The U.S. House of Representatives will take up a cybersecurity bill at the end of April that lets the government and corporations share information about hacking attacks on U.S. networks, with amendments intended to ease civil liberties concerns, lawmakers said on Tuesday.
Representatives Mike Rogers, a Michigan Republican, and C.A. "Dutch" Ruppersberger, a Maryland Democrat, are pushing legislation that would expand a Pentagon pilot program for sharing classified and sensitive threat information from just defense contractors and their Internet providers to a broader segment of the private sector.
Rogers and Ruppersberger are the top two lawmakers on the House Permanent Select Committee on Intelligence.
But the bill, which has 105 co-sponsors, has come under attack from groups like the Electronic Frontier Foundation, which said in a blog post last month that the bill failed to use narrow enough language to define a cyber threat.
The group said the bill would give the government free rein to monitor communications, filter content from sites like WikiLeaks, or possibly shut down access to online services.
In a news conference on Tuesday, Rogers and Ruppersberger said their bill had no such intent. They said they would clarify that private companies would give information about threats only to the U.S. Department of Homeland Security.
This would cut out the National Security Agency, which has the best cybersecurity expertise in government but is distrusted by civil liberties groups because of warrantless wiretapping as part of the war on terror.
And they stressed that the bill's goal was only to share information about malicious software code - not content.
"Malicious code will be caught before it gets into networks. That's where we think we make the biggest bang for the buck," Rogers said.
Rogers and Ruppersberger plan to introduce language that says if the government uses the gathered data for any purpose outside of cybersecurity that it will be vulnerable to private lawsuits.
A number of bills are moving through Congress as U.S. policymakers become increasingly concerned that terrorists could mount a cyber attack that could shut down critical infrastructure, such as electricity plants or financial systems.
There have also been a number of high-profile private-sector breaches, including ones involving defense contractors such as Lockheed Martin Corp, Google and Citigroup.
The most recent target that received wide attention was Global Payments Inc, which said on March 30 that a data breach compromised the account numbers of 1.5 million credit card holders.
Internet service providers and other companies have long complained that they give information to the U.S. government about potential cyber threats but often do not find it a two-way street.
They say the government is reluctant to reciprocate because the information is either classified or part of an investigation linked to a potential prosecution.
Lee Tien, a senior staff attorney with the Electronic Frontier Foundation, said he had not seen the proposed amendments, and could not say if they would allay his group's concerns.
The Senate is considering two cybersecurity bills, both of which overlap with the information-sharing measure proposed by the Rogers-Ruppersberger bill.
James Lewis, a cybersecurity expert who calls the Rogers-Ruppersberger bill "nice to have but not enough," predicted a rough road for the legislation.
"You're going to see a bill out of the Senate and out of the House that are markedly different," he said.