White House, lawmakers resume cybersecurity bill talks

The Michigan Republican told Reuters that both sides are "very close" on agreeing about the roles that the Department of Homeland Security and other government agencies would play to better defend against cyber attacks.

They are also negotiating ways to minimize the transfer and use of personal information from companies to the government, Rogers said. No written drafts have been exchanged, the talks are informal and no deal is imminent, a committee staffer said.

In a joint interview with the senior Democrat on his committee, Dutch Ruppersberger, Rogers said the talks have been aided by increasing concerns about the costs of cyber attacks.

"What helped is that The New York Times, Washington Post and Wall Street Journal were all hacked and they talked about it publicly," Rogers said. "It is starting to raise awareness. I can feel movement."

Though thousands of important companies have been losing data to hackers in China and elsewhere for a decade, the number of companies publicly admitting such breaches has been growing. Apple, Microsoft, Twitter, and Facebook confirmed attacks in a recent campaign.

Rogers said both sides of the talks and an expanding part of the public understand that the likelihood of a devastating destructive attack is growing as the list of cyber powers lengthens to include actors like Iran.

He said he had "a high degree of confidence" that Iran was behind the August 2012 attack on Saudi Aramco that crippled some 30,000 PCs.

He also blamed Iran for a campaign against banks in recent months with what are known as denial-of-service attacks, which have disrupted access to some websites, and he said more intrusive or destructive hacking could follow.

"That's a probing action," said Rogers, who is privvy to classified intelligence reports. "We know it's not the best they have to offer.

"You have this non-rational actor that has the capability to cause chaos to people's networks and could be economically destructive."

The joint bill by Rogers and Ruppersberger emphasizes sharing threat information among companies and the government. It passed the Republican-dominated House last year, but failed in the Democrat-controlled Senate after administration objections.

The White House wants a more comprehensive bill that also sets minimum security standards for vitally important companies. But Ruppersberger said last month's executive order on that issue eased some pressure to include such provisions.

A second gulf between the parties has been over the personal information on customers and users that would be turned over to the government.

The current House bill would give broad protection from lawsuits to companies that surrender user data believed to be related to "threats" to their networks to DHS, which could then share it with intelligence agencies that could use it for other national security matters.

But Rogers said the personal information was not essential. "Candidly, you don't need a lot of personal information to fight the threat," he said, adding that details of new malicious software was essential.

Ruppersberger, of Maryland, said companies complained that they had no way to "minimize" personal information attached to "millions of conversations" and that they were working through that issue in the White House talks.

Their comments follow an interview with White House cybersecurity policy adviser Michael Daniel on Monday at the same RSA conference, the largest annual gathering of security professionals.

Daniel told Reuters then that the administration would identify its goals for a new law within two months.

Only after a law passes to shore up defense, the House members said, can the country focus on building support among allies to confront economic espionage from China and others.

(Reporting by Jim Finkle and Joseph Menn; Editing by Tiffany Wu and Leslie Gevirtz)