Cyber threat-sharing bill clears House committee, would give immunity to companies

Reuters / Larry Downing
The House Intelligence Committee unanimously approved its cyber threat data-sharing bill on Thursday. The measure provides liability protections for companies when sharing cyber attack information with government agencies.

The unanimous vote by the House panel on Thursday for the Protecting Cyber Networks Act marks the first step in a top bipartisan legislative priority on how to share information when a government agency or private company undergoes a cyber attack, according to The Hill.

We’re off to a great start,” the Committee’s ranking member, Adam Schiff (D-Calif.), told reporters after the markup. “I think the prospect for successful passage of cyber legislation have gone up dramatically.”

READ MORE:CISA text released: Cyber bill revisions fail to impress privacy campaigners

The bill is one of three working their way through Congress. Another is being proposed by the House Homeland Security Committee to allow data sharing between the Department of Homeland Security and the private sector. The Senate Intelligence Committee approved a similar measure in a 14 – 1 vote in early March, though it came under withering criticism from privacy advocates. It is uncertain for the moment how the two House bills and the Senate would merge for a conclusive vote, but they share many similarities.

All three bills would authorize liability protections for companies so they could exchange cyber threat data with government agencies.

Government agencies, as well as the retail and banking sectors, have had repeated cyber attacks exposing the personal details of millions of Americans. The FBI announced last week that it was working with Premera Blue Cross regarding 11 million medical records that were hacked during a breach in 2014.

READ MORE:Premera Blue Cross cyberattack affected 11 million people’s records

There has been opposition in the past to cyber info-sharing, due to concerns that it would enhance the National Security Agency’s surveillance powers. Those fears were raised again after the House committee moved forward with its bill.

"You have pretty much non-existent privacy protections, along with new powers to spy on and monitor users…all while being provided broad immunity,”Mark Jaycox, a legislative analyst with the Electronic Frontier Foundation who is following the House and Senate bills,toldWired.

READ MORE: FBI pushing for new domestic and global internet hacking powers

It creates a perfect storm for sharing personal information with intelligence agencies.

The House bill actually includes an amendment that would require companies to strip out personal data about their customers before submitting the information to a government agency. This amendment is stronger than the one in the Senate bill, though the bill is weaker in other areas. For example, unlike the Senate bill, the House bill allows the government to gather data on threats that are not “imminent.”

While the House bill states explicitly that the information cannot be used by the government to highlight individuals for surveillance, groups like the American Civil Liberties Union say that is not enough – especially if an agency decides to gather data under another name.