House Passes Cyber Threat-Sharing Bills

Debate over liability protection for companies ongoing

By Roy Maurer May 8, 2015

Congress is closer to enacting public-private cyber threat-sharing legislation nearly five years in the making.

The House of Representatives approved two complementary bills that would increase the exchange of cyber threat data and also shield companies from legal liability when sharing that data with government agencies.

Both the House Intelligence Committee and the House Homeland Security Committee approved separate versions of the legislation, which are now in the process of being combined for consideration in the Senate.

Sen. Tom Carper, D-Del., said he anticipates a vote on the upper chamber’s cyber threat-sharing legislation, known as the Cybersecurity Information Sharing Act, sometime this month.

More Information, Better Security

The legislation aims to strengthen the flow of information about cybersecurity threats and attackers’ tactics between the government and private sector. Advocates argue that both sides need more data on cyber threats to protect their networks.

“Information sharing within the same industry provides those participating in that industry or sector advantages in understanding industry-specific threats and may enhance the ability of that industry to develop best practices to meet threats,” said Marc Noble, cyber/information security practices manager at ISACA, an international professional association focused on IT governance.

The National Cybersecurity Protection Advancement Act encourages voluntary information sharing about cyber threats between the private sector and the Department of Homeland Security (DHS) specifically. The bill names the DHS National Cybersecurity and Communications Integration Center as the central information-sharing hub where cyber threat indicators and defensive measures would be shared. DHS is seen as the agency most technically capable of stripping personal information from any data received before it is shared with the rest of the federal government.

The Protecting Cyber Networks Act would enable private companies to monitor their networks and to voluntarily share cyber threat indicators with one another and with a number of different government agencies. Companies can choose to share cyber threat information with the federal agency to which they are most closely tied. For example, banks can share cyber threat information with the Department of the Treasury and power plants can share with the Department of Energy, according to the House Intelligence Committee report on the bill.

The sharing of information is completely voluntary, but companies that share cyber threat indicators or defensive measures will receive legal liability safeguards if they comply with the appropriate privacy protections.

“With carefully crafted liability protections, private entities would finally be able to share cyberthreat indicators with their private-sector counterparts without fear of liability,” said Rep. John Ratcliffe, R-Texas.

“It is unclear whether the liability protections offered in the bill will be sufficient enticement for businesses to participate in the program,” Noble said. “Many companies, however, view liability protection as a minimum requirement to take part in any information-sharing arrangement.”

There’s also the cost to consider. “There is a cost to members of a particular industry in developing defenses and capturing malicious activity as well as the cost of sanitizing information to be sent and shared within that sector,” Noble said.

Both bills contain sunset provisions that cause the acts and their amendments to terminate seven years after their enactment.

Green Light from the White House

President Barack Obama called for cyber information-sharing legislation in his State of the Union Address in January 2015, and the White House has given a thumbs-up to both bills, with the condition that legal immunity for companies not be overly broad.

“Appropriate liability protections should incentivize good cybersecurity practices and should not grant immunity to a private company for failing to act on information it receives about the security of its networks,” the White House said in a statement.

Lawmakers have agreed to refine the liability language. “Current liability language in the bill could allow for protections for companies that don’t act on cyber threat indicators,” Rep. Jim Langevin, D-R.I., told The Hill. Langevin questioned the liability protection companies would receive even if they sat on threat information that could be damaging to industry partners and competitors. “I really think that’s egregious, and I think that they should be held accountable in that respect,” he said. “It would be unconscionable not to act on information if they receive credible threat information.”

Roy Maurer is an online editor/manager for SHRM.
