AFTER YEARS of failure to find a consensus on cybersecurity, the Senate is expected to vote early next week on a bill that would enable the government and the private sector to share information about malicious threats and respond to them more quickly. The legislation is not going to completely end the tidal wave of cyberattacks against the government and corporations, but passing it is better than doing nothing — and that is where Congress has left the matter in recent years.
The legislation, approved by the Senate Select Committee on Intelligence on a bipartisan 14-to-1 vote in March, is intended to iron out legal and procedural hurdles to sharing information on cyberthreats between companies and the government. Private-sector networks have been extremely vulnerable, while the government possesses sophisticated tools that might be valuable in defending those networks. If threats are shared in real time, they could be blunted. The legislation is not a magic wand. Hackers innovate destructive and intrusive attacks even faster than they can be detected. The information sharing would be voluntary. But the bill is at least a first step for Congress after several years of inconclusive debate over how to respond to attacks that have infiltrated networks ranging from those of Home Depot to the Joint Chiefs of Staff.
The biggest complaint about the bill is from privacy advocates, including Sen. Ron Wyden (D-Ore.), who cast the sole dissenting vote on the intelligence committee. His concerns have been amplified recently by several tech giants. Apple told The Post this week that it opposes the legislation because of privacy concerns. In a statement, the company said, “The trust of our customers means everything to us and we don’t believe security should come at the expense of their privacy.” Some other large technology firms are also opposing the bill through a trade association. Separately, alarmist claims have been made by privacy advocates who describe it as a “surveillance” bill.
The notion that there is a binary choice between privacy and security is false. We need both privacy protection and cybersecurity, and the Senate legislation is one step toward breaking the logjam on security. Sponsors have added privacy protections that would scrub out personal information before it is shared. They have made the legislation voluntary, so if companies are really concerned, they can stay away. A broad coalition of business groups, including the U.S. Chamber of Commerce, has backed the legislation, saying that cybertheft and disruption are “advancing in scope and complexity.”
The status quo is intolerable: Adversaries of the United States are invading computer networks and hauling away sensitive information and intellectual property by the gigabyte. A much stronger response is called for in all directions, both to defend U.S. networks and to punish those, such as China, doing the stealing and spying. This legislation is a needed defensive step from a Congress that has so far not acted on a vital national concern.