much privacy information they give to Websites they browse, they'd be shocked," he said. "They're holding the government to a much higher standard."
Graham said that while it's important to protect privacy, it's also necessary to give the government the teeth it needs to accomplish the job of protecting security.
This bill has been in the works for several years, but until now has failed to get the support it needed to make it through Congress. Several things have changed since the beginning. First, the massive data breaches of 2013 and especially 2014 have made it clear that more needs to be done to protect business than is being done now.