U.S. House legislation calling for companies and the government to share data on hacker threats needs to be better defined to protect consumer privacy, Democratic lawmakers and cybersecurity specialists said.
The draft measure’s provision creating a quasi-governmental information-sharing organization should be tailored to avoid overlap with work already performed by the Homeland Security Department, Representative Yvette Clarke, a New York Democrat, said today at a House subcommittee hearing.
Lawmakers need “to explore the real-life implications of such a body and its actions, and how it would affect the department’s ability to enhance cybersecurity for our government agencies,” said Clarke, the senior Democrat on the House cybersecurity subcommittee, which held the hearing.
Data breaches this year at Sony Corp., Citigroup Inc. and Lockheed Martin Corp. sharpened government scrutiny of U.S. network defenses. The bill discussed today is one of several measures circulating in Congress aimed at safeguarding systems at companies and U.S. agencies that operate financial networks, power plants and telecommunications networks.
The information-sharing organization envisioned under the bill would be overseen by a board that includes officials from federal agencies, civil liberties groups and companies that own or operate critical infrastructure such as financial networks or utilities.
The measure, backed by Representative Dan Lungren, a California Republican and subcommittee chairman, doesn’t name participating agencies or specify a role for the Homeland Security Department.
Expand Existing Ties
Encouraging the government to “share information is a strong step in the right direction,” Cheri McGuire, vice president of global government affairs and cybersecurity policy for Symantec Corp., a Mountain View, California-based computer security provider, said during the hearing.
Companies that sell cybersecurity services would be more likely to support the clearinghouse if the new organization were built on existing ties between the government and private sector, McGuire said. She cited the councils designated by the Homeland Security Department to work in concert with the government on protecting critical infrastructure.
“Questions remain about how we will continue to utilize the existing entities under the proposed framework,” said McGuire, who is chairwoman of the department’s council for information-technology companies. “This is important given the significant time and resources that companies have invested.”
Stronger privacy protections should be added to the bill, including clear definitions of the kinds of threat information private companies share with the government, said Gregory Nojeim, senior counsel at the Center for Democracy and Technology, a nonprofit based in San Francisco that supports innovative technology with strong privacy safeguards.
Nojeim urged lawmakers to restrict the government to using threat information only for improving cybersecurity, and prohibit its use for law enforcement purposes.
Lungren said in an interview after the hearing that he would incorporate more privacy protections in the bill based on Nojeim’s testimony and clarify that the clearinghouse would be civilian run. He said he plans to formally introduce the bill next week and bring it for a vote by the panel in January.
House Republican leaders haven’t decided when to put any of their bills to a final vote, while Senate Majority Leader Harry Reid, a Nevada Democrat, said he plans to move on a comprehensive cybersecurity measure early next year.