WASHINGTON--The House easily passed a bill Wednesday designed to
encourage companies to share details of computer breaches with the
federal government, one of several initiatives from policy makers
responding to the spate of increasingly sophisticated
cyberattacks.
The bill passed 307-116, backed by a majority of both
Republicans and Democrats, and now moves to the Senate. But in a
reflection of widespread political anxiety about a new government
data-collection effort, lawmakers bucked the bill's author and
required that the measure phase out in seven years.
U.S. policy makers have struggled to address the growing problem
of data breaches at major U.S. companies and government agencies,
overwhelmed by the scale of the attacks and hamstrung by infighting
over how to respond. The White House, State Department and
Pentagon, along with entities including Target Corp., J.P. Morgan
Chase & Co., Sony Pictures Entertainment Inc. and Anthem Inc.
have suffered embarrassing breaches, prompting calls for new
strategies.
"This situation cannot continue," said Rep. Devin Nunes (R.,
Calif.), a lead author.
In addition to legislation, federal officials are readying steps
to both deter attacks and better protect companies from future
breaches.
But the efforts face opposition from both liberal and
conservative critics, and the government still lacks a unified
approach. The White House is challenging parts of the new
legislation, and many companies in Silicon Valley are skeptical
about the government's need to sweep up more data after numerous
reports of secret surveillance programs.
Administration officials have begun working to soften Silicon
Valley opposition.
Defense Secretary Ash Carter on Thursday planned to reveal a new
cyber military strategy during a visit to Stanford University,
where he was to call for a new Pentagon presence in Silicon Valley
to work more closely with technology firms. The Department of
Homeland Security announced a similar initiative this week.
The Pentagon also will work to revamp measures for deterring
cyberattacks and develop a range of options for conducting
"offensive" cyberattacks that can be used during hostilities.
The cybersecurity legislation advanced Wednesday would give
companies liability protection if they share certain information
about security threats with the government as long as they attempt
to scrub customer information. The government could then share the
information with other agencies, such as the National Security
Agency, though another agency would first have to perform a second
attempt to erase personal information before it could be
circulated.
Sharing information would be voluntary, and no company would be
compelled to participate. The legislation's impact could hinge
largely on whether companies decide to share information.
The White House largely supported more incentives for
information sharing, but it has signaled it wants changes to the
bill moving through Congress in order to limit legal liability from
shareholder lawsuits if a firm doesn't do enough to protect
consumer data. It also has called for a separate law that would
require companies to notify customers within 30 days if personal
information is stolen, but that measure is opposed by many business
groups and has had little traction in Congress.
The House on Thursday is expected to pass a second bill similar
to Wednesday's information-sharing bill, centralizing some power
within the Department of Homeland Security.
The bills are expected to be combined during negotiations with
the Senate, if senators are able to pass separate versions of the
measures.
The legislation comes as many firms, particularly technology
companies, remain worried about government surveillance programs.
Supporters of the measures have said they wouldn't enable any
government surveillance, but opponents have disagreed.
"The cybersecurity bills Congress is considering will in effect
increase surveillance of Internet users and authorize dangerous
countermeasures that could compromise their computer security,"
said Gregory Nojeim, senior counsel at the Center for Democracy
& Technology, a group that supports Internet-privacy laws.
Rep. Mick Mulvaney (R., S.C.), who wrote the amendment that
required the bill to expire unless it is renewed, said he thought
it was a necessary curb for legislation that deals with such
delicate issues.
"Any time you are balancing two very important
interests--security and liberty--it's a possibility that you don't
get the balance just right," he said. "What my amendment did was
force us to keep an eye on this legislation and force us to
continue to justify its existence seven years on."
Write to Damian Paletta at damian.paletta@wsj.com
Access Investor Kit for Sony Corp.
Visit
http://www.companyspotlight.com/partner?cp_code=P479&isin=JP3435000009
Access Investor Kit for Sony Corp.
Visit
http://www.companyspotlight.com/partner?cp_code=P479&isin=US8356993076
Access Investor Kit for Target Corp.
Visit
http://www.companyspotlight.com/partner?cp_code=P479&isin=US87612E1064
Subscribe to WSJ: http://online.wsj.com?mod=djnwires