McCaul readies cyber bill with added liability protections
- By Sean Lyngaas
- Mar 17, 2015
Rep. Michael McCaul (R-Texas)
House Homeland Security Committee Chairman Michael McCaul (R-Texas) said he hopes to send a cybersecurity information-sharing bill that includes added liability protections for companies to the House floor next month.
A legislative proposal the White House issued in January does not go far enough in offering companies legal protection when they share threat information, McCaul said March 17 in a speech at the Center for Strategic and International Studies in Washington, D.C.
"Companies are hesitant to share information about cyber threats and intrusions that take place in their networks" for fear of being sued for revealing customers' personal information, McCaul said. "As a result, the vast majority of cyberattacks go unreported, leaving others vulnerable to the same intrusions."
McCaul's work on liability protections could go beyond the forthcoming bill: He said he is working with the House Judiciary Committee to craft "a liability exemption standard that addresses these issues and will be used in other cyber information-sharing legislation in the House."
The White House's proposal would offer companies "targeted liability protection" when they share cyber threat information with the National Cybersecurity and Communications Integration Center, the Department of Homeland Security's hub for monitoring cyberspace and disseminating warnings.
McCaul said the government is not doing enough to encourage the private sector to be a full participant in the center. His bill would give companies further liability protection to encourage them to "monitor their own information systems and…use defensive measures to prevent intrusions," he added.
Under his legislation, a hacked bank, for example, would "not be held back from sharing details of the attack with either the government or other banks and businesses, as long as the sharing is done through the appropriate channels and does not compromise the private information of customers and citizens," McCaul said.
He touted DHS' involvement as a possible antidote to concerns that information-sharing legislation would expand government surveillance. Companies can trust NCCIC, he said, because it "is not a cyber regulator. It cannot prosecute you, and it is not a spy agency.
National Security Council spokesman Mark Stroh said the Obama administration would not comment on draft legislation. White House officials have tried to walk a fine line in supporting expanded information sharing while addressing the privacy concerns that have hampered similar legislation in the past.
Sean Lyngaas is an FCW staff writer covering defense, cybersecurity and intelligence issues. Prior to joining FCW, he was a reporter and editor at Smart Grid Today, where he covered everything from cyber vulnerabilities in the U.S. electric grid to the national energy policies of Britain and Mexico. His reporting on a range of global issues has appeared in publications such as The Atlantic, The Economist, The Washington Diplomat and The Washington Post.
Lyngaas is an active member of the National Press Club, where he served as chairman of the Young Members Committee. He earned his M.A. in international affairs from The Fletcher School of Law and Diplomacy at Tufts University, and his B.A. in public policy from Duke University.
Click here for previous articles by Lyngaas, or connect with him on Twitter: @snlyngaas.