House passes bipartisan cybersecurity information-sharing bill

Erin Kelly | USA TODAY

WASHINGTON - The House on Wednesday passed a bipartisan cybersecurity bill to make it easier for companies to share cyber-threat information with the government and thwart hacks by criminals, terrorists and rogue nations.

It was the first action in the new Congress in response to recent high-profile cyber attacks that have included Sony Pictures, Home Depot, JPMorgan Chase, Target, Anthem health insurance, the State Department and the White House.

Lawmakers voted 307-116 to approve the Protecting Cyber Networks Act, which was passed last month by the House Permanent Select Committee on Intelligence.

"The increasing pace and scope of cyber attacks cannot be ignored," said Rep. Devin Nunes, R-Calif., chairman of the intelligence committee. "This bill will strengthen our digital defenses so that American consumers and businesses will not be put at the mercy of malevolent cyber thieves."

Although the Obama administration has not endorsed any specific bill, President Obama has called on Congress to pass strong cybersecurity information-sharing legislation, and lawmakers have been moving quickly to do that.

"Every day we delay, more privacy is stolen, more jobs are lost, and more economic harm is done," said California Rep. Adam Schiff, the senior Democrat on the intelligence panel. "Let's stop sitting by and watching all of this happen. Let's do something."

House leaders plan to take up a separate, similar bill on Thursday that was approved unanimously last week by the House Homeland Security Committee. The idea is for the House to merge the two bills and take them into conference with the Senate to craft compromise legislation. The final bill would then have to be approved by both chambers.

"These bills represent a unified front in the House for strengthening cybersecurity while protecting Americans' privacy," said Rep. Michael McCaul, R-Texas, chairman of the Homeland Security Committee.

The Senate intelligence committee passed its own cybersecurity information-sharing bill in March. Senate leaders have said they hope to bring it to the floor in a few weeks.

Both the House-passed bill and the bill approved by the Senate intelligence committee offer liability protection to companies to shield them from lawsuits that could arise from the sharing of business records with the government and with one another. Businesses have been reluctant to tell the government about cyber attacks because of their fear of lawsuits from consumers or privacy groups.

One key difference between the two bills is that the Senate bill requires any information shared by private companies to first go through the Department of Homeland Security. The House bill would allow companies to share their cyber-threat information with any civilian agency. A bank, for example, could go straight to the Treasury Department for help.

Supporters of the bill passed Wednesday said it contains stronger privacy protections than legislation considered by previous Congresses. The bill states that it does not authorize the Department of Defense, the National Security Agency nor any other part of the intelligence community to target a person for surveillance. Instead, the bill aims to give government agencies the ability to see how a hack occurred and take action to prevent more attacks.

Companies would voluntarily report cyber threats to civilian agencies rather than to the NSA or the Defense Department. The NSA, which is part of the Defense Department, is viewed with suspicion by privacy advocates because of its mass collection of phone records of millions of Americans.

The bill also makes the federal government liable for violations of privacy and civil liberties and allows citizens who believe their privacy has been violated to seek damages from the government in court.

On Thursday, the House will take up the National Cybersecurity Protection Advancement Act, the bill approved by the Homeland Security Committee.That bill, like the Senate legislation, would require information from the private sector to go through the Department of Homeland Security first.

Sen. Ron Wyden, D-Ore., a member of the Senate intelligence committee and a strong privacy rights advocate, has so far been the only lawmaker of either party to vote against a cybersecurity information-sharing bill in committee this year. When he opposed the Senate bill, he warned that such legislation could end up giving the federal government more personal information about Americans.

"Any information-sharing legislation that lacks adequate privacy protections is not simply a cybersecurity bill, but a surveillance bill by another name," Wyden said.

Business groups have been largely supportive of the cybersecurity information-sharing bills.

"Today's action by the House is an important step forward in the fight against cyber-attacks and cyber-crime," said Scott Vernick, partner and head of data security and privacy practice at Fox Rothschild law firm. "Any meaningful offense requires joint action by both the private sector and the government in real time."

Follow @ErinVKelly on Twitter