The first line of defense against cybercriminals is to have the companies and individuals who connect to the Internet hew to industry standards for minimizing risks. Many of them have so far failed to do so, however, enabling hackers to steal trade secrets, knock sites offline and vacuum up credit card numbers. Sadly, a new Senate bill aimed at improving cybersecurity wouldn't address those security gaps as forcefully as its sponsors originally proposed. But at least it's better than the alternative that passed the House.
At issue is what role, if any, the federal government should play in improving private industry's practices. Business groups have urged Congress to let government and the private sector share more information about hacking threats and defenses. That's necessary, but not sufficient. And if it's done the wrong way, as in the House-passed cybersecurity bill, information "sharing" can become a pretext for government surveillance and privacy violations.
The Senate bill is more sensitive to privacy concerns than the House's. Just as important as information sharing, however, is persuading corporate networks and sites to follow the tech industry's best cybersecurity practices. The Senate bill's sponsors originally proposed to require operators of critical infrastructure — e.g., power grids, water plants and payment processing networks — to meet federal security standards, using the techniques of their choice. But when business groups and their Senate allies howled about regulation, the sponsors dropped the mandate in favor of a voluntary program that merely encourages companies to adhere to cybersecurity standards.