The House Intelligence Committee introduced bipartisan legislation Tuesday to grant legal immunity to firms that pass cyberthreat data to the government, as lawmakers expressed cautious optimism that there is finally enough support to pass a bill that the president will sign.
“We’re very optimistic about cyber legislation this year,” said Rep. Adam B. Schiff (Calif.), the panel’s ranking Democrat, noting that recent attacks against Sony Pictures Entertainment and health-care companies have heightened awareness of the threat. He said the committee worked closely with the White House and civil liberties advocates to work through privacy concerns arising from sharing Americans’ personal information with the government.
Chairman Devin Nunes (R-Calif.) said some privacy advocates “are going to be against the legislation no matter what.” But, he said, “we don’t view this as the end-all be-all.”
The Protecting Cyber Networks Act, which the committee will consider on Thursday, comes a week after the Senate Intelligence Committee advanced its own cyberthreat legislation and four days after the House Homeland Security Committee introduced its version. Aides to leadership say floor action is expected shortly after Congress returns from spring break in mid-April, in what some are branding “cyberama.”
Nunes said the House bill could be conferenced with the Senate bill or could be merged with elements of the homeland security panel’s version.
Schiff said he thinks the Intelligence Committee bill addresses the main concerns that have blocked similar efforts for the past five years. “This is not a new surveillance authority,” he said of the bill, in a briefing with Nunes for reporters. The text makes clear in several places that nothing in it may be construed to authorize the federal government “to conduct surveillance of any person,” he said.
A committee aide said the White House was briefed on the legislation Monday. “I think they were pretty favorably disposed,” said the aide, who, like others, spoke on the condition of anonymity in accordance with committee protocol.
All three bills would allow firms to share cyberthreat indicators — which could be malicious software, parts of an Internet protocol address, or parts of an e-mail — with a civilian agency such as the Department of Homeland Security without risking a privacy lawsuit.
The House and Senate intelligence-panel bills require the civilian agency to share the information in real time or near real time with other parts of the government, including the Defense Department and the National Security Agency. The bills require any cooperating firm to strip information such as names and Social Security numbers out of data before turning it over to the government. The House bill requires the civilian agency to take a second pass to screen out personal data before distributing it within the government.
In some respects, the House Intelligence Committee’s bill is preferable to the Senate’s, said Robyn Greene, policy counsel with the New America Foundation’s Open Technology Institute. But, she said, “it is still a surveillance bill.”
She pointed to language that describes the permitted uses for the cyberthreat data, including investigations of serious felonies such as murder, kidnapping and robbery.
“Everyone wants law enforcement to investigate these crimes, but not at the expense of Americans’ Fourth Amendment rights,” Greene said. She said law enforcement should be required to obtain a warrant before looking at the data for those purposes.
A House Intelligence Committee aide said that under the bill, data can be shared only for a cybersecurity purpose. If that shared data also indicates a serious crime, then a law enforcement agency can use it, he said.
Aides to leadership in both chambers indicated a desire to move cybersecurity legislation soon. “This bipartisan [Senate] legislation is a priority for the leader and our conference,” said Don Stewart, deputy chief of staff to Senate Majority Leader Mitch McConnell (R-Ky.).