House approves controversial cybersecurity bill

Opponents worry that data-sharing legislation could lead to increased government surveillance.

Steven Musil Night Editor / News

Newly passed legislation could lead to improved cybersecurity -- or surveillance, depending on whom you believe. Image by Dennis Skley, CC BY-ND 2.0

The House of Representatives passed bipartisan legislation on Wednesday designed to help companies and the federal government better defend against the growing threat of cyberattacks, despite opposition from privacy advocates.

Passed by a 307-116 vote, the controversial Protecting Cyber Networks Act encourages US companies to share information about security breaches with the federal government by providing them with expanded legal liability protections. Prompted in part by a recent uptick in high-profile data breaches, the legislation would allow companies to share information through a "cyber portal" administered by the Department of Homeland Security.

Supporters say the legislation -- similar to a measure approved last month by the Senate Intelligence Committee -- could help prevent and mitigate the effects of cyberattacks, which typically result in the theft of consumers' personal information. A hack at Home Depot last year exposed 56 million credit card numbers, while another at Target yielded credit card data of 40 million Target customers and the personal information for an additional 70 million customers. In January, insurance provider Anthem revealed that hackers had accessed the personal data of as many as 80 million people, including their Social Security numbers.

"At some point, we need to stop just hearing about cyberattacks that steal our most valuable trade secrets and our most private information and actually do something to stop it," Rep. Adam Schiff (D-Calif.), the top Democrat of the House Intelligence Committee, said on the House floor.

The bill requires companies to remove personal information before data is shared with the government. But opponents worry -- particularly since former NSA contractor Edward Snowden released details of the National Security Agency's secret spying programs -- that the legislation could reinforce government powers to conduct surveillance on US citizens.

A coalition of 19 security researchers and 36 privacy organizations, including the American Civil Liberties Union, urged the House to reject the bill, contending that it would lead to "overbroad law enforcement uses" beyond its intended scope.

"Law enforcement would be allowed to use cyberthreat indicators to investigate crimes and activities that have nothing to do with cybersecurity, such as robbery, arson, carjacking or any threat of serious bodily injury or death, regardless of whether the harm is imminent," according to a letter (PDF) sent to members of the House on Monday.

The White House also raised issues with the bill, calling the liability protections too sweeping.

"The breadth of the liability protections could provide immunity to entities that are grossly negligent or even reckless," according to a statement of administration policy issued Tuesday. "Appropriate liability protections should incentivize good cybersecurity practices and should not grant immunity to a private company for failing to act on information it receives about the security of its networks."

The legislative attention comes amid an uptick in data security breaches. Hacks on businesses and government agencies ran rampant in 2014 -- there were more than 1,500 data breaches worldwide, up nearly 50 percent from 2013, according to Netherlands-based security firm Gemalto.

The increase in cyberattacks against US businesses and organizations has forced the Obama administration to grapple with the best way to deal with massive data leaks and thefts. Obama has earmarked $14 billion in the 2016 budget proposal to beef up US efforts against such attacks. In February, the Obama administration announced the creation of a new government agency, the Cyber Threat Intelligence Integration Center, that will fuse information from various intelligence-gathering services to thwart cyberattacks, in much the same fashion as government counter-terrorism task forces share information.