The Cybersecurity Information Sharing Act: What’s Needed is Education Not Legislation
Many years ago, Will Rogers, noted Oklahoman and media star of the 1920s and 1930s, quipped, “You can’t legislate intelligence and common sense into people.” While it’s universally true, this aphorism is particularly appropriate for information security.
This week, the U.S. Senate passed the Cybersecurity Information Sharing Act (CISA) by a vote of 74-21, which paves the way for a combined version of the House and Senate bills to become law. Cyber security and technology companies along with data privacy advocates are united in their harsh criticism of the bill in its near final form.
The intent of CISA is to “stem the rising tide of corporate data breaches” through information sharing between private companies and government agencies, in order to effectively create a pre-emptive strike capability. More than likely, the near-universal support for the bill in both the House and the Senate reflects a well-intentioned desire to be doing something, if not anything, in response to the toll that cyber attacks have taken both on corporate America and, more importantly, on individuals. But it does rather miss the mark for what really ought to be done to provide more robust security and more resilient infrastructure.
I’m not going to pile on the same criticisms as the privacy groups – that CISA opens the way for more government surveillance – but do we really need to legislate information sharing that will likely not improve cyber security defenses to any significant extent? It’s true that part of good data and network security does come from knowing what threats are out there and what vulnerabilities they exploit, so you can pen test, patch, monitor, and move on. But most companies can already get these types of updates from free services, paid subscriptions, or their cybersecurity services providers. And while the most fundamental element of security – password security – remains so poorly understood and so badly executed that a cat can hack your Wi-Fi, bills like CISA won’t do much to save our data from getting into the hands of bad actors.
Where we really need to start is cyber security education: from the classroom, to the breakroom, to the boardroom, and more than likely even the committee rooms of Congress. These days, the overwhelming reason that hackers hack is to obtain personally identifiable information, which is stored on systems from your email account to your company’s HR database and, of course, in the data centers of government agencies. And when it’s combined with information – like our birthday, address, best friends, and dog’s name – that we all willingly share through our social media presence, this information becomes the basis of long-lasting identity appropriation. If we start by fixing passwords, which are effectively the keys to all these systems, then we’ve added a huge obstacle for bad actors to overcome.
However you choose to add layers of security to your own password structure – by poetry, song, two-factor authentication, or obfuscation – that’s the step that needs to be taken first. We can’t legislate it; we just need to educate.