The Cybersecurity Act of 2015 is approaching its three-month birthday, but you can be excused if you’re oblivious to that. After all, many people probably don’t know it even exists. Very quietly, the law—the first major piece of Congressional cybersecurity legislation, one designed to address the explosive growth of successful cyberattacks—was signed into law in mid-December 2015 by President Obama.
The act didn’t attract much attention because it was embedded in a $1.1 trillion omnibus spending bill to fund the government. The dim spotlight aside, what is the verdict on this historic legislation—a compromise bill based on competing cybersecurity information sharing bills that passed the House and Senate earlier in 2015?
It has some strengths and some weaknesses. Overall, what can be said is that it has insufficient teeth but nonetheless is a good starting point in getting the government involved in the global cybersecurity war—and yes, it is a war. The good guys need all the help they can get against the bad guys. The cost of global cyber espionage has soared to about $500 billion annually, and when you add in the cost of stolen intellectual property, it tops $1 trillion annually. Unfortunately, the bad guys are winning.
Bear in mind that this act is a product of Washington, and so, of course, it is a patchwork of compromise. The victory is modest and lies mostly in the passage itself. The day that occurred—December 18—even President Obama conceded “I’m not wild about everything in it . . .”
As a venture capitalist, I would like to see this legislation become the first step toward a broader and more sophisticated cybersecurity sharing network. That’s because I want the startups I back to push the cybersecurity envelope—and to correctly anticipate the future course of attacks—as much as possible. An improved sharing network would help achieve that goal because a better job could be done protecting against many standard attacks, allowing young cybersecurity companies to focus more on chronically evolving state-of-the-art attacks.
The legislation calls on businesses, government agencies and other organizations to share information about cybersecurity threats with each other. The belief is that, overall, this will help them prepare themselves better to identify and defend against cyber attackers. The Department of Homeland Security is the ring leader and can share the information with other government agencies and companies. It isn’t clear how this information will be shared, however, and, with the notable exception of IBM, some technology companies have said they will not participate because they don’t think there is sufficient consumer identity protection. This is a reasonable concern given the government’s own challenges in protecting sensitive data. The provisions of the law are voluntary.
People can debate the latter point endlessly and reach no clear-cut conclusion. What is much more significant, in fact, is that this legislation is behind the times.
By itself, sharing information about new types of malware, suspicious network activity and other indicators of cyber attacks won’t thwart much cybercrime. Given that the vast majority of cyber attacks are focused on data, what is really needed is the implementation of encryption to secure that data. Also crucial eventually is diligence in patching of outdated software. These steps can go a long way in making systems less vulnerable and lay the foundation for innovation focused on hardening next-generation IT infrastructure against cyberattacks.
As things stand today, even the sponsors of the legislation admit that the new law would not have helped against the highly destructive, allegedly North Korean-orchestrated attack against Sony Pictures Entertainment in 2014. Why? That attack, like many today, was not based on previously known computer viruses or other malicious tools that companies and the government could warn each other about.
Similarly, this law would not have fended off the theft of millions of personnel records from the U.S. Office of Personnel Management. In that case, the government failed to install sufficient cybersecurity protection in the first place. Poor computer hygiene, in fact, is rampant.
Businesses are encouraged to share more information about cyberattacks because the law minimizes the threat of private lawsuits, such as suits over violations of electronic privacy protections. In addition, companies are generally required to strip personal information about customers out of the shared data so that the government cannot amass records on individual behavior. The government is also required to ensure that all personal information, such as customer records, has been scrubbed.
While the law in its current form is lacking, it isn’t altogether ineffective. Take, for example, lower-level cyber-attacks. The notion of companies and governments sharing data about the “signatures” of cybersecurity thieves is worthwhile. This is the digital trail that shows where the attackers came from and what their code looks like. Given that most cyber-attacks are lower-caliber attacks assembled from non-proprietary code or programs and from off-the-shelf components on the black market, how can this not be helpful?
We have to start somewhere to begin improving U.S. cyber defenses. Washington, despite its foibles, has managed to do that. I prefer to look at this ultimately as something good, not bad, and that a stake has been put in the ground in the nation’s capital to step up the U.S. counter-attack against cyber intruders.
Robert Ackerman Jr. is founder and managing director of Allegis Capital, a Palo Alto-based early stage venture capital firm specializing in cybersecurity. Some of Allegis Capital’s cybersecurity investments include Shape Security, vArmour, and Red Owl.