The Homeland Security Committee chairman said the White House's proposal does not do enough to alleviate private-sector liability concerns.
House Homeland Security Committee Chairman Michael McCaul (R-Texas) said he hopes to send a cybersecurity information-sharing bill that includes added liability protections for companies to the House floor next month.
A legislative proposal the White House issued in January does not go far enough in offering companies legal protection when they share threat information, McCaul said March 17 in a speech at the Center for Strategic and International Studies in Washington, D.C.
"Companies are hesitant to share information about cyber threats and intrusions that take place in their networks" for fear of being sued for revealing customers' personal information, McCaul said. "As a result, the vast majority of cyberattacks go unreported, leaving others vulnerable to the same intrusions."
McCaul's work on liability protections could go beyond the forthcoming bill: He said he is working with the House Judiciary Committee to craft "a liability exemption standard that addresses these issues and will be used in other cyber information-sharing legislation in the House."
The White House's proposal would offer companies "targeted liability protection" when they share cyber threat information with the National Cybersecurity and Communications Integration Center, the Department of Homeland Security's hub for monitoring cyberspace and disseminating warnings.
McCaul said the government is not doing enough to encourage the private sector to be a full participant in the center. His bill would give companies further liability protection to encourage them to "monitor their own information systems and…use defensive measures to prevent intrusions," he added.
Under his legislation, a hacked bank, for example, would "not be held back from sharing details of the attack with either the government or other banks and businesses, as long as the sharing is done through the appropriate channels and does not compromise the private information of customers and citizens," McCaul said.
He touted DHS' involvement as a possible antidote to concerns that information-sharing legislation would expand government surveillance. Companies can trust NCCIC, he said, because it "is not a cyber regulator. It cannot prosecute you, and it is not a spy agency."
National Security Council spokesman Mark Stroh said the Obama administration would not comment on draft legislation. White House officials have tried to walk a fine line in supporting expanded information sharing while addressing the privacy concerns that have hampered similar legislation in the past.