The House Intelligence Committee introduced legislation Tuesday to provide liability protection for companies that share threat intelligence information with one another or the federal government.
The bill deals only with the voluntary sharing of cyber-threat indicators by the private sector, and requires companies remove personal information before any data is shared. It also limits the private-to-private and private-to-government information sharing to cyber-threat indicators and defensive measures meant to combat a threat. The legislation does not permit the sharing of information for non-cyber purposes, and imposes restrictions on the use, storage and searching of any data voluntarily shared with the government.
The committee is expected to vote on the legislation Thursday. If it successfully passes, it would likely be sent to the full House for a vote in late April, according to Reuters.
“We cannot continue to allow outdated laws to be the barriers to solutions,” said Cybersecurity Subcommittee Chairman Lynn Westmoreland (R-GA), in a statement. “The Protecting Cyber Networks Act enhances our cybersecurity by allowing information sharing on imminent cyber threats between the private and public sectors, and by ensuring that personally identifiable information is not compromised during the process. When we empower American businesses and citizens to work together, we can fight back against hackers and cyberterrorists for the good of our nation and all its people.”
A similar bill, the Cybersecurity Information Sharing Act (CISA), was recently approved by the Senate Intelligence Committee.
Dave Meltzer, chief research officer at Tripwire, said the security industry has spent the past several years building up the technology to make the sharing of cyber-threat data possible. To really make implementing that a reality however will take legislation, he said.
“Corporations need to be protected when they share intelligence outbound from liability, and this bill covers that, and the government needs to have the directive to share that intelligence they receive, and intelligence generated inside the government, back out to the private sector, which is also covered,” he said. “It would be a shame if privacy concerns, which are really about future unintended consequences of this legislation than the reality to the actual cyber-threat indicators being shared today, torpedo these key parts of the legislation that are positive and needed to move our nation’s cyber-security forward. I hope the privacy concerns can and have been adequately addressed in the latest amendments, so that our Congress can come together to move this legislation forward quickly.”
Subcommittee Ranking Member Jim Himes (D-Conn.) called the legislation an important step.
“Experts from all corners agree that a balanced cyber information sharing bill is a critical next step in securing our networks, preserving our privacy and safeguarding against the kinds of cyber-attacks we’ve seen against Anthem, Target and Home Depot,” he said in a statement. “This legislation marks an important step and I look forward to working with my colleagues to improve the proposal as it moves forward and to ensure that Congress passes a comprehensive cybersecurity bill this year.”