Laws won't stop cybercriminals, say experts

Terrorists and organized criminals are using computer vulnerabilities to line their pockets, but many cybersecurity ideas coming out of the U.S. Congress may not help much, some experts said Wednesday.

Legislation that would require companies with data breaches to notify affected customers will create new expenses for companies, much the way the Sarbanes-Oxley Act did, said Bruce Kobayashi, a law professor at George Mason University. Congress passed Sarbanes-Oxley, or SOX, in 2002, and the law requires public companies to report their internal processes for ensuring the accuracy of financial reports.

"I think Congress has to ... slow down," said Kobayashi, speaking at a data security conference sponsored by conservative think tank the Progress & Freedom Foundation (PFF). "Otherwise, we're going to get some SOX-type legislation in which firms spend a lot of money sending out notifications."

Since a rash of data breaches in early 2005, Congress has introduced more than 10 bills related to data breach notification. Four bills are awaiting action on either the Senate or the House of Representatives floor, but the bills differ in their approach, and each would have to pass through the other chamber to become law. Congress is scheduled to adjourn for the year in early October.

The working model for a data breach bill seems to be the SOX law, which has cost U.S. businesses hundreds of millions of dollars, Kobayashi said. "The model is a sledgehammer," he said. "What economists hope is Congress steps back and looks at the costs and benefits before they do something like that."

But others speaking at the PFF conference said cybersecurity problems are more serious than most people realize. The U.S. Federal Bureau of Investigation gets frequent reports of hackers attempting to extort companies by threatening to release customer data, and the U.S. Department of State has warned of terrorist organizations training hackers, said Alan Paller, director of research for the SANS Institute.

"You get shot trying to rob jewelry stores," Paller said. "[Hacking] is a much better way to raise money to buy the bombs."

Some consumer groups and businesses have called for a national data breach notification law. Businesses such as data broker ChoicePoint Inc., which in February 2005 announced a breach affecting about 150,000 people, have called for a national breach notification law instead of complying with a "patchwork" of nearly 30 such state laws.

Kobayashi called for Congress to pass a law allowing companies to comply with one state law, much the way U.S. corporations register in Delaware because of its corporate tax law. "We have seen innovation at the states," he said. "I don't have any answers, but I'm sure that neither does Congress."

Instead of waiting for Congress to act, businesses should demand more secure IT products, said Ken Silva, chief security officer for security vendor VeriSign Inc. He encouraged technology buyers to join organizations that advocate for more secure products.

"We can't wait for Congress to solve this problem because it's not going to solve the problem," Silva said. "The fact of the matter is extortion is already illegal. Passing a law to make electronic extortion even more illegal looks good on television, but it doesn't really solve the problem."