Leaders of the House intelligence committee have crafted bipartisan legislation aimed at fostering the exchange of online information between the private sector and the government to better protect commercial computer networks from cyberattacks.
The bill, introduced Wednesday by the committee’s chairman, Mike Rogers (R-Mich.), and ranking Democrat, C.A. “Dutch” Ruppersberger (Md.), has strong support from the telecommunications industry. The White House and civil liberties advocates, however, have raised concerns that the bill could jeopardize individuals’ privacy.
The Cyber Intelligence Sharing and Protection Act of 2011 exempts private firms from liability for sharing data with the government, as well as for any failure to use that data to improve their networks. The goal, Rogers said, is to encourage the private sector and the government to exchange information that could be useful in protecting systems that are critical to the nation’s security and economic interests.
Data that could flow from companies to the government include Internet protocol addresses that a firm detects in a hacking incident on its network or samples of malicious software that turn up on its computers. The government could share classified intelligence it has gathered about online threats.
Companies would not be forced to share data, and they could decide which government agency to share it with.
“The whole purpose of this bill is to create an environment in which companies want to cooperate” to share information, Rogers said at a news conference Wednesday.
The Obama administration has concerns that industry liability exemptions are too generous, but Rogers said that protecting companies from lawsuits for sharing data or failing to act on the data was a key incentive. He suggested that companies did not need a mandate to improve their network defenses because “it’s in their own best interests to cooperate.”
He called the bill “a very narrow, very important first step” in encouraging data sharing to prevent attacks that take down systems and intrusions resulting in tens of billions of dollars in stolen intellectual property annually.
“We appreciate that this legislation avoids a prescriptive regulatory regime,” Michael K. Powell, president and chief executive of the National Cable and Telecommunications Association, said in a statement. “This legislation will protect both our national security and our customers.”
But White House spokeswoman Caitlin Hayden said “the inclusion of generous liability and antitrust protections could limit the government’s ability to protect citizens and hold corporations accountable.”
The administration and civil liberties advocates said the bill as written does not sufficiently protect Americans’ privacy.
“The administration will not support anything that does not include a customized set of requirements for privacy protection,” said Hayden, noting that an administration-proposed bill released in May included such provisions.
“They’re just going to blow a hole through all the privacy laws on the books for cybersecurity purposes,” said Michelle Richardson, legislative counsel for the American Civil Liberties Union. “The concern is that the government will be able to create records of people’s Internet use in the name of cybersecurity.”
Greg Nojeim, senior counsel for the Center for Democracy and Technology, said the legislation ought to put strict limits on the government’s use of consumer data shared by the private sector. Under the bill, he said, if a company shares information on a person’s Internet activities that the company collected to help prevent the user’s account from being hacked, the government could use that data for any purpose. That might include criminal prosecutions unrelated to cybersecurity and the identification of targets for intelligence collection, which could include the user, he said.
“This legislation allows for the information to be shared without a court order or other protections,” he said.
A senior House aide said he could not rule out that “some incidental data” could be transferred to the government, but said there would still be restrictions on the data’s use. He said that the FBI, for example, must still meet a certain standard to open a criminal investigation.
“We’re not talking about companies dumping terabytes of private e-mail content” on the government, said the aide, who spoke on condition of anonymity because he was not authorized to speak publicly about pending legislation.
He said companies could require that their security providers — for example, Verizon or Symantec — remove any reference to the firm’s name, employees or customers before sharing the data with the government.
Stewart A. Baker, a former National Security Agency general counsel and senior Department of Homeland Security official, said much of the online data can already be provided under exceptions built into existing law but that companies are afraid that the law bars them from doing so.
That is why, the House aide said, “we felt they needed a clear statement: There is no legal reason why you can’t share information.”
The committee could consider the bill as soon as Thursday.