On Wednesday, April 22, by a vote of 307-116, the House passed its first major cybersecurity bill of 2015, the Protecting Cyber Networks Act (PCNA). Backed by the leadership of the Committee on Intelligence, the bill would shield private companies when sharing cyber threat data with government civilian agencies, including the Commerce and Treasury Departments. A second bill, the National Cybersecurity Protection Advancement Act of 2015 (NCPAA), which amends the Homeland Security Act of 2002, was passed by the House the following day, Thursday, April 23, by a vote of 355-63. The second bill, supported by the House Committee on Homeland Security, gives private companies additional protections against liability when sharing data with the Department of Homeland Security.
The PCNA affords its protections by requiring dismissal of any action against a private entity “for the monitoring of an information system and information” and “for the sharing or receipt of a cyber threat indicator or defensive measure” when “conducted in good faith.” Similarly, the NCPAA insulates against liability by prohibiting and requiring dismissal of actions for engaging in network awareness or information sharing, when conducted in good faith. The NCPAA also requires development of rapid automated sharing of information, to be supervised by the Under Secretary for Cybersecurity and Infrastructure Protection, and imposes additional reporting requirements on the Department of Homeland Security. Both bills provide similar definitions of “cyber threat indicator” that together encompass technical information necessary to establish vulnerability monitoring systems, to defeat information system security controls, to identify anomalous technical behavior and vulnerabilities and other risks associated with authorized users, as well as malicious communications.
Supporters of these bills argued that data sharing will help the government and private enterprise alike better understand both the risks of and the defenses against increasing attacks, while opponents feared such laws would only give the National Security Agency additional power to monitor American citizens. The White House had given a “cautious” thumbs-up to the House’s legislation and “appears positive” toward the Senate’s efforts, but voiced concerns that the protections may shield companies that fail to act. With the passing of both bills, the House must now work to provide a single bill to the Senate by combining the two through a pre-approved process.
The Senate Majority Leader has indicated that the chamber’s version of the bill, which would also give private companies protections against liability when sharing threat data with government agencies, would be introduced on the Senate floor in the near future. The Senate Intelligence Committee had approved the Cybersecurity Information Sharing Act on March 12; that bill also drew criticism that it allowed the intelligence community to gather unnecessary sensitive data on American citizens.
These three bills are a historic effort by Congress to enact the nation’s first comprehensive cybersecurity legislation, but several hurdles must be cleared, including a joint House and Senate bill, as well as Presidential execution, before such efforts culminate in an actual law.