House set to produce first major cyber legislation in years

The House on Wednesday passed a bill that would grant legal immunity to companies that share cyberthreat data with the federal government, a vote that could pave the way to Congress’s adopting the first major piece of cybersecurity legislation in years.

A similar bill is expected to pass the chamber Thursday. Both measures will then be fashioned into a package to be sent to the Senate.

Lawmakers have struggled for the past five years to pass legislation that would improve cybersecurity without compromising Americans’ privacy. Critics of the legislative efforts have pointed to concerns that in sharing information with the government, businesses would be divulging personal information about their customers. Businesses, meanwhile, have pushed for government protections from legal action.


The Protecting Cyber Networks Act, sponsored by the chairman and the ranking Democrat of the House Intelligence Committee, was adopted by a 307-to-116 vote. The White House had expressed concerns about the bill’s “sweeping liability protections” but supported passage so that lawmakers could advance legislation on the issue and refine it on the floor or in conference committee.


The White House and lawmakers have expressed growing concern about cyberattacks and stressed the need for cooperation between the private sector, which is often the target of hackers, and U.S. law enforcement and intelligence agencies. After highly publicized intrusions involving Target, JPMorgan Chase, Home Depot and Sony Pictures Entertainment, President Obama has called for legislation on the sharing of relevant information.


“Congress today took an important step forward in the fight against devastating cyberattacks on American businesses by passing a bipartisan cyber-information-sharing bill with strong privacy protections,” said Rep. Adam B. Schiff (D-Calif.), the panel’s ranking minority-party member.


House aides said they felt confident that legislation would be passed this year, not only because of greater awareness of the cyberthreat, but also because they had worked, they said, to address privacy concerns raised in the past.


To receive immunity from lawsuits, a firm would have to share cyberthreat indicators with a civilian agency such as the Department of Homeland Security. But the agency would be required to share that data in real time with relevant intelligence and defense entities such as the National Security Agency. The bill calls for firms to strip out personal information such as names and Social Security numbers before turning data over to the government. It also requires the civilian agency to take a second pass to screen out personal data before distributing the data to other agencies.


“This bill does not provide the government with any new surveillance authorities,” said the committee’s chairman, Rep. Devin Nunes (R-Calif.). “To the contrary . . . it only authorizes the sharing of cyberthreat indicators and defensive measures — technical information like malware signatures and malicious code.”


He noted that the bill requires biennial inspector general reports from appropriate federal entities on the government’s use and dissemination of cyberthreat indicators. The executive branch’s privacy watchdog, the Privacy and Civil Liberties Oversight Board, must also submit a biennial report on the bill’s privacy impact.


Lawmakers adopted five amendments, including one adding a seven-year sunset. But none addressed the White House’s concern that the immunity provision would grant protection to a company that fails to act on information it receives about the security of its network or to a company that is “grossly negligent” or “reckless” in failing to remove personal data.


Privacy advocates expressed disappointment.


“Saying that legislation isn’t about surveillance doesn’t make it so,” said Robyn Greene, policy counsel with the New America Foundation’s Open Technology Institute, one of 55 groups and security experts signing a letter urging a “no” vote. “This bill not only does a dismal job of protecting Americans’ personal information, it would also allow the NSA and the FBI to use any of the information it receives to investigate a myriad of crimes that have nothing to do with cybersecurity.”


Gregory Nojeim, senior counsel for the Center for Democracy and Technology, said he feared the bill might enable a company to undertake “defensive measures” or measures that could constitute hacking of a third party’s computer in an effort, for instance, to retrieve stolen data. “Attribution is an imperfect science at best,” he said. “So authorization to hack back could hurt innocent victims of someone else’s cyberattack.”


Rep. Jared Polis (D-Colo.) spoke against the intelligence panel’s bill and the one prepared by the Homeland Security Committee, which faces a vote Thursday. “The problem with these bills goes far beyond the fact that they don’t address existing privacy abuses; they open the door wide open to new abuses,” Polis said.


Under both bills, he said, the standard for masking or deleting cyberthreat data is “too vague” and includes “an implicit assumption that Americans’ personal information should be shared, unless federal officials have evidence that it is unrelated to a cybersecurity threat.”

Source: Washington Post