Would Cybersecurity Legislation Hurt Business?

Every day, hackers steal sensitive personal and financial information from both consumers and businesses. According to McAfee Labs, a security company, its researchers uncover more than 200 cyberattacks every minute, or more than three attacks per second. Another security company, Norton, found that over 1 million adults become cybercrime victims every day. Half of small companies that experience cyberattacks go out of business within a year.
In 2012, then Defense Secretary Leon Panetta warned that if America didn’t improve its cybersecurity posture, the country could face a cyber Pearl Harbor. Despite Panetta’s warning, Congress has failed to pass cybersecurity legislation. In the long run, cybersecurity legislation would prevent intellectual property theft, data breaches, and erosion of trust in business. By failing to act, Congress exposes not only businesses but also people, government agencies, and critical infrastructure to dangerous cyberattacks.
A Brief History of Current Cybersecurity Legislation
In 2011, Rep. Michael Rogers (R-Mich.) introduced the Cybersecurity Information Sharing and Protection Act, or CISPA. CISPA would have facilitated information sharing between law enforcement and vulnerable businesses, people, and government agencies. When cyberattacks happened, law enforcement could share information while still protecting the privacy of the organization that was attacked.
Companies like Google, Apple, Verizon, AT&T, and Microsoft all supported CISPA. So did the Chamber of Commerce as well as a number of other technology industry groups and major security companies. All of these companies grapple with cybersecurity challenges on a minute-by-minute basis. A high volume of cybersecurity attacks has driven up demand for cybersecurity professionals with degrees like a BS in cybersecurity, but there still aren’t enough graduates to fill many available jobs.
Despite widespread support, many privacy advocates including the Electronic Frontier Foundation, ACLU, and Avaaz.org argued that cybersecurity legislation was a cloak for a widespread government spying. President Obama agreed with them, saying that he would veto CISPA even if it passed.
2014: A New Cybersecurity Bill
Senators Diane Feinstein (D-Calif.) and Saxby Chambliss (R-Ga.) have repurposed CISPA and excised some of the name, rebranding it as the Cybersecurity Information Sharing Act, or CISA. In addition to continuing to ignore the need to require information sharing from critical infrastructure entities, CISA adds more provisions that have angered privacy advocates. According to the bill, companies could monitor not only their own networks but also customer networks for threats. Companies could also implement countermeasures to block potential threats, and they’d have broad immunity for any damage caused by those countermeasures.
Although privacy advocates say the bill reaches too far, others suggest that it doesn’t do enough to protect the American people. Former NSA director Gen. Keith Alexander called on Congress to pass even stricter cybersecurity legislation. He argued that nuclear power plants and other critical infrastructure facilities should be required to share cyberattack information with the US government.
Cyber Pearl Harbor
By failing to reach a cybersecurity legislation compromise, Congress is putting Americans at risk. Secretary Panetta, in a 2012 speech, described what a major cyberattack could look like:

• Cyberattackers gain control of critical switches. Panetta suggested that attackers could derail passenger trains or trains loaded with dangerous chemicals.
• Water becomes contaminated. Cyberattackers that control water treatment plants could contaminate large metropolitan water supplies.
• Americans lose power. Attackers could shut down large portions of the country’s electrical grid.
• Communications are disabled. Both defense and civilian communications systems could be compromised by cyberattack.
• An attacker invades. Attackers could unleash an all-out cyberassault as a prelude to an airstrike or invasion of US soil.

The Future of Cybersecurity Legislation
CISA has passed the House Intelligence Committee, but Congress has yet to vote on the bill. If it does come to the floor for a vote, failure to address privacy concerns may still draw a White House veto. Gridlock in Washington leaves businesses continually vulnerable to more cyberattacks.
The average cyberattack costs a large business $1 million per episode. The 2013 attack on Target cost the company $148 million and sent shares tumbling, according to recent reports. In the long run, cybersecurity legislation would not hurt business. It would protect companies and the customers in their databases from costly cyberattacks.