House Intel Committee announces cybersecurity bill without mandates

The leadership of the House Intelligence Committee announced a bill on Wednesday morning that would make it easier for companies to share information with the government about threats and cyberattacks.

Chairman Mike Rogers (R-Mich.) and ranking member Dutch Ruppersberger (D-Md.) said they introduced the Cyber Intelligence Sharing and Protection Act in hopes of advancing the debate over compehensive cybersecurity legislation in the House. It tracks closely with the legislative recommendations released last month by the House GOP Cybersecurity working group, which was led by Rep. Mac Thornberry (R-Texas).

The bill would reduce the barriers for information sharing between the private sector and the government while releasing firms acting in good faith from any legal liability. Unlike comprehensive legislation proposed in the Senate, the bill's provisions are entirely voluntary and include no security mandates. 

"We appreciate that this legislation avoids a prescriptive regulatory regime that does not fit the constantly evolving cyber threat environment and it appropriately allows individual companies to determine how they can best participate," said National Cable and Telecommunications Association President Michael Powell in a statement.

The sponsors view the legislation as complementary to legislation offered by House Cybersecurity sub-panel Chairman Dan Lungren (R-Calif.), which again favors incentives for industry to increase network security and information sharing. They see it not as a cure-all but an important step toward passing cybersecurity legislation in the House.

“There is an economic cyber war going on today against U.S. companies. There are two types of companies in this country, those who know they’ve been hacked, and those who don’t know they’ve been hacked," Rogers said.

“We simply can’t stand by if we have the ability to help American companies protect themselves. Sharing information about cyber threats is a critical step to preventing them," Ruppersberger said. "This bill is a good start toward helping the private sector safeguard its intellectual property and critical cyber networks, including those that power our electrical, water and banking systems."

Critical infrastructure firms have indicated they prefer the House GOP's light-touch approach to the more heavy-handed regulatory regime proposed by the Senate and White House. Both IBM and the Information Technology Industry Council (ITI) voiced support for the legislation, which is scheduled for markup on Thursday afternoon.

"While the Internet is largely owned and operated by the private sector, the government often has unique intelligence on cyber threats," said ITI senior vice president of government relations Ralph Hellmann. "Ensuring that the government's intelligence information is shared in real time with those in the private sector who can act on it is critical to improving the security of cyberspace.” 

Recent indications are that Congress might settle for some type of information-sharing legislation rather than the comprehensive bill that has been debated for the past two years because the House has shown strong resistance to passing new regulations that could burden businesses.

However, because cybersecurity is still a relatively young policy area, people invested in the issue view the passage of any legislation as a step forward. That makes it likely that any bill passed by the House would gain bipartisan support in both chambers, even if it falls short of mandating that critical infrastructure firms beef up their protection.