WASHINGTON (Reuters) - U.S. lawmakers on Wednesday proposed fighting the cyber threat that is taking a toll on American companies by allowing spy agencies to share threat intelligence with private firms.
Representative Mike Rogers, the Republican chairman of the U.S. House of Representatives intelligence committee, and the panel’s senior Democrat, Representative C.A. “Dutch” Ruppersberger, announced legislation to protect U.S. firms from cyber attacks by foreign countries and individual hackers by allowing information-sharing with agencies like the National Security Agency.
“Our intelligence agencies collect important information overseas about advanced foreign cyber threats that could dramatically assist the private sector,” Rogers said.
“The government needs to be able to share this threat intelligence so that the private sector can protect its own networks,” he said at the public unveiling of the bill.
Rogers has been outspoken in accusing China of widespread cyber espionage. An intelligence report released earlier this month accused China and Russia of using cyber espionage to steal U.S. trade and technology secrets.
“North Korea just attacked a major banking system in South Korea. That can happen today in the United States of America,” Ruppersberger said.
“We will have a catastrophic attack within the next year, whether it’s attacking a banking system, a grid system, this is going to happen and we have to make sure that we protect ourselves,” he said.
The legislation aims to expand to the broader private sector the theme of a pilot Pentagon program for sharing classified and sensitive threat information with defense contractors and their internet service providers.
Defense contractors like Lockheed Martin Corp have been among the high-profile victims of cyberattacks. Others include Google and Citigroup.
Sponsors of the bill envision, for example, that NSA would share with internet service providers information about what different types of cyber threats look like that the intelligence agency has detected so that the ISP can then block traffic to its customers from anything with that signature.
Internet service providers and other companies have long complained that they give information to the U.S. government about potential cyber threats but often do not find it a two-way street. They say the government is reluctant to reciprocate because the information is either classified or part of an investigation linked to a potential prosecution.
Some critics worry this type of information-sharing arrangement amounts to government surveillance of private data.
Sharing of information with the government is voluntary and the legislation would require a review to ensure the protection of privacy and civil liberties, Rogers said.
It also offers protections to companies who shared information from frivolous lawsuits, the lawmakers said.
“(The bill) is a good thing,” said Stewart Baker, a former Homeland Security official who is now a partner with the Steptoe & Johnson law firm.
“What’s new is that the self-protected entity can share that information with the federal government. That’s new because there are provisions of law that prevent ISPs from sharing subscriber information with the federal government,” he said.
But he was concerned that measures in the bill that would relieve companies of liability once they shared data with the government might be too broad.
For example, perhaps they could be used as a defense if companies failed to disclose material breaches to the Securities and Exchange Commission, he said.
At this early stage it was unclear how the legislation will fare in trying to get through the Republican-controlled House and the Democratic-controlled Senate before landing on President Barack Obama’s desk to be signed into law.
But it was an unusual display of bipartisanship in a year of a deeply divided Congress.
“This bill is bipartisan, and in this environment, that fact is a credit to everyone involved. I hope we can find other areas of agreement on this growing issue,” Republican Representative Mac Thornberry, the leader of the House Cybersecurity Task Force, said.
Writing by Tabassum Zakaria; Editing by Bill Trott