Following years of wrangling in Congress and a slew of headline-grabbing breaches, the House of Representatives is expected to pass a cybersecurity bill on Wednesday that will require threat information-sharing between the private and public sectors.
The National Cybersecurity Protection Act – proposed on April 13 by two Republican representatives from Texas – is intended to foster sharing of data to bolster defenses against cyber threats. It was passed without opposition on April 14 by the House Homeland Security Committee, although debate continued during its final markup.
The bill, similar to another info-sharing bill, the Protecting Cyber Networks Act, currently working its way through committee in the House, would engage the Department of Homeland Security as an intermediary for the sharing of electronic information between private companies and the federal government. As a tradeoff, companies would be offered protection from civil suits sought by those who believe the data sharing violates privacy laws.
Democrats lost their bid to insert language to protect companies from inaction, while Republicans argued that such a clause would discourage companies from sharing data. There was agreement, however, on adding language that would forbid any shared intelligence from being used for surveillance purposes, a provision of paramount concern to privacy advocates.
The bill is seen as Congress's strongest push for cybersecurity legislation following earlier attempts that languished in committee. A major cyber attack on Sony and high-profile breaches of Anthem and Target are seen as the catalysts for the escalation of negotiation in Congress.
Experts on a "Cybersecurity Legislation; Congressional & Administrative Action" panel at the RSA Conference in San Francisco on Tuesday roundly predicted that both House bills would make it through the House, where, said Sarah Beth Groshart, director, government affairs and legislative counsel at the Information Technology Industry Council, "they will be merged to negotiate with the Senate," which has a similar bill circulating.
While the Obama administration expressed support for the bill, it had reservations over the liability provisions contained in the bill. In a statement, it said, “improvements to the bill are needed to ensure that its liability protections are appropriately targeted to encourage responsible cybersecurity practices,” adding that the bill's liability protections may "remove incentives for companies to protect their customers' personal information."