The U.S. government and companies would be encouraged to share information about cybersecurity threats and hacker attacks under legislation unveiled by House Intelligence Committee Chairman Mike Rogers.
The measure would shield companies from lawsuits and public disclosure requirements when they inform federal agencies about their security vulnerabilities and the type of cyber attacks they experienced, Rogers, a Michigan Republican, said today.
“There is an economic cyberwar going on today against U.S. companies,” Rogers said in a statement. “Economic predators, including nation-states, are blatantly stealing business secrets and innovation from private companies. This cybersecurity bill goes a long way in helping American businesses better protect their networks and their intellectual property.”
U.S. lawmakers have increased scrutiny of network security in the wake of hacking incidents at companies including Sony Corp. and Citigroup Inc. The National Counterintelligence Executive said this month that hackers and illicit programmers in China and Russia are pursuing American industrial secrets, jeopardizing an estimated $398 billion in U.S. research.
Rogers has accused the Chinese government of launching attacks, saying at a hearing last month that attacks from China have reached an “intolerable level.”
Under the bill, companies would be protected from civil or criminal lawsuits for “acting in good faith” to inform the government that hackers have attacked their computer systems or compromised people’s personal information.
Trade groups representing cable television and Internet-service providers praised the legislation, saying it would help break down barriers that prevent information sharing while sparing companies from additional government rules.
“We appreciate that this legislation avoids a prescriptive regulatory regime that does not fit the constantly evolving cyberthreat environment and it appropriately allows individual companies to determine how they can best participate,” Michael Powell, president of the Washington-based National Cable & Telecommunications Association, said in a statement.
Internet-service providers, including AT&T Inc. and Comcast Corp., may be asked to create a voluntary industry standard for fighting computer viruses known as botnets under a proposal from U.S. regulators. The Homeland Security and Commerce departments have said they may give companies protections from lawsuits when they develop that standard.
“There is a critical role for government in securing cyberspace, and today’s bill sets forth a path that would enable government and network providers to better share information in real time, while relying on market incentives,” Walter McCormick, president of the U.S. Telecom Association, a Washington-based group that represents Internet-service providers, said in a statement.
The American Civil Liberties Union criticized the bill, expressing concern that it will circumvent existing law and enable companies to turn over people’s personal information to the government, while giving those companies legal protection from lawsuits that consumer advocates or citizen groups may want to bring.
“Doesn’t it just become easier to dump information into the government’s hands rather than taking the time to minimize out personally identifiable or sensitive information?” Michelle Richardson, legislative counsel for the ACLU, said in an interview.
Rogers disagreed with that assessment. “They’re not going to share information about something outside of that realm,” he said in an interview.
“The whole purpose of this is to get their IT networks ready to stop something before it gets into their system,” he said. “Some notion that there is wholesale content being transferred is just blatantly wrong.”
The bill was written by Rogers and the committee’s top Democrat, C. A. “Dutch” Ruppersberger of Maryland. It doesn’t require companies to report their cybersecurity vulnerabilities to the government or tell businesses which agencies to contact.
Information that companies provide to the government would be exempt from Freedom of Information Act requests and couldn’t be used by the government for mandating regulations, according to the bill.
The bill calls on the Office of the Director of National Intelligence to establish procedures that allow intelligence agencies to share classified cyberthreat information with private companies that are certified by the government to receive such data.
The bill would let the Director of National Intelligence expedite issuing security clearances to certified companies so they can receive classified information. It also calls on the U.S. Privacy and Civil Liberties Oversight Board to provide Congress with an unclassified report yearly on sharing and use of cyber threat information. The Obama administration has yet to constitute the board.