A draft bill in the U.S. House would create an organization to share cybersecurity data between the government and companies, a move privacy advocates say must include safeguards to protect personal information.
The so-called National Information Sharing Organization would be overseen by a board of directors that includes officials from federal agencies, civil liberties organizations and companies that own or operate critical infrastructure such as financial institutions or utilities.
Details of the organization’s operations have yet to be set, and the board would designate agencies that belong. The House cybersecurity subcommittee plans a hearing on the draft tomorrow, and the National Cable and Telecommunications Association and Symantec Corp. (SYMC) said they’re reviewing the language.
“Information-sharing is often referred to as the key to combating cyber threats,” said Cheri McGuire, Symantec’s vice president of global government affairs and cybersecurity policy, who is scheduled to testify at tomorrow’s hearing. She said sharing data is a tool to allow protective actions.
Gregory Nojeim, senior counsel at the nonprofit Center for Democracy and Technology, said the draft takes a “good approach” toward improving cybersecurity. Nojeim, who is also scheduled to testify, said the bill must clarify the types of data that companies can share with the government and what federal agencies can do with the information.
“It’s important that information-sharing not devolve into governmental monitoring of private-to-private communications,” he said. Proposals should define the data shared, limit the use and purpose of sharing and include audits to ensure that rules are followed, said Nojeim, whose San Francisco-based group works to promote innovative technology with strong privacy protections.
The clearinghouse envisioned under the bill may share timely, classified information about threats to critical information technology networks, according to the draft.
Data shared by private companies with the organization would be exempt from public disclosure and shielded from use in federal or state lawsuits. The information could be used in federal investigations into criminal acts.
The draft bill doesn’t give the Homeland Security Department power to regulate private companies when it comes to cybersecurity, instead calling on the department to develop performance standards and market incentives for network protection. Those would be shared with other agencies that regulate important infrastructure, such as financial institutions, telecommunications companies and utilities.
“Agencies that currently have regulatory authority over this particular aspect of the economy would be required to incorporate identified performance standards,” said Brian Kaveney, a spokesman for Representative Dan Lungren, a California Republican who led the drafting of the bill and is chairman of the House Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies.
The draft specifies that the department would be responsible for developing and conducting risk assessments for federal information-technology systems. The department would work in consultation with private companies to improve security of their networks.
The draft is one of several cybersecurity measures circulating in the House. Republican leaders haven’t decided when to bring any of the bills to the House floor for a vote.
To contact the reporter on this story: Chris Strohm in Washington
To contact the editor responsible for this story: Michael Shepard