The US House of Representatives Intelligence Committee has approved a recently introduced bill that would allow greater cyberthreat information sharing between intelligence agencies and private companies, even though privacy advocates say it would allow those agencies to spy on US residents.
The committee approved the Cyber Intelligence Sharing and Protection Act late Thursday by a 17-1 vote. The bill would allow intelligence agencies to share classified cyberthreat information with approved US companies, while encouraging companies to share their own information with the government or other companies.
The next step for the bill is a vote in the full House. That vote has not yet been scheduled.
The bill will protect privacy, said commitee chairman Representative Mike Rogers. "The decisiveness of the vote shows the tremendous bipartisan support for this bill," he said. "Through hard work and compromise we have struck a delicate balance that provides strong protections for privacy and civil liberties, while still enabling effective cyber threat sharing and providing clear authority for the private sector to defend its own networks."
The bill would help protect businesses from cyberespionage, Rogers said.
Information sharing is a good goal, but the bill goes too far, said Jim Dempsey, vice president of public policy for the Center for Democracy and Technology. The bill could give the National Security Agency new access to personal information held by US companies, given the legislation's broad definition of the kind of information that companies can share with the NSA and other government agencies, he said.
The bill allows companies to share any information pertaining to the protection of information systems, Dempsey said. That "potentially could be all traffic," he said.
The bill, although it says information sharing with the government is voluntary, could also allow the NSA to demand that private companies share their information in exchange for the cyber threat information the agency has, Dempsey said. "It creates an incentive structure as to who gets the NSA's secret sauce," he said. "We're afraid that the NSA would use that, basically, as a trading card. They would say, 'We'll give you our good stuff, if you give us a lot of your good stuff.'"
The bill would also shift responsibility for cybersecurity from private industry to the government, and from civilian agencies within the government to intelligence and military agencies, Dempsey said. "We think the government should not be involved in monitoring the private sector networks," he said.
Bill sponsors Rogers and Representative C.A. "Dutch" Ruppersberger introduced an amendment, approved by the committee, designed to limit government agencies' use of information they get from private companies.
The amendment prohibits the government from using cyberthreat information unless at least one significant purpose is cybersecurity or national security. It also prohibits the government from searching through any cyberthreat information it receives from the private sector for any purposes not authorised by the bill.