Compliance Management, Government Regulations

House panel gives go-ahead to cyber bill

Following years of wrangling in Congress and a slew of headline-grabbing breaches, the House of Representatives is expected to pass a cybersecurity bill on Wednesday that will require threat information-sharing between the private and public sectors.

The National Cybersecurity Protection Act – proposed on April 13 by two Republican representatives from Texas – is intended to foster sharing of data to bolster defenses against cyber threats. It was passed without opposition on April 14 by the House Homeland Security Committee, although debate continued during its final markup.

The bill, similar to another info-sharing bill, the Protecting Cyber Networks Act, currently working its way through committee in the House, would engage the Department of Homeland Security as an intermediary for the sharing of electronic information between private companies and the federal government. As a tradeoff, companies would be offered protection from civil suits sought by those who believe the data sharing violates privacy laws.

Democrats lost their bid to insert language to protect companies from inaction, while Republicans argued that such a clause would discourage companies from sharing data. There was agreement, however, on adding language that would forbid any shared intelligence from being used for surveillance purposes, a provision of paramount concern to privacy advocates.

The bill is seen as Congress's strongest push for cybersecurity legislation following earlier attempts that languished in committee. A major cyber attack on Sony and high-profile breaches of Anthem and Target are seen as the catalysts for the escalation of negotiation in Congress.

Experts on a Cybersecurity Legislation; Congressional & Administrative Action panel at the RSA Conference in San Francisco Tuesday roundly predicted that both House bills would make it through the House, where, Sarah Beth Groshart, director, government affairs and legislative counsel at the Information Technology Industry Council, said "they will be merged to negotiate with the Senate," which has a similar bill circulating.

“With the passing of this bill, Congress is formally recognizing the role that information sharing must play if we are going to have a chance of staying ahead of the bad guys," Paul Kurtz, CEO at TruSTAR Technology, told in an email. "While Congress has done a good job at defining what kind of information should be shared and recognizing that liability protection is critical, the next question is how can organizations protect themselves from the legal, regulatory or market risk associated with disclosing cyber attacks. Organizations will need to select the right technology partners that give them the freedom to share cyber incident data without the associated risks."

While the Obama administration expressed support for the bill, it had a reservations over liability provisions encased in the bill. In a statement, it said, “improvements to the bill are needed to ensure that its liability protections are appropriately targeted to encourage responsible cybersecurity practices,” adding that the bill's liability protections may "remove incentives for companies to protect their customers' personal information."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.