When Congress returns after the election, there’s something a majority of Americans say they need to work on: Improving the country’s ability to prevent cyber attacks.
That makes sense, as Morning Consult polling conducted this month found 51 percent of Americans said they have either shopped at a retail store or banked with a financial institution that has been hacked in the past year. Given the high percentage of those hit by the cyber attacks, it is unsurprising that 52 percent of those polled also said Congress should address this issue when the new session begins in January.
The wealthier and more educated the person, the more likely they were to have been affected by recent cybersecurity breaches at large companies and institutions such as J.P. Morgan Chase and Co., the polling suggests. Sixty-four percent of those making over $100K a year responded they had done banking with or visited a retail location that had been hacked, as had 65 percent of those with a post-graduate degree and 57 percent of those who reside in suburban areas.
A cybersecurity bill that aims to curtail these attacks is currently stuck in the Senate. The bill allows the Department of Homeland Security and private companies to more easily share threat information. As reported by Morning Consult in September, many experts believe this bill has a slim chance of going through this year. But there is growing optimism that it could get passed during the lame-duck session.
Speaking at a Bloomberg event on Tuesday, the bill’s House sponsor, House Homeland Security Committee Chairman Michael McCaul (R-Texas), said he thinks there is an 80 percent chance his bill could pass through the Senate during the lame-duck session. McCaul said he was told the bill was making good progress in the Senate.
“It might be the one bill that passes this Congress and gets signed into law,” McCaul said at the event.
The House passed McCaul’s bipartisan cybersecurity bill in 2013. Both the House and Senate cybersecurity bills have support from a wide group of organizations, from the American Bankers Association to the 9/11 Commission.
However, some groups that supported the House legislation remain skeptical about the Senate version of the bill. The National Retail Federation thinks the scope of the Senate bill may be too broad.
“NRF has supported the House-passed cybersecurity bill (CISPA) as we believe this type of legislation would increase retailers’ access to shared critical threat information,” wrote Paul Martino, vice president and senior policy counsel with the NRF. “We remain concerned, however, with the potential unintended consequences in the Senate Intelligence Committee’s cybersecurity bill (CISA), as well as with the expanding focus of the Obama Administration on commercial data regulation.”
Doug Johnson, vice president of payments and cybersecurity for the American Bankers Association, said that sharing information about cyber threats among financial institutions and the federal government is already common practice. This bill, he said, will provide clarification on how sharing information should be done among sectors and between financial institutions.
“Anything we can do to enhance our capacity to share information between companies and, in effect, with the government is important to protecting our customers,” Johnson said.
Johnson said that concerns about personal information of U.S. citizens being shared do not apply to this law; what would be shared is the Internet Protocol addresses of potential threats, which are typically foreign.
When asked who should bear responsibility for addressing cyber threats to financial security, 51 percent of those polled by Morning Consult said the government should stay on the sidelines and allow companies to develop their own cybersecurity measures. Only 35 percent agreed more with the notion of the government stepping in to provide aid.
Johnson said that while financial institutions are mostly self-sufficient in protecting their customers, there are areas where government oversight is needed. This law, he said, would establish ground rules for how to share threat information and respond to attacks, which would make combating ever-complicating threats more effective.
“There is always a necessity to see how cyber threats are evolving,” Johnson said.