In an effort to bolster data protection practices in both the public and private sectors, U.S. lawmakers have proposed a new bill that urges companies to share information about cybersecurity threats with the government's spy agencies, and vice versa.
The proposal, introduced by Republican Representative Mike Rogers and Democrat C.A. "Dutch" Ruppersberger, would offer protection from lawsuits and certain public disclosure requirements for companies that share information about their data security vulnerabilities with the National Security Agency (NSA) and other branches of government.
The bill is more likely to affect larger companies, such as Google, Lockheed Martin, Internet service providers (ISPs) and others that are likely to be targeted by high-profile cyberattacks from foreign entities. By sharing information about the cyberattacks against their networks, these companies will assist the NSA and others in identifying threats and hackers.
However, the bill is intended to be a two-way street. Often, private sector organizations are reluctant to share information with the government because they feel agencies do not return the favor. Under the proposed bill, the agencies would also share certain information with companies about the different cyberthreats they detect, enabling ISPs and others to better protect themselves against hacks and cyberattacks.
"There are two types of companies in this country, those who know they’ve been hacked, and those who don’t know they’ve been hacked," Rogers said in a statement. "Economic predators, including nation-states, are blatantly stealing business secrets and innovation from private companies. This cybersecurity bill goes a long way in helping American businesses better protect their networks and their intellectual property."
It is unclear whether the legislation will ever make its way to the White House, but it is already generating enthusiasm among some of the private sector companies that may be affected.
According to a report from Businessweek, cable television and Internet service providers said the bill would remove much of the red tape that blocks companies from sharing vital information with government agencies.
"We appreciate that this legislation avoids a prescriptive regulatory regime that does not fit the constantly evolving cyberthreat environment and it appropriately allows individual companies to determine how they can best participate," said Michael Powell, president of the National Cable & Telecommunications Association, according to Businessweek.
However, not everyone shares this enthusiasm. Data privacy advocates were quick to raise concerns about the easing of regulations surrounding information sharing.
"Doesn’t it just become easier to dump information into the government’s hands rather than taking the time to minimize our personally identifiable or sensitive information?" Michelle Richardson, legislative counsel for the American Civil Liberties Union, told Businessweek.
Even the White House expressed concern that the legislation did not include adequate data protection measures.
"The administration strongly believes that we need to make sure that any legislation put forward sufficiently protects U.S. citizens' personal information and privacy," said National Security Council spokeswoman Caitlin Hayden, according to Reuters.
"Also, we believe that the inclusion of generous liability and antitrust protections could limit the government's ability to protect citizens and hold corporations accountable," she added.
The proposed legislation would clearly be a benefit to the cybersecurity community and bolster efforts to protect both government and private sector organizations from cyberattacks. However, for the bill to be successful, businesses will have to be cautious about what data they share with federal agencies to ensure they are not encroaching on individuals' rights to privacy.
It's a fair argument that relieving companies of liability when they share information with the government is a tricky situation. Though the proposal has positive signs, it will likely need some work before it becomes law.
Data Security News from SimplySecurity.com by Trend Micro