Next stop: House floor.
The House Intelligence Committee on Thursday passed a cybersecurity data-sharing bill after making changes aimed at addressing privacy concerns raised by the White House and civil liberties groups.
White House spokeswoman Caitlin Hayden said Friday that the White House was reviewing the new bill to see if it addressed their concerns.
Advocates are optimistic that the bill, which has strong industry support, will pass given the urgency of the cyber threat and the stated intention of House Speaker John Boehner to move cybersecurity legislation this session of Congress.
The legislation, cosponsored by the intel panel’s chairman, Mike Rogers (R-Mich.), and its ranking Democrat, Dutch Ruppersberger (Md.), seeks to foster the exchange of online cyber threat data between the private sector and the government, as well as among private sector entities.
But the White House and civil liberties advocates have previously said the bill jeopardized Americans’ privacy. The administration also raised concerns that antitrust and liability protections would limit efforts to hold companies accountable for failure to boost computer network defense.
In response to the privacy concerns, the committee amended the bill so that the U.S. government could use or comb through data shared by companies only if “at least one significant purpose” is for cybersecurity or national security.
The committee also specified:
* Private sector data-sharing must be voluntary and the government cannot force companies to give up data or condition the receipt of government data on private sector sharing of information.
* The intelligence community inspector general must submit to Congress an annual review of how the government used the private sector data, including impact on privacy.
Civil liberties advocates said the changes were an improvement, but not enough. Greg Nojeim, senior counsel for the Center for Democracy and Technology, said that the bill ought to specify that information gathered for cybersecurity purposes can be used only for cybersecurity purposes, including to prosecute people who conduct cyber crimes.
American Civil Liberties Union legislative counsel Michelle Richardson said the legislation should designate which federal agencies may obtain the data, and require companies to redact consumers’ personal information before handing over the information.
Advocates of the legislation say it could help protect the nation’s infrastructure against cyber attacks.
The bill “gives us an arrow in the quiver that will actually make a difference in our ability” to detect, prevent and mitigate cyber attacks and intrusions, said Robert Dix, vice president of government affairs for Juniper Networks and chairman of a cyber task force representing critical sectors.