Information sharing bills from the Homeland Security and Intelligence committees have won House passage this week.
The House overwhelmingly passed an information sharing measure April 23, the second in as many days that would create a long-sought legal indemnity framework for private companies to report to government on cyber threats and attacks, while giving government authority to share threat information with private companies.
The measure, which passed 355-63, originated in the House Homeland Security Committee. It would grant liability protection to companies that share details on cyberattacks with the Department of Homeland Security. The bill would establish the job of undersecretary for cybersecurity and infrastructure protection, to head a DHS operational component replacing the National Protection and Programs Directorate.
A privacy section would require companies sharing information and government to "reasonably limit, to the greatest extent practicable" the inclusion of personally identifiable information on individuals in shared threat indicators. An amendment added to the bill on the floor would sunset the legislation after seven years.
"This bipartisan, pro-privacy, pro-security bill has been three years and hundreds of stakeholder meetings in the making. I look forward to moving this landmark bill over to the Senate and getting it to the president’s desk as quickly as possible," said House Homeland Security Committee Chairman Michael McCaul (R-Texas).
The Obama administration has concerns about the extent of the privacy protections in the bill, and what it considers overly broad protection from liability. But the White House encouraged House passage, expecting to have another crack at making changes when the Senate considers information sharing legislation.
The House passed a competing measure that originated in the House Select Committee on Intelligence on a vote of 307-116 on April 22.
The Intel bill tasks the Office of the Director of National Intelligence with sharing cyber threat indicators with private firms, and would authorize private firms to defend their networks against attack. It also would provide statutory authority for the Cyber Threat Intelligence Integration Center, recently proposed as an addition to ODNI by the Obama administration.