WASHINGTON – A House panel voted overwhelmingly Wednesday in favor of a new data-sharing program that would give the federal government a broader role in helping banks, manufacturers and other businesses protect themselves against cyberattacks.
The bill, approved 18-2 by the House Intelligence Committee, would enable companies to disclose technical threat data to the government and competitors in real-time, lifting antitrust restrictions and giving legal immunity to companies if hacked, so long as they act in good faith. In turn, companies could get access to government information on cyberthreats that is often classified.
It's a defiant move by pro-business lawmakers who say concerns by privacy advocates and civil liberties groups are overblown. But even while the panel's approval paves the way for an easy floor vote next week, the legislation has yet to be embraced outside the Republican-controlled House. Last year, a similar measure never gained traction and eventually prompted a White House veto threat.
"We've struck the right balance," said Rep. Mike Rogers, R-Mich., the committee's chairman. "It's 100 percent voluntary. There are no big mandates in this bill, and industry says under these conditions they think they can share (information), and the government can give them information that might protect them."
The Cyber Intelligence Sharing and Protection Act, or CISPA, is widely backed by industry groups that say businesses are struggling to defend against aggressive and sophisticated attacks from hackers in China, Russia and Eastern Europe.
Privacy and civil liberties groups have long opposed the bill because they say it opens America's commercial records to the federal government without putting a civilian agency in charge, such as the Homeland Security Department or Commerce Department. That leaves open the possibility that the National Security Agency or another military or intelligence office would become involved, they said. While the new program would be intended to transmit only technical threat data, opponents said they worried that personal information could be passed along, too.
Democratic Reps. Adam Schiff of California and Jan Schakowsky of Illinois were the lone dissenters. At a press conference, they said they would push for amendments on the House floor next week that would specifically bar the military from taking a central role in data collection and instead put the Homeland Security Department in charge. They also want a requirement that industry scrub any data of personal information before giving it to the government -- a stipulation that Rogers and business groups say would be too onerous and deter industry participation.
Rogers, who co-sponsored the bill with Rep. Dutch Ruppersberger, D-Md., the panel's top Democrat, said they altered the bill to address other concerns by privacy groups raised last year. But a lawyer for the American Civil Liberties Union, Michelle Richardson, said the bill is still objectionable because it could allow the military to review data on private commercial networks.
"A couple of cosmetic changes is not enough to address the concerns of members" in the Senate, Richardson said.
Rogers says the political calculus has changed and that China's hacking campaign was too brazen for the White House to justify the status quo.
"There's a line around the Capitol building of companies willing to come in and tell us in a classified setting (that) `my whole intellectual property portfolio is gone,"' Rogers said. "I've never seen anything like this, where we aren't jazzed and our blood pressure isn't up."
In February, Obama signed an executive order that would help develop voluntary industry standards for protecting networks. But the White House and Congress agreed that legislation was still needed to address the legal liability companies face if they share threat information. Senate Majority Leader Harry Reid, D-Nev., promised at the time to advance a bipartisan proposal "as soon as possible," although one hasn't emerged.
Sen. Jay Rockefeller, D-W.Va., chairman of the Senate Commerce Committee, is expected to take the lead on a cybersecurity proposal that would likely address the issue of information sharing. A panel spokesman said Rockefeller plans to work with Sen. John Thune, R-S.D., to introduce a plan to committee members "in the near future."