Congressional lawmakers have approved a bill in committee that would encourage information sharing between the government and the private sector about cyber-attacks and threats.
The cyber-security data sharing bill is based on the U.S. Department of Defense's Defense Industrial Base pilot program in which the Pentagon shares sensitive and classified cyber-threat data with defense contractors. The bill, introduced on Nov. 30, passed the House Intelligence Committee in a near-unanimous vote of 17-1 on Dec. 1. It will now go before the entire House of Representatives and the Senate for debate.
If passed, the bill would allow private-sector companies such as cable, Internet and telecommunications providers to inform the government about cyber-attacks and also receive classified intelligence on cyber-security threats so that they can protect their networks. The companies that would be allowed to receive classified intelligence would be certified by the Director of National Intelligence.
"The bill is a critical, bipartisan first step to empowering the private sector to do even more to protect its own networks," said Rep. Mike Rogers, R-Mich., chairman of the committee and the bill's sponsor.
An "economic cyber-war" is under way, waged by "economic predators," which include nation-states stealing business secrets and innovation from U.S. companies, Rogers said. "There are two types of companies in this country: those who know they've been hacked and those who don't know they've been hacked," he added.
Sharing sensitive threat information is "essential" to prevent a widespread attack across different industries and verticals, Torsten George, vice president of worldwide marketing at Agiliance, a risk and compliance management company, told eWEEK. Attacks against government networks, critical infrastructure operators and the private sector have increased in frequency and sophistication, he said.
Cyber-criminals are coordinating their efforts and are well-versed in sharing vulnerabilities and attack methodologies, according to George. "Government and private industry have to work hand-in-hand to quickly dissipate information about threats," said George. However, the group that the information would be shared with should be broadened, he said.
The initial version of the bill had drawn privacy concerns from the White House and from privacy and civil liberties advocacy groups such as the American Civil Liberties Union. Amendments to the bill include specifications that make participation in the program strictly voluntary. The information can also be shared anonymously, and a company can decide to restrict disclosure to specific agencies. Companies would be protected from civil or criminal lawsuits "for acting in good faith" if they informed the government about a cyber-attack or that sensitive personal information had been compromised.
Information that companies share with the government would be exempt from Freedom of Information Act requests and couldn't be used by the government for mandating regulations, according to the bill.
There were concerns that personal information would be part of the data handed over to the government, allowing it to use the data for matters unrelated to cyber-security. The amended bill specifies that the government would be barred from searching collected data unless the information was necessary to secure networks vulnerable to attacks or for national security purposes. The inspector general for U.S. intelligence agencies would also review and report on how the government was using the data provided by the companies.
"The best thing we can do is to remove the barriers that make it hard for industry to share information and defend themselves, and provide government information in support of those efforts," Rogers said.