Congressional Efforts to Address Cybersecurity Heat Up

Cybersecurity is moving to the fore on Capitol Hill.

Rep. Marsha Blackburn, R-Tenn., introduced legislation Wednesday to strengthen the nation's safeguards against cyberattacks while a House of Representatives panel passed a measure to promote sharing of information about cyber threats.

On Tuesday, Sen. Jay Rockefeller, D-W.Va., called on the Securities and Exchange Commission to require publicly owned companies to disclose information to investors about cyber threats.

The push picks up where Congress left off last year after failing to advance cybersecurity legislation. It follows reports in February that hackers backed by China's military have stolen business secrets from U.S. companies and a wave of cyberattacks on some of the nations' biggest financial institutions.

Blackburn's bill would change how the government manages its own information systems, criminalize damage to computing infrastructure and call for companies to notify consumers if cyberattacks result in theft or financial harm.

The bill also would ease antitrust laws to encourage sharing about cyber threats among companies and the government while defining such threats narrowly in an effort Blackburn says aims to protect privacy. The bill further aims to prioritize funding for federal research into cyber threats.

"We cannot afford to sit idly by as malicious hacker groups, and the states that sponsor them like China and North Korea, devise more sophisticated and effective ways to attack our citizens, businesses, and government institutions," Blackburn said in a press release.

Separately, the House Permanent Select Committee on Intelligence adopted by a vote of 18 to 2 a measure sponsored by committee chairman Mike Rogers, R-Mich., and Rep. Dutch Ruppersberger, D-Md., the panel's top Democrat.

Their bill also aims to encourage sharing of information between companies and government agencies about cyber threats. The committee's action means the bill advances to the full House of Representatives, which could take up the measure as soon as next week, according to news reports.

Mike Reynard, a spokesman for Blackburn, told American Banker the two measures complement each other. "It's not either-or," Reynard said.

Rogers and Ruppersberger backed amendments to the bill that attempt to mollify the measure's critics, who charge it would allow companies to share online users' personal information with the National Security Agency and other government entities without sufficient safeguards to protect personal privacy.

The House passed a similar measure last year although President Obama threatened to veto the bill because of privacy concerns, which critics charge remain.

Alexis Ohanian, a co-founder of the news website Reddit, called on Google, Facebook and Twitter to oppose the bill.

The companies should "take the stand that their privacy policies matter, that their users' privacy matters, and no legislation like CISPA should take that away," Ohanian charged in a video posted on Wednesday on YouTube.

Rep. Adam Schiff, D-Calif., one of two panel members who opposed the bill, told the Los Angeles Times he felt hopeful the privacy concerns can be addressed as the bill advances to the full House. "I think the legislation is worthwhile," Schiff told the publication. "And it shouldn't be that hard to require the steps that would protect people's privacy while also preventing the massive theft of America's work product that's going on."

Rogers also is reportedly readying a bill that would punish companies from China and elsewhere that use secrets stolen by cyberthieves.

Senators, meanwhile, also are at work on a cybersecurity thrust of their own.

Commerce Committee Chairman Jay Rockefeller, D-W.Va., on Tuesday again asked the SEC to give companies guidance on when they should disclose cyber risks. "Investors deserve to know whether companies are effectively addressing their cybersecurity risks — just as investors should know whether companies are managing their financial and operational risks, Rockefeller wrote in a letter to SEC Chairman Mary Jo White.

Though Rockefeller made a similar request two years ago of White's predecessor, the senator said recent reports that hackers are targeting companies that control financial networks, energy grids and other critical infrastructure lend added urgency to the task. Though the commission's staff in October 2011 issued guidance on disclosure obligations regarding cybersecurity risks, with "the growing influence of cybersecurity on investors' and stockholders' decisions, the SEC should elevate this guidance and issue it at the commission level as well," Rockefeller added.

In January, Rockefeller joined with Senate Intelligence Committee Chairman Dianne Feinstein, D-Calif., and Homeland Security Committee Chairman Tom Carper, D-Del., to introduce a bill that also aims to spur companies and the government to work together to safeguard computer networks.

The Senate last year twice failed to pass cybersecurity legislation after some business groups opposed it, citing concerns over the security of data and how companies were expected to handle security breaches.

Senators are expected to renew the effort, which Rockefeller has called a priority.

Still, despite the legislative activity on varied fronts, politics remained. Blackburn on Wednesday blasted an order in February by the White House that calls for a voluntary program to encourage information sharing about cyber threats among financial firms, utility operators and other owners of critical infrastructure. Thinking that the problem of swiping business secrets by state-sponsored hackers "can be subtly deposited in our desktop recycling bin is just as much a losing proposition as President Obama's heavy-handed executive order," Blackburn charged.