The House on Wednesday passed the first major cybersecurity bill since the calamitous hacks on Sony Entertainment, Home Depot and JPMorgan Chase.
Passed 307-116, the Protecting Cyber Networks Act (PCNA), backed by House Intelligence Committee leaders, would give companies liability protections when sharing cyber threat data with government civilian agencies, such as the Treasury or Commerce Departments.
“This bill will strengthen our digital defenses so that American consumers and businesses will not be put at the mercy of cyber criminals,” said House Intelligence Committee Chairman Devin Nunes (R-Calif.).
{mosads}The legislation is the first of three measures Congress must pass to finally get a cyber info-sharing law in place. The White House has put its hesitant stamp of approval on two House bills, and seems open to supporting the Senate’s companion legislation.
Congress has contemplated some form of this law for nearly five years. But catastrophic data breaches within the last year have laid bare hundreds of millions of Americans’ credit card data and Social Security numbers, raising public awareness and putting the onus on Capitol Hill to act.
The goal is to increase the public-private flow of information about hacking attempts. Advocates say such an exchange is the biggest first step the country can take to thwart hackers.
Lawmakers, government officials and most industry groups argue more data will help both sides better understand their attackers and bolster network defenses that have been repeatedly compromised over the last year.
Privacy advocates and a group of mostly Democratic lawmakers worry the bill will simply shuttle more sensitive information to the National Security Agency (NSA), further empowering its surveillance authority. Many security experts agree, adding that they already have the data needed to study hackers’ tactics.
Before final passage, the House adopted an amendment from Rep. Andre Carson (D-Ind.) by voice vote requiring the inspector general to report on how personal information is removed from data shared with federal agencies.
“For all the benefits of this bill, the American people still rightfully so expect oversight that is consistent and comprehensive,” said Carson, a member of the Intelligence Committee. “It will ensure Congress and the public that sharing is happening properly and the public is being protected.”
The House will vote Thursday on a complementary measure from the Homeland Security panel — the National Cybersecurity Protection Advancement Act — which would extend liability protections to companies only when giving data to the Department of Homeland Security.
If the Homeland bill passes, as expected, the two offerings will be combined through a pre-approved process before heading to the Senate.
PCNA’s passage is a huge win for industry and the Intel committee and a loss for privacy groups. For years, banks, retailers and the U.S. Chamber of Commerce have spent millions on lobbying for the measure.
Industry groups this week blanketed Congress — even D.C. Metro cars — with messages urging support for the bill. Privacy advocates made their own counter-push to no avail.
The Intelligence panel also brought a number of previously skeptical Democrats on board with Wednesday’s vote.
A 2013 referendum on an Intelligence panel cyber info-sharing bill from then-Chairman Mike Rogers (R-Mich.) and former ranking member Dutch Ruppersberger (D-Md.) received 288 votes, including 92 Democrats.
On Wednesday, PCNA picked up 105 Democrats, including Intelligence Committee ranking member Adam Schiff (Calif.). Schiff and others were brought over by privacy enhancements to the bill, such as a clause that would not allow information to be shared directly with the NSA or Defense Department.
“Lest anyone be confused, this bill makes clear in black and white legislative text that nothing in the bill authorizes government surveillance in this act, nothing,” Schiff said.
The House also adopted an amendment from Rep. Mick Mulvaney (R-S.C.) by a vote of 313-110 that would sunset the bill’s provisions after seven years despite concerns from a top financial services lobbying group that businesses would sit out the voluntary program.
Senators had been hoping to bring its companion bill, known as the Cybersecurity Information Sharing Act, to the floor sometime in April.
But a faction of privacy-minded senators planning to offer floor amendments has potentially delayed the bill. Legislators are also tied up trying to resolve a number of pressing issues, including the Iranian nuclear negotiations, a human trafficking bill and a fast-track trade deal legislation.