House panel releases bill on cyber threat data-sharing

A discussion draft of a House Homeland Security Committee bill to give companies legal liability protections when sharing cyber threat data with the Department of Homeland Security (DHS) was released Friday.

Committee Chairman Michael McCaul (R-Texas) had said earlier this week that the measure, named the National Cybersecurity Protection Advancement Act, was on the brink of release.

Cybersecurity information sharing has been a top legislative priority this year for lawmakers, industry groups and government officials. The public and private sectors must share more cyber threat data, they argue, if either wants to stop the glut of cyberattacks that have hammered major companies and government agencies.

{mosads}McCaul’s bill did not contain any major surprises.

It names the DHS as the “primary interface” in the public-private cyber threat data exchange. It does leave the door open for companies to share with other agencies such as the Treasury Department or National Security Agency, although would not explicitly authorize that sharing.

The measure also allows for sharing among agencies within the government.

The privacy language has been strengthened throughout from previous iterations of a similar bill, according to Alex Manning, staff director of the House Homeland Security subcommittee on cybersecurity last Congress.

“The text made a more concerted effort to appease some of the privacy advocates,” said Manning, currently senior government relations director with Arent Fox.

There’s a greater focus on the role the DHS privacy office will play, with specific guidelines for how it should monitor and file oversight reports on the data sharing program, Manning explained.

The bill also bolstered the language requiring companies to strip personal information from their data before sharing it with the government. The DHS is already required to do a scrub of sensitive information in the cyber data it receives.

If DHS officials notice a certain company is repeatedly failing to redact personal information, McCaul’s bill would allow the department to terminate the company’s ability to share with the agency.

The alterations will likely appeal to numerous privacy groups. The ACLU already supported a version of the bill last year.

But some privacy advocates may still take issue with several previous sticking points, such as sharing within the government or the door left open for NSA sharing.

Lawmakers are currently debating several bills that would achieve this goal in different ways.

The Senate Intelligence Committee recently passed legislation to provide many of the same elements as McCaul’s bill, encouraging companies to share electronically with the DHS.

But the measure, the Cybersecurity Information Sharing Act (CISA), would also authorize companies to share cyber threat data non-electronically with intelligence agencies.

Privacy advocates have come out against that offering, which is seen as the Senate’s all-encompassing cyber info-sharing bill.

The House is trying to move two complementary info-sharing bills instead of one omnibus measure.

The House Intelligence Committee will soon release a draft of its legislation that would address cyber threat data between private firms and intelligence agencies. The House committees on Homeland Security and Intelligence see their bills as complementary.

Committee leaders plan to markup their bills in mid-April and get them to the floor the week of April 20.

See the full text of the bill here: 

National Cybersecurity Protection Advancement Act_Draft 3-20-15