Bipartisan cybersecurity bill aims to spur industry-government sharing

House Intelligence Committee Chairman Mike Rogers , R-Mich., and ranking member Dutch Ruppersberger , D-Md., introduced legislation on Wednesday that would provide a channel for the government to share classified intelligence with the private sector to protect against cyberattacks.

The bipartisan bill would make it easier for government to share information with companies, without forcing the firms to do anything about it. It would also exempt companies from any liability if they share information with the government--something that worries privacy advocates such as the American Civil Liberties Union.

"The American private sector is working incredibly hard to protect itself," Rogers told an audience at the National Cable and Telecommunications Association on Wednesday. "The best thing that we can do is remove the barriers that make it hard for industry to share information and defend themselves, and provide government information in support of these efforts."

"Our intelligence agencies collect important information overseas about advanced foreign cyber threats that could dramatically assist the private sector," he continued. "The government needs to be able to better share this threat intelligence so that the private sector can protect its own networks."

Under the Cyber Intelligence Sharing and Protection Act of 2011, the director of national intelligence would outline a framework for the intelligence community to share classified intelligence about cyber threats with the private sector. Information about systems' vulnerabilities--or direct attempts to disrupt them or steal information--could be provided to those with security clearances specially charged with receiving this information.

The private sector could then, in turn, share information about cyber threats with the federal government on an anonymous and voluntary basis, and with other participating companies so long as the information is not used to gain an unfair competitive advantage. Private companies would receive immunity from lawsuits if they act in good faith and share their data--and also could not be prosecuted for failing to act on the information about threats they receive.

"They're just going to blow a hole through all the privacy laws on the books for cybersecurity purposes," ACLU's Michelle Richardson told The Washington Post.

Rogers pushed back against criticism that the bill contains no mandate requiring companies to act on information they receive about critical vulnerabilities. "These companies are under assault every single day, in some cases, individual companies tens of thousands of times a day. Their IT shops can barely keep up," Rogers said, adding that these threats can cost companies millions of dollars. "It's in their own best interests to cooperate."

The bill is narrower than Senate proposals, which favor more sweeping cybersecurity regulations. House Republicans have largely steered away from significant government regulations or mandates on industry, instead favoring cybersecurity incentives for private firms to boost their own security and share information.

"Our challenge to the intelligence community, to Congress at large, to the White House, has been: 'Don't dangle this bill up with all your hopes and aspirations of the final solution to cybersecurity,' " Rogers said. "That's not what this bill does. This bill is a very narrow, very important first step of providing a forum to get classified threat information to the companies who can use it best to protect a broad swath of networks across the country."

Rogers said that lawmakers on both sides, including Reps. Jim Langevin , D-R.I., Michael McCaul , R-Texas, Adam Schiff , D-Calif., and Mac Thornberry , R-Texas, support the bill. "The reason you can get all those people is because it is a very narrow, focused bill," Rogers said.

Last month, a House GOP task force, composed of representatives of nine committees with jurisdiction over cyber issues, called for industry-friendly cybersecurity incentives. "Change occurs so fast in this area that attempts to directly regulate a specific cybersecurity solution will be outdated by the time it is written," the task force concluded.

The bill already has support from industry. IBM's vice president of government relations, Christopher Padilla, said that the legislation "provides a solid framework and useful legal protections to permit the timely flow of actionable threat information in order for organizations to better protect themselves and customers."