Republican and Democratic leaders of the House Intelligence Committee on Tuesday introduced legislation to promote the voluntary sharing of cyber threat data between the federal government and private sector and within the private sector, adding to a number of other information security bills put forth in the current Congress.

To help incentivize the sharing of cyber threat indicators by industry, the Protecting Cyber Networks Act would provide limited liability protections to the private sector, a provision that is also contained in other bills introduced in the 114th Congress and is seen as a key ingredient to getting companies and other private organizations to more routinely disclose network breaches.

House Intelligence Committee Chairman Devin Nunes (R). Photo: House Office of Devin Nunes

“Gangs of cyber criminals, sometimes supported by hostile governments, are increasing their attacks on U.S. networks and American businesses,” Rep. Devin Nunes (R-Calif.), chairman of the committee, said in a statement. “These assaults are costing our economy billions of dollars and are compromising American citizens’ personal and financial information. The Intelligence Committee is acting to mitigate this growing problem by advancing a bill that will encourage businesses and the federal government to share information on known cyber threats.”

The bill requires the Director of National Intelligence (DNI), working with the heads of other “appropriate” federal entities and the national laboratories, to develop procedures “for the timely sharing of classified threat indicators” that the government has with relevant private sector representatives, for sharing declassified cyber threat data with industry, and for sharing information the government has “about imminent or ongoing cybersecurity threats to such entities to prevent or mitigate adverse impacts from such cybersecurity threats.”

To bolster privacy protections, the bill also requires federal agencies to review cyber threat indicators they receive from the private sector to ensure there is no information that identifies a specific person that has nothing to do with the threat. It also requires the private sector to “take reasonable efforts” before sharing threat data to ensure there is no information that identifies a specific person.

“Our bipartisan bill will ensure that businesses and government have the information they need to help defend against this growing threat, while safeguarding the privacy of the targets of these attacks,” Rep. Adam Schiff (D-Calif.), the ranking member on the committee, said in a statement. “It’s my hope that the House takes up this bipartisan bill soon after the House Intelligence Committee advances it, and that we work with the Senate, the White House and outside stakeholders to make any necessary improvements on its way to the president’s desk.”

The bill would also authorize private entities to conduct defensive monitoring of their own networks and information systems of other private organizations that agree to such monitoring.

The bill also authorizes the Obama administration’s recent establishment of a Cyber Threat Intelligence Integration Center (CTIIC) within the Office of the DNI. The primary missions of the CTIIC, which will be the government’s main organization for integrating and analyzing all cyber threat intelligence obtained by the United States, include ensuring that federal entities have all-source cyber threat intelligence support, distributing cyber threat analysis to the president and other appropriate federal agencies and congressional committees, conducting cyber threat intelligence planning for the government, and coordinating federal cyber threat intelligence activities.

The bill also limits the size of the CTIIC to no more than 50 permanent staff.

The Protecting Cyber Networks Act is expected to be marked up by the committee on Thursday.