What are Lawmakers Doing to Thwart Cybercrime?

A previous blog post discussed the real and growing threat of cybercrime for businesses, particularly small businesses. A logical question, then, is what is being done about it, not just by individual businesses but by our policy makers. Given the breadth of the threat and the economic damage wrought by attacks, it is clearly in the interest of both government and business to thwart cybercrime and protect their systems.

Dating back to the Clinton Administration, the Federal government has encouraged information sharing between the public and private sectors to more quickly identify and respond to cyberthreats.  However, despite these efforts to facilitate cooperation, hurdles in the form of legal liability, IP protection, antitrust violations and privacy concerns have hindered participation.

The good news is that Capitol Hill remains focused on the topic.  In April of this year, the U.S. House of Representatives passed two cybersecurity information sharing bills to give businesses legal liability protections, while also addressing concerns of privacy and civil liberties advocates who wish to protect individuals and limit the use of information by the government.

The first bill, the Protecting Cyber Networks Act (H.R. 1560), was authored by the House Intelligence Committee. The Committee on Homeland Security produced the second bill, titled the National Cybersecurity Protection Advancement Act (H.R. 1731). Both bills seek to promote the timely sharing of cyberthreat information between the public and private sectors with the goal of better protecting America against cybercrime and providing intelligence to identify the perpetrators. The sharing of information by private businesses would be purely voluntary and limited to a defined set of threat indicators. The legislation also restricts the retention and searching of such information and limits its use to cybersecurity and law enforcement. In both bills, private companies will be required to remove any personal information before sharing the indicators, and the government will do its own check to remove any personal information that was not deleted by the private company before distributing the information among Federal agencies. Companies that share information in good faith will receive liability protections. Willful misconduct, however, will not be protected. With bipartisan support, the House passed H.R. 1560 on April 22, 2015, by a vote of 307 to 116, and passed H.R. 1731 on April 23, 2015, by a vote of 355 to 63.

The bills are designed to be complementary and were actually combined after both passed the House. The Senate is working on similar legislation (S. 754) that the Committee on Intelligence approved back in March. In the wake of the recent massive breach of federal employees’ personal information, some Senators tried to attach the Senate cybersecurity bill to the National Defense Authorization currently being considered on the Senate floor. The attempt was denied by those who want a fuller debate on the matter. Eventually (once the Senate passes a bill), the differences between the House and Senate bills will need to be reconciled through the legislative process so that both bodies pass an identical version that can be sent to the President for his signature. While there is still a lot of work ahead, the bipartisan interest in the bill, early action in the 114th Congress, and a sense of urgency as more data breaches occur bode well for a cybersecurity information sharing bill to be signed into law.

If you want to share your views on this legislation or cybersecurity in general (or on any issue for that matter) with your Member of Congress, contact your representative by going to http://www.house.gov/representatives/ or your Senator by going to http://www.senate.gov/ and entering your zip code or state in the top right corner.