NYTimes: House Passes Cybersecurity Bill After Companies’ Data Breaches
WASHINGTON — Responding to a series of computer security breaches in government and the private sector, the House passed an expansive measure Wednesday that would push companies to share access to their computer networks and records with federal investigators.
The bill, which came after years of false starts and bitter disappointment for the Obama administration, is similar to a measure approved by the Senate Intelligence Committee and headed for that chamber’s floor this spring. The House measure, already largely embraced by the White House, passed, 307 to 116.
Should the House and Senate come together on final legislation, it would be the federal government’s most aggressive response yet to a spate of computer attacks that helped sink a major motion picture release by Sony Pictures Entertainment, exposed the credit card numbers of tens of thousands of customers of Target stores and compromised the personal records of millions of people who did business with the health insurer Anthem.
“The gravity of the emergency we have in cyberspace is setting in with lawmakers,” said Paul Kurtz, a cybersecurity expert who worked in the Bush and Obama administrations on the issue. “They now understand that companies can no longer fight the bad guys individually.”
The House bill would provide legal liability protections for companies that share cyber threat information with each other or with the government. But negotiators also added what they see as critical privacy protections.
If a company shares information with the government, it would receive liability protection only if its data undergoes two rounds of washing out personal information — once by the company before it gives the data to the government and another round by the government agency that receives the data, which many experts believe is critical in getting companies to comply.
“Liability protection is something needed to help companies share,” said Sarah Beth Groshart, director of government affairs at the Information Technology Industry Council. “And only Congress can provide that.”
Policing the nation’s computer networks has been complicated over the last decade by objections from Republicans, who expressed concern about burdens placed on the private sector, and from those in both parties arguing for more stringent privacy protection.
The 2013 exposure of the government’s extensive surveillance programs into American lives through the leak of classified documents by Edward Snowden further muddied an agenda that many national security experts insisted was critical to preventing large scale cyber attacks on American infrastructure and businesses. Further, jurisdiction for cybersecurity snaked over an array of congressional committees, making unified legislation at times difficult.
Lawmakers have been grappling with cybersecurity legislation since 2012, when a bipartisan Senate effort twice failed over business concerns that the legislation was putting too onerous a burden on the private sector.
Leon E. Panetta, who was defense secretary at the time, and intelligence leaders implored lawmakers to shrug off the furious opposition of the U.S. Chamber of Commerce, but lawmakers were not persuaded.
A House effort in the last Congress mustered strong opposition from the White House, which was concerned that it would jeopardize the privacy rights of consumers.
But since then, a series of cyberattacks has changed the political equation. The attack on Sony Pictures — Mr. Obama blamed the North Korean government for the attack — thwarted the wide release of a comedy portraying the assassination of North Korea’s leader, Kim Jong-un.
Early this year, Anthem reported a major breach that exposed the records of nearly 80 million people. Just last week, Target agreed to reimburse MasterCard $19 million for losses associated with the theft of 40 million credit and debit card numbers from its computer network in December 2013.
“We are under attack as I speak,” said Representative Dutch Ruppersberger, Democrat of Maryland. “To do nothing is not an option.”
Privacy advocates continued to express anger over the legislation Wednesday on the House floor, creating unlikely alliances between some conservatives and left-leaning members.
“We’ve seen before that the federal government has a poor track record of safeguarding our information when entrusted with it,” said Representative Jared Polis, Democrat of Colorado, on the House floor. “The last thing we should be doing,” is empowering them with more information access, he said.
His comments were echoed by Representative Darrell Issa, Republican of California. “Since 9/11 the government has begun to know more and more about what we are doing, where we are, where we sleep, who we love,” he said, while consumers “have known less and less.”
At the same time, some feel the bill does not go far enough on the national security front. “I do believe we will see a cybersecurity bill enacted and signed into law,” said Senator Susan Collins, Republican of Maine, who has worked on the issue for years. “But it won’t be as strong as it should be to protect critical infrastructure.”
However, security experts said that the government would benefit from the information sharing as well. “The net effect of this legislation will be positive on national security side and economic security side,” said Mr. Kurtz.
The White House issued a statement on Tuesday that commended the effort in the House but did raise concerns about the liability protections offered to private companies in the House bill, raising fears that they would be so sweeping that they might backfire and prevent companies from reporting cyberthreats.
Privacy changes in the bill won over Representative Adam Schiff, Democrat of California and ranking member on the House Intelligence committee, who opposed it last year, and both parties expect the president to come along as well.
The timing for passage of the Senate version of the bill may be impeded by time-consuming amendments. That chamber is already snarled over a bill that would give Congress more say in a nuclear deal with Iran and a major trade measure. The Highway Trust Fund is nearly broke and requires legislative action before the end of the month, and a national security program at issue also requires renewal.
Indeed, there is concern among some Republicans that the cybersecurity bill could become a vehicle for a debate about the broader national security and privacy matters. Senator Dianne Feinstein, Democrat of California, who is the ranking member on the Senate Intelligence Committee, said Wednesday she was confident that a bill would be passed and conferenced successfully with the House. “What matters is that we get it up,” she said.