Will new laws give federal cybercops too much power?


The House of Representatives recently passed the Protecting Cyber Networks Act (HR 1560), which would establish new sharing guidelines and liability protections, and the Senate is expected to take up the bill in the coming weeks. At the same time, many see PCNA and other bills like it as an unprecedented intrusion into otherwise neutral networks -- what Sen. Ron Wyden (D-OR) described as "a surveillance bill by another name." While most researchers still see themselves as engineers, there's a growing fear that these new measures will turn them into detectives. The result is one of the more puzzling privacy fights in recent memory, as Congress looks to legally authorize the information sharing that's already taking place, and privacy advocates say the bills in question aren't about sharing information at all. So what's wrong with the way data is shared, and how do the new bills plan to fix it? And more importantly, can they do it without turning network operators into spies?

For law enforcement agencies, the point of tracking a threat is to catch the criminals behind it, not just to fix the vulnerability that let them get in. If there's technical evidence in the wake of an attack like Target, agencies like the FBI want to use that evidence to find the parties responsible, and hopefully throw them in jail. That's a shift from the current research landscape, which generally sees attribution as secondary to patching vulnerabilities and identifying malicious code, but many in government see it as a necessary change. It's also a priority for President Barack Obama, who laid out the plan in his 2009 Cyberspace Policy Review, a document that insiders say is still guiding the White House's agenda in the area. "Key elements of the private sector have indicated a willingness to work toward a framework under which the government would pursue malicious actors," reads one passage from the review. At the same time, much of the security community sees the drive to catch criminals as a distraction from the more important work of securing systems. It’s hard to say whether these measures will be enough, and it will be difficult for any info-sharing bill to split the difference between patching vulnerabilities and chasing criminals. Whatever happens in Congress, that larger split may be much harder to fix.

