The House on Wednesday passed long-awaited legislation designed to thwart cyberattacks by encouraging private companies to share information about the attackers’ methods with each other and the government.
The measure, which passed 307 to 116, grants protection from liability if companies follow certain procedures. Many companies have been reluctant to share internal data about cyberattacks for fear of being sued, leaving both the firms and the government less equipped to battle an onslaught of cyberintrusions, including state-sponsored campaigns to purloin American intellectual property.
“At some point, we need to stop just hearing about cyberattacks that steal our most valuable trade secrets and our most private information, and actually do something to stop them,” said Rep. Adam Schiff, ranking Democrat on the Intelligence Committee and one of the measure’s principal authors.
In a statement, the White House praised the bill that passed Wednesday while also expressing concerns, arguing that the liability protections in some cases went too far and could ultimately reduce the incentive for companies to report breaches. The White House also called for language ensuring that data is not shared by businesses to thwart competition.
Wednesday’s bill came out of the Intelligence Committee. The House is expected to pass a similar bill on Thursday that emerged from the Homeland Security Committee. The two measures will be reconciled into a single piece of legislation before heading to the Senate, where a similar bill has been introduced with bipartisan support.
Information sharing is badly needed, backers say, so that government agencies can help the private sector defend against sophisticated cyberattacks, many of which are undertaken by intelligence agencies in countries such as Russia, China, North Korea and Iran.
The House bill passed Wednesday would grant companies liability protection if they stripped out personal information from the data and shared it in real time through a civilian portal, most likely run by the Department of Homeland Security.
Similar efforts have foundered in previous years over concerns by privacy groups that personal information held by companies would end up in the hands of the National Security Agency, the digital spying agency that is the country’s foremost repository of cyberexpertise. The House bill would allow the NSA to get the data, but not until private information had been removed.
“This bill does not provide the government with any new surveillance authorities,” said chief sponsor Devin Nunes, the House Intelligence Committee chairman. “To the contrary, it includes robust privacy protections.”
The bipartisan action comes amid the increasing pace of cyberattacks against private companies, including one against Sony Pictures Entertainment that the U.S. government says was carried out by North Korea. The hackers damaged Sony computers and released secret corporate information. Another attack in late 2013 on U.S. retail stores, including Target, exposed the credit and debit card numbers of millions of Americans.
U.S. officials have long warned of the risks that cyberattacks could do physical damage, including poisoning water systems, blowing up chemical plants and shutting down parts of the U.S. power grid.
(AP)