The House Intelligence Committee passed a bill that would make it easier for the private sector and the federal government to share cyber-threat data.
Congressional lawmakers have approved a
bill in committee that would encourage information sharing between the
government and the private sector about cyber-attacks and threats.
The cyber-security data sharing bill is
based on the U.S. Department of Defense's Defense Industrial Base pilot program,
in which the Pentagon shares sensitive and classified cyber-threat data with defense
contractors. The bill, introduced on Nov. 30, passed the House Intelligence
Committee in a near-unanimous vote of 17-1 on Dec. 1. It will now go before the
entire House of Representatives and the Senate for debate.
If passed, the bill would allow
private-sector companies such as cable, Internet and telecommunications
providers to inform the government about cyber-attacks and also receive
classified intelligence on cyber-security threats so that they can protect
their networks. The companies that would be allowed to receive classified
intelligence would be certified by the Director of National Intelligence.
"The bill is a critical,
bipartisan first step to empowering the private sector to do even more to
protect its own networks," said Rep. Mike Rogers, R-Mich., chairman of the
committee and the bill's sponsor.
An "economic cyber-war" is
under way as "economic predators," including nation-states,
steal business secrets and innovation from U.S. companies, Rogers said.
"There are two types of companies in this country: those who know they've
been hacked and those who don't know they've been hacked," he added.
Sharing sensitive threat information is
"essential" to prevent a widespread attack across different
industries and verticals, Torsten George, vice president of worldwide marketing
at Agiliance, a risk and compliance management company, told eWEEK.
Attacks against government
networks, critical infrastructure operators and the private sector have
increased in frequency and sophistication, he said.
Cyber-criminals are coordinating their
efforts and are well-versed in sharing vulnerabilities and attack
methodologies, according to George. "Government and private industry have
to work hand-in-hand to quickly dissipate information about threats," said
George. However, the group that the information would be shared with should be
broadened, he said.
The initial version of the bill had
raised privacy concerns from the White House and privacy and advocacy groups
such as the American Civil Liberties Union. Amendments to the bill include
specifications that make participation in the program strictly voluntary. The
information can also be shared anonymously, and the company can decide to
restrict the disclosure to specific agencies. Companies would be protected from
civil or criminal lawsuits "for acting in good faith" if they
informed the government about a cyber-attack or that sensitive personal
information had been compromised.
Information that companies share with
the government would be exempt from Freedom of Information Act requests and
couldn't be used by the government for mandating regulations, according to the
There were concerns that personal
information would be part of the data handed over to the government, allowing
it to use the data for matters unrelated to cyber-security. The amended bill
specifies that the government would be barred from searching collected data
unless the information was necessary to secure networks vulnerable to attacks
or for national security purposes. The inspector general for U.S. intelligence
agencies would also review and report on how the government was using the data
provided by the companies.
"The best thing we can do is to
remove the barriers that make it hard for industry to share information and
defend themselves, and provide government information in support of those
efforts," Rogers said.