October 29, 2015

Banks hail passage of cybersecurity bill

The banking sector largely applauded the recent passage through the Senate of a sweeping cybersecurity bill. But while the leaders of financial institutions mostly embraced the bill, critics in the tech sector lambasted the effort as a privacy nightmare that won't even stop cyberattacks.

The Senate version of the bipartisan Cybersecurity Information Sharing Act will now need to be reconciled with the House bill passed back in the spring. Both bills aim to pave the way for private companies to share data on cyber threats with the government. In several high-profile data breaches, had companies been aware of what other firms were dealing with, the threats might have been neutralized.

Liability protections included for companies
Frank Keating, president and CEO of the American Bankers Association, called the 74-21 Senate vote "an essential step toward the passage of critical information-sharing legislation in this Congress. It would enhance ongoing efforts by the private sector and the federal government to better protect both our critical infrastructure and Americans from all walks of life from cyber criminals."

One reason financial executives are pleased with the bill is the inclusion of liability protections for companies that send data to federal authorities, American Banker reported.

Homeland Security's role raises eyebrows
There are still provisions, however, that do not sit well with groups like the Securities Industry and Financial Markets Association.

"While we are supportive of the process moving forward to a conference," said Ken Bentsen, president and CEO of the trade group, "SIFMA does have serious concerns with language adopted during the Senate process which would give an outsize and inappropriate role to the Department of Homeland Security in making information sharing determinations and could lead to burdensome regulation that would undermine the voluntary nature of CISA, which is at its core. We strongly urge the Conference Committee to strike this provision."

'A surveillance bill in disguise'
Outside the financial industry, however, vocal opposition to the bill remains. It's especially fervent among some in the tech sector broadly and the cybersecurity sector in particular.

Trevor Timm, who writes about cybersecurity for The Guardian, lacerated the bill.

"Make no mistake: Congress has passed a surveillance bill in disguise, with no evidence it'll help our security," writes Timm.

Like other technology-side critics, Timm homes in on a key phrase from the bill, "cyber threat indicators," as being too vague since they could be anything from emails to Social Security numbers. Like SIFMA's Bentsen, he decries putting Homeland Security in charge of the data, but for a different reason: he sees that provision as a pipeline to the National Security Agency for more warrant-free searches.

Fails to encourage private security efforts
Brian Krebs, a cybersecurity expert who writes the influential blog "Krebs on Security," takes a more nuanced critical stance, saying the bill as it stands is a "let's do something law" that fails to encourage companies to invest in and increase their own security standards. He quotes a letter from a group of two dozen academics who argue that Congress' approach is wrong-headed.

"CISA creates new law in the wrong places," the letter read. "For example ... security threat information sharing is already quite robust. Instead, what are most needed are more robust and meaningful private efforts to prevent intrusions into networks and leaks out of them, and CISA does nothing to move us in that direction."

In this line of argument, more cooperation by companies against cyberattacks is a good thing, but forcing that data sharing under a government rubric would blunt the effectiveness of such efforts.

The bill, four years in the making, must make it through conference committee before heading to the president's desk to become law. American Banker reported that the House might not even take up the measure unless the Senate makes more changes.

Loan sale advisory firm Garnet Capital Advisors keeps a close watch on any regulations that may impact the banking sector and the buying and selling of loan portfolios.