If you’ve noticed service interruptions on your bank’s website in recent months – you’re not alone. A number of U.S. banks have experienced “distributed denial of service” attacks by a group of “hacktivists” using cyberattacks as a way of protesting an anti-Muslim YouTube video. The group – known as the Izz ad-Din al-Qassam Cyber Fighters – has demanded that the U.S. government remove the video from YouTube. Until the video is removed, al-Qassam has promised to continue its attacks on banks, even though the banks have no connection to or influence over the U.S. government, YouTube or the video’s producers.
These attacks – and other, similar instances that have occurred around the world – highlight how cyberthreats affect everyday consumers and cost businesses billions of dollars. As the threats and costs continue to rise, Congress and the Obama Administration both have increased efforts to develop effective methods to address cybersecurity issues, including attempts to develop and improve industry-wide cybersecurity practices, protect consumers’ private information and create an information-sharing program between private and public sectors.
One piece of legislation drawing attention is the Cyber Intelligence Sharing and Protection Act (CISPA). The House Permanent Select Committee approved CISPA last week, and the full House is expected to debate the Act today and Thursday. The bill authorizes the government and the private sector to share information on a voluntary basis to address cybersecurity concerns, restricts the government’s and private companies’ use of the shared information, and limits the private sector’s legal liability for sharing information.
These measures are not without controversy; House and Senate Democrats are preparing for a fierce battle, and the White House has threatened a veto over consumer privacy measures left out of the bill. Specifically, privacy advocates are concerned with the amount of personal information private companies will share with the government, how the information will be used within government agencies and the scope of legal protection for sharing that the private sector will receive.
Congresswoman Marsha Blackburn also introduced legislation last week – the “SECURE IT” Act of 2013 – which creates a mandatory information-sharing program but limits the information private companies may share with the government, criminalizes cyberattacks that cause damage to critical infrastructure computers and requires companies to inform individuals when their personal information is compromised because of a cyberattack. Like CISPA, SECURE IT allows the government and private companies to share information; SECURE IT, however, attempts to address some of the privacy and civil liberty concerns identified by critics of CISPA.
Separately, President Obama’s 2014 budget proposal allocates billions of dollars to cybersecurity initiatives and provides NIST with funding to implement the information-sharing framework described in Executive Order 13636, “Improving Critical Infrastructure Cybersecurity.” Key features of the Order include a voluntary information-sharing program, like CISPA, and the authority to develop a framework to reduce cyber risks. The Order does not offer the broad liability protection found in CISPA (as such protection requires legislation), and it requires agencies to incorporate privacy and civil liberties protections into their cybersecurity frameworks.
While everyone seems to agree that cybersecurity is an important issue and requires immediate action, it is unclear whether and when Congress and the Obama Administration will settle on an agreed approach. One thing is certain, however: hacktivists like al-Qassam and assorted other “bad actors” will continue cyberattacks on banks and on the private sector more generally. Just as we unfortunately have become used to routine traffic jams in the real world, we all may need to resign ourselves to the idea of increasingly frequent “cyber-jams” for the foreseeable future.