The House Intelligence Committee is in the calm before the storm on cyber legislation.
While all eyes are on the committee’s Senate counterpart, which passed the Cybersecurity Information Sharing Act (CISA) last week, the House is quietly getting close to its own companion legislation.
CISA would provide legal liability protection for companies sharing cyber threat data with the government. It’s been a top legislative priority for many industry groups, lawmakers and government officials, who argue such an exchange is needed to prop up the nation’s faltering cyber defenses.
House Intelligence Committee members said during a Thursday hearing that they were also getting ready to release their own bill to facilitate this exchange.
“We look forward to hopefully having some legislation out of this committee soon,” said Chairman Devin Nunes (R-Calif.).
Like the Senate’s offering, the House measure will be bipartisan.
“If we do not pass cyber information sharing legislation, we will be foreclosing one of the most important steps we can take against criminals and countries that will continue to steal our most private and valuable information,” said ranking member Adam Schiff (D-Calif.).
Privacy concerns helped stall lawmakers’ previous attempts to pass a cyber information-sharing bill.
Civil liberties-focused lawmakers are worried the increased flow of data to the government could further enhance the National Security Agency’s (NSA) surveillance authority.
Privacy groups are already opposing the Senate’s CISA bill. The White House and several Senate Democrats also expressed concerns about a CISA draft, but have not yet weighed in on the final text.
Senate leaders have said they want to get CISA to a floor vote by mid-April and have it in the House soon after if it passes, putting pressure on the House Intelligence panel to move quickly on its bill as well.
Lawmakers wondered Thursday if it was possible to balance security and privacy needs in such a bill.
Or, as Rep. Mike Conaway (R-Texas) put it, “Can we have our cake and eat it too?”
Congress must enhance security in order to protect privacy, replied Richard Bejtlich, chief security strategist at leading security firm FireEye.
“An intrusion is the worst privacy violation possible,” he said.
All sides agree the public and private sectors need to be swapping more cyber threat data. It’s a necessary step, they say, to stop the rise of data breaches at companies like Target, Home Depot and health insurers like Anthem and Premera Blue Cross.
But exactly what type of data should be shared, and how much personal information is contained in that data, has been a major point of contention.
“We have these privacy advocates which have stressed great concern about sharing information on these cyber threats with the government,” said Rep. Lynn Westmoreland (R-Ga.), who chairs the House Intelligence Subcommittee on the NSA and Cybersecurity. “Is there cause for that concern? How can we get rid of that concern?”
Industry leaders and security experts insisted Thursday the type of cyber threat data that should be exchanged — details about malware and hacking tools, information on cyber crooks’ infrastructure — does not contain personal information.
“Post-Snowden, people conflate the sharing of threat information with personal and private information,” said Tim Pawlenty, president of the banking advocate Financial Services Roundtable and a former governor of Minnesota, referring to NSA leaker Edward Snowden.
The one category that may cause issues, Bejtlich said, is IP addresses, the numbers assigned to any device when connected to a network. Many European countries consider IP addresses to be identifying information.
“There might be problems there,” he said.
Several witnesses suggested inserting into the bill examples of specific categories of data that would be shared.
“That might give people a little bit more trust about what is happening,” Bejtlich said.
— Updated 12:50 p.m.