WASHINGTON — The House is preparing to vote on two cybersecurity bills this week, kicking off the latest push to improve information sharing between private companies and the government about potential attacks and threats.
The National Cybersecurity Protection Advancement Act, approved by the Homeland Security Committee last week, and the Protecting Cyber Networks Act, by the Permanent Select Committee on Intelligence, both seek to foster rapid data sharing by granting firms certain liability protections to participate. The bills also make some efforts to limit how government officials can use the information they collect and to ensure consumer privacy, though the legislation still concerns some critics.
But despite widespread support from the business community for the measures, the effort is facing last-minute pushback ahead of votes on Wednesday and Thursday, after the House Rules Committee agreed Tuesday night to offer an amendment by Rep. Mick Mulvaney, R-S.C., calling for a seven-year sunset provision on the bills. If approved, the measure could complicate support for the broader legislation and hamper efforts at fostering shared information, financial industry officials warned.
"This nation's cybersecurity problems won't dissolve after seven years. If anything, they will become increasingly more complicated," said Tim Pawlenty, president and chief executive of the Financial Services Roundtable, in a press release Wednesday. "The uncertainty caused by the need to reauthorize this legislation will disincentivize businesses from engaging in this critical process, leaving more American consumers at risk for cyberattacks."
The American Bankers Association agreed that the sunset provision could "hinder" efforts to improve data sharing.
"The Mulvaney amendments would put in place a sunset that would have the unintended consequence of interrupting the development of these programs and could hinder improved information security across the whole sector. Rather than increasing security, a sunset would weaken this country's security over time," said James Ballentine, ABA's executive vice president of congressional relations and political affairs, in a letter to the House on Wednesday.
Still, the financial industry has been pushing hard for information-sharing legislation for several years, and banking officials have been largely supportive of the latest House efforts.
"We support your continued efforts to advance legislation that further strengthens the ability of the private sector and the Federal government to work together to develop a more effective information sharing framework to respond to cyber threats, providing liability protection while balancing the need for privacy protection," a coalition of 14 financial services trade groups wrote in a letter Tuesday.
The White House said it supported advancing the two bills in separate Statements of Administration Policy on Tuesday, while urging that both measures need additional improvements to limit the scope of proposed liability protections. President Obama has signed several executive orders this year beefing up cybersecurity efforts, and has called on Congress to address concerns around information sharing.
Critics, meanwhile, remain concerned with efforts to broaden information-sharing capabilities, warning that the two House bills, along with pending Senate legislation, still permit private information to be shared.
"These bills permit overbroad sharing far beyond the [indicators of compromise] that are necessary to respond to an attack, including all 'harms' of an attack. This excess sharing will not aid cybersecurity, but would significantly harm privacy and could actually undermine our ability to effectively respond to threats," one group of security experts and academics wrote to House leaders last week.