One down, one to go on info sharing legislation

The House passed the Intelligence Committee's version of an information sharing bill, and has the Homeland Security measure on deck.

Congress is poised to pass sweeping legislation that sets up an information sharing regime between private companies that want to report cyberattacks and the federal government, after years of wrangling over the right balance between privacy for individuals and liability protections for companies.

The House passed the measure, which originated in the House Select Committee on Intelligence, on a bipartisan vote of 307-116 on April 22. A vote is scheduled for April 23 on a companion bill approved by the House Homeland Security Committee.

The Intel bill charges the Office of the Director of National Intelligence with sharing cyber threat indicators known to the government with private firms, and gives license to private firms to defend their networks against attack. It also provides statutory authority for the Cyber Threat Intelligence Integration Center, recently proposed as an addition to ODNI by the Obama administration.

"Businesses across the country are being cyber-attacked billions of times a day, and it is costing American workers and companies billions of dollars in stolen research and development, intellectual property and life savings. These threats also jeopardize critical infrastructure -- both public and private," said Rep. Adam Schiff (D-Calif.), ranking member on the Intelligence Committee. "Our bill will ensure that we have the tools to address these attacks by enabling voluntary information sharing of cyber threats between and among the private and public sectors."

The Homeland Security bill establishes the DHS as the hub of information sharing from private companies to the government. Taken together, both bills are intended to prevent the National Security Agency or other non-civilian government entities from receiving threat indicators directly from private network operations. The bills also have privacy provisions that would require some scrubbing of personally identifiable information on consumers from information submitted to the government.

Opponents of the bills say that these protections are not sufficient, and that the Intelligence Committee bill in particular endorses new surveillance by government and private firms on individual customers of network operators.

"This bill not only does a dismal job of protecting Americans' personal information, it would also allow the NSA and the FBI to use any of the information it receives to investigate a myriad of crimes that have nothing to do with cybersecurity," said Robyn Green, policy counsel at the New America Foundation's Open Technology Institute. "This bill is a wolf in sheep's clothing, doing at least as much to enable cyber-surveillance as to enhance cybersecurity-related information sharing."

The Obama administration put out statements before the vote pointing out what it sees as insufficient privacy protections for individuals, overly generous liability protections and concerns about the authorization of cyber combat by companies in the name of network defense. Nevertheless, the administration urged the House to pass both bills, to preserve the opportunity to make changes later on in the legislative process.