House Intelligence Committee leaders defend aim of cybersecurity bill

The two intelligence committee leaders surveyed the panel of four industry witnesses, all of whom support CISPA, about the cyber threat information they would share with the government under the bill. The industry representatives responded that companies would share technical information — such as IP addresses sourced to hackers, domain names, the IDs of computers used by hackers — not people's personal information or communications.

"If I walked in this room and dropped it all on the floor, you'd never know where it came from and you wouldn't get any [personally identifiable information]. It just wouldn't happen," said Kevin Mandia, CEO computer security firm Mandiant, which was hired by The New York Times to address the recent spate of hacker attacks it suffered.

BITS President Paul Smocer said the financial services industry would agree to minimize the personal information included in the cyber threat data they share with the government. However, he said the bulk of the data they share doesn't include personal information.

"I honestly struggle a bit with the amount of private information that even exists in the kind of threat information that we share with each other," said Smocer, who oversees the technology policy division of the Financial Services Roundtable. "I don't know if there would be that much in it."

The industry representatives said they the believe the top way to prevent hackers from cracking into companies' computer systems and networks is to receive intelligence about forthcoming cyber threats from the government in real time, which is the intended aim of CISPA. They said companies would be able to thwart attacks on their systems if the government shared its valuable intelligence data about cyber threats with them.

"By sharing threat information more effectively between business and government, we can anticipate and repel most serious threats," said Business Roundtable President Gov. John Engler (R), the former governor of Michigan. 

"It's clear that today's escalating [cyber] threat requires timely and actionable information," he added.

Mandiant said the government holds the majority of cyber threat intelligence that would help companies beef up the cybersecurity of their networks.

When asked by Rep. Adam Schiff (D-Calif.) about whether companies would agree to take "reasonable steps" to minimize personal information in the cyber threat information they relay to the government, Engler answered in the affirmative. That language was included in the information sharing provision of a cybersecurity bill in the Senate last year, which was supported by the American Civil Liberties Union (ACLU).

"I think there's every intent and desire to … protect privacy," he said.

Engler argued that hackers pose a grave threat to American's privacy because they seek to crack into companies' systems and access sensitive data.

"I think the greater threat is from the attacker coming in and making something public that shouldn't be," he said.

Following the hearing, Schiff said he is considering offering an amendment that would align the bill text of CISPA with the privacy safeguards included in the Senate bill.

"It's plain that industry can be asked to make reasonable efforts to remove personality identifiable information and I didn't sense any strong reservation about doing that," Schiff said. "The fear that it would drive industry away doesn't seem to be the case."

During the hearing, some privacy advocates noted that the witness panel lacked a representative from the privacy advocacy community.

When asked for comment, Kelsey Knight, a spokeswoman for Rogers, said the hearing "focused on the threat and how industry is dealing with it, particularly through information sharing." 

"The committee regularly engages with the privacy community," Knight said. "Their voices have been heard at every step of the process for our bill and we will continue to engage with them."

Privacy advocates say they are still concerned that the bill allows for broad sharing of information other than malicious source code and technical information.

"That limitation is not in the bill," said Michelle Richardson, a legislative counsel at the ACLU. "The bill is much broader and allows for more broader sharing than the sponsors are letting on."