Truman National Security Project

The Senate Cybersecurity Bill: A Start, But Not an Answer

By Richard Wheeler | 7.17.12

It has become a depressing but now familiar pattern: in the space of a week, reports surfaced both that LinkedIn’s mobile app scraped information from users’ mobile devices and stored it on LinkedIn’s servers—without informing it’s users of the practice—and that LinkedIn user passwords had been broken and stolen by hackers since LinkedIn had only lightly encrypted and poorly defended the data. To make matters worse, like many of the similar breaches of recent years, these weren’t discovered or disclosed by LInkedIn but by private security researchers.

There are a number of concerns here, but one of the biggest is that for many workers today LinkedIn has become part of their “critical infrastructure”. It’s used for business development and networking to such a level that it’s unthinkable to remove yourself from the system—even if LinkedIn can’t keep your data safe. And without the pressure of losing users, LinkedIn may have little financial incentive to clean up its security practices. Which leaves users in the position of having to trust that LinkedIn will learn from it’s mistakes—a pretty shaky proposition given recent events.

There is a common refrain from hordes of industry lobbyists that cybersecurity should be left up to industry to define and implement and that legislation and regulation—read any legislation and any regulation—is anti-business and anti-growth. This argument usually continues by saying that we should trust industry because it knows best.

Part of this is sometimes true: industry does often know how to protect cyber assets. The problem is that it doesn’t always implement common sense and common practice. In an age when even Facebook can’t get it’s IPO right, is it really any surprise to learn that a tech company has cut corners? And what about companies that use technology don’t see it as the core of their business? The IT department of most companies is seen as a cost center, so even if it knows how to implement a complete cybersecurity plan, would it be surprising to hear that the plan wasn’t followed to cut costs?

The bipartisan cybersecurity bill that is now before the Senate
addresses these realities by proposing comprehensive guidelines for cybersecurity. It patches gaps and standardizes and streamlines requirements so that companies have an easier time figuring out what they should be doing to maintain their defenses. Far from imposing undue burdens on industry, by setting common sense standards it makes it easier for businesses to know what they are responsible in ensuring cybersecurity. It’s not a complete answer, but it’s a good start.

Richard Wheeler is a Truman Security Fellow.