By Tabassum Zakaria and Diane Bartz
WASHINGTON | Wed Nov 30, 2011 7:14pm EST
(Reuters) – Lawmakers on Wednesday proposed fighting the cyber threat that is taking a toll on American companies by allowing spy agencies to share threat intelligence with private firms.
Representative Mike Rogers, the Republican chairman of the House of Representatives intelligence committee, and the panel’s senior Democrat, Representative C.A. “Dutch” Ruppersberger, announced legislation to protect U.S. firms from cyber attacks by foreign countries and individual hackers by allowing information-sharing with agencies like the National Security Agency.
“Our intelligence agencies collect important information overseas about advanced foreign cyber threats that could dramatically assist the private sector,” Rogers said.
“The government needs to be able to share this threat intelligence so that the private sector can protect its own networks,” he said at the public unveiling of the bill.
Rogers has been outspoken in accusing China of widespread cyber espionage. An intelligence report released earlier this month accused China and Russia of using cyber espionage to steal U.S. trade and technology secrets.
“North Korea just attacked a major banking system in South Korea. That can happen today in the United States of America,” Ruppersberger said.
“We will have a catastrophic attack within the next year, whether it’s attacking a banking system, a grid system, this is going to happen and we have to make sure that we protect ourselves,” he said.
The legislation aims to expand to the broader private sector the theme of a pilot Pentagon program for sharing classified and sensitive threat information with defense contractors and their internet service providers.
Defense contractors like Lockheed Martin Corp have been among the high-profile victims of cyberattacks. Others include Google and Citigroup.
Sponsors of the bill envision, for example, that NSA would share with internet service providers information about the different types of cyber threats that the intelligence agency has detected so that the ISP can then block traffic to its customers from anything with that signature.
Internet service providers and other companies have long complained that they give information to the U.S. government about potential cyber threats but often do not find it a two-way street. They say the government is reluctant to reciprocate because the information is either classified or part of an investigation linked to a potential prosecution.
Some critics worry this type of sharing arrangement amounts to government surveillance of private data.
The bill would require a review to ensure the protection of privacy and civil liberties, the lawmakers said. It also offers protections from frivolous lawsuits to companies that share cyber threat information with the government, they said.
At this early stage it was unclear how the legislation would fare in getting through the Republican-controlled House and the Democratic-controlled Senate before landing on President Barack Obama’s desk to be signed into law.
The White House said it was reviewing the bill but raised some initial concerns that it fell short of privacy protections in the administration’s own proposal released in May.
“The administration strongly believes that we need to make sure that any legislation put forward sufficiently protects U.S. citizens’ personal information and privacy,” Caitlin Hayden, National Security Council spokeswoman, said.
“Also, we believe that the inclusion of generous liability and antitrust protections could limit the government’s ability to protect citizens and hold corporations accountable,” she said.
Stewart Baker, a former Homeland Security official who is now a partner with the Steptoe & Johnson law firm, said, “What’s new is that the self-protected entity can share that information with the federal government. That’s new because there are provisions of law that prevent ISPs from sharing subscriber information with the federal government.”
But he was concerned that measures in the bill that would relieve companies of liability once they shared data with the government might be too broad.