New Legislation Seeks To Keep Hackers, NSA at Bay

Reps. Pat Tiberi, Devin Nunes, and Paul Ryan gather before a hearing of the House Ways and Means Committee, on April 9, 2014.

J. Scott Applewhite/AP

AA Font size + Print

Reps. Pat Tiberi, Devin Nunes, and Paul Ryan gather before a hearing of the House Ways and Means Committee, on April 9, 2014.

While the legislation seeks to promote information sharing, lawmakers will need to assuage privacy concerns.

The House Intelligence Committee will introduce legislation Tuesday designed to improve the nation’s defenses against cyberattacks like the one that recently brought Sony Pictures to its knees.

The bipartisan measure intends to cajole the private sector to voluntarily share more digital information with the government by offering expanded liability protections for companies that participate, as long as they make efforts to scrub out personally identifiable data. Despite added privacy protections, however, the bill will need to overcome fears it may embolden government spying before it can become law.

The intelligence committee plans to hold a vote on the bill, titled the Protecting Cyber Networks Act, on Thursday. The Senate Intelligence Committee passed a similar measure 14-to-1 earlier this month.

The quick movement on the bill is due in part to a desire in Congress on both sides of the aisle to get something done soon on cybersecurity, Rep. Devin Nunes, the chairman of the Intelligence Committee, told reporters during a briefing Tuesday. Leadership in both parties as well as the White House have highlighted cybersecurity legislation as a top priority, as it is viewed as one of a few policy areas where genuine bipartisan consensus is achievable.

You’re seeing this spiral out of control,” Nunes said, referencing recent cyberattacks on health-insurance companies like Anthem. Without the liability protections the bill affords, “companies won’t feel confident that they can share certain information [with the government] when they are attacked, and that will make them more vulnerable.”

The bill has been crafted to some degree in tandem with separate legislation being put forth by the House Homeland Security Committee, which details the parameters for information-sharing through a so-called “cyber portal” housed within the Homeland Security Department. 

The intelligence panel’s bill is “agnostic” on what portals are used, Nunes said, as long as it is a civilian portal—meaning not the National Security Agency or Defense Department. The choice of a portal is left up to the White House. That also differs from the Senate version, which specifies that the hub be set up within DHS. Both measures would set up a regime of “real-time” sharing with other agencies, however, including the NSA, which privacy advocates have sharply criticized.

Before any data can be handed over to the NSA, it must go through two rounds of scrubbing out personally identifiable information—once by the business and again after the government’s intake.

In addition, the House measure limits liability protection coverage to “defensive measures,” meaning so-called “hack backs” would not be permitted. It also codifies the establishment of the Cyber Threat Intelligence Integration Center at DHS but would require its personnel to be borrowed from existing staff.

Information-sharing legislation has been dogged for years by fears from privacy groups that such measures could lead to more government snooping of Americans’ personal data. But Rep. Adam Schiff, the top Democrat on the intelligence panel, has vowed that this bill will not contain any new surveillance authorities, calling it a “strong improvement” over what the committee offered last Congress.

People should recognize that we’re in a far better place with a bill in respect to privacy,” Schiff said. “We’re doing everything we can to meet the issues that have been raised.”

To combat privacy concerns, the bill being introduced Tuesday contains three separate passages that explicitly prohibit surveillance.

Nothing in this Act or the amendments made by this Act shall be construed to authorize the Department of Defense or the 18 National Security Agency or any other element of the intelligence community to target a person for surveillance,” the bill reads.

House Intelligence Committee aides said that level of explicit language is absent from a Senate information-sharing bill that passed the Senate Intelligence Committee earlier this month.

Both Nunes and Schiff indicated they hoped their measure could earn movement on the House floor in April. The lawmakers said they have been engaged with the White House about the bill and believe administration officials are encouraged by how the bill differs from earlier iterations, which President Obama threatened to veto due in large part to privacy concerns.

If they issue a veto threat or say anything about this legislation, it’s dead,” Nunes said. “There is no reason why the president of the United States should not issue full-throttle support of this legislation.”

Close [ x ] More from DefenseOne