Congressional aides announced yesterday that the House of Representatives is expected to pass a cybersecurity bill today with support from both Republicans and Democrats. The bill, the National Cybersecurity Protection Act, will push private companies to share access to their computer networks and records with federal cyber crime investigators.
Last month the House Intelligence Committee unanimously passed the bill. That was somewhat of a surprise given that the bill has been years in the making. A bipartisan effort in 2012 failed twice over concerns—including from the White House—that the private sector would be too burdened with the legislation and that such a bill may jeopardize the privacy rights of consumers. The current bill, however, is expected to pass with bipartisan support because it will increase liability protections for the private sector, which fears lawsuits for sharing customer information.
“I very much present this as...one that accomplishes that balance of facilitating the sharing of cyberinformation, cyber threat indicators, to make our personal and business information safer on the networks,” says Rep. John Ratcliffe, R-Texas, who helped write the bill. “At the same time, this bill very much ensures that people’s privacy is protected.”
The difference over the years is that the nature and severity of cyberattacks has changed. Last fall, the attack on Sony Pictures, which the FBI blamed on the North Korean government, prevented the wide release of a comedy portraying the assassination of North Korea’s leader, Kim Jong-un, as a New York Times article points out. Early this year, healthcare company Anthem reported a major breach that exposed the records of nearly 80 million people. Just last week, Target agreed to reimburse MasterCard $19 million for losses associated with the theft of 40 million credit and debit card numbers from its computer network in December 2013.
The current House bill would provide legal liability protections for companies that share cyberthreat information with one other or with the government. But negotiators added what they see as critical privacy protections. If a company shares information with the government, it would receive liability protection only if its data undergoes two rounds of washing out personal information—once by the company before it gives the data to the government and another round by the government agency that receives the data, the New York Times article reports. What’s more, the data would first go to a civilian agency, not the National Security Agency or the Defense Department, for that scrub.
President Barack Obama’s administration supports the passage of the current cybersecurity protection bill, but states that “improvements to the bill are needed to ensure that its liability protections are appropriately targeted to encourage responsible cybersecurity practices.” The administration also notes that adding the bill’s liability protections may “remove incentives for companies to protect their customers’ personal information.”
The Obama administration isn’t alone in voicing hesitation regarding the current bill. Some privacy advocates strongly oppose the legislation, saying it would do too little to prevent more data collection by the National Security Agency and other U.S. intelligence agencies, a Reuters article reports. Such surveillance has come under scrutiny since 2013 disclosures by former NSA contractor Edward Snowden.
Be all of that as it may, some corporations have been calling for Congress to extend legal liability protections so they can more easily share data with the government to help prevent and respond to cyberattacks. For example, several major companies, including Microsoft, Lockheed Martin and Morgan Stanley, had pushed for a threat-sharing bill.
What are your thoughts on cybersecurity and the supply chain? How much of a concern is it for you?