Trade Law Daily is a Warren News publication.
More Democratic Support

House Passes Protecting Cyber Networks Act

The House passed the Protecting Cyber Networks Act (HR-1560) Wednesday on a 307-116 vote, the first of two cybersecurity information sharing bills the House was to consider this week. HR-1560 would offer liability protections for information sharing to many federal agencies except the Department of Defense and the NSA. The National Cybersecurity Protection Advancement Act (HR-1731), set for a House vote Thursday, would establish the Department of Homeland Security’s National Cybersecurity and Communications Integration Center as the main federal civilian hub for information sharing. Industry lobbyists said earlier this week that they believed both bills were likely to pass (see 1504200047).

Opposition to the bill Wednesday proved to be more vocal on the House Rules Committee's ruling Tuesday against including a spate of amendments aimed at improving privacy protections in the bill. Rep. Jared Polis, D-Colo., said he was concerned that HR-1560 and HR-1731 would do “more harm than good” by opening up personally identifiable information to potential government scrutiny. House Intelligence Committee Chairman Devin Nunes, R-Calif., and other proponents of HR-1560 repeatedly said the bill would require both the private sector and federal agencies to “scrub” cyberthreat information of personally identifiable information except when that information directly pertains to a potential cyberthreat. The bill's standard for what constitutes personal information that relates to a cyberthreat is “too vague,” allowing a major loophole in the scrubbing process, Polis said.

Democratic support for HR-1560 was ultimately larger than for the House Intelligence-passed Cyber Intelligence Sharing and Protection Act, which the House passed in the two previous Congresses. HR-1560 got the backing of 105 House Democrats, while 92 voted for CISPA in 2013. HR-1560 "makes clear in black and white legislative text that nothing in the bill authorizes government surveillance," said House Intelligence ranking member Adam Schiff, D-Calif. Rep. Dutch Ruppersberger, D-Md., who sponsored CISPA this year (HR-234) and co-sponsored two previous iterations of the bill, said HR-1560 is "very similar" to CISPA.

Multiple House Democrats said they believed HR-1560 differed substantially from CISPA. Rep. Jim Himes, D-Conn., said the privacy protections in HR-1560 are "considerably" better than those contained in CISPA. Rep. Terri Sewell, D-Ala., said HR-1560 "is a vast improvement" over CISPA, noting HR-1560's requirement for a double scrubbing of personal information from shared threat information.

The White House urged Congress Tuesday to pass HR-1560 and HR-1731 but noted in a policy statement that it's concerned about HR-1560's “sweeping liability protections” because they could “remove incentives for companies to protect their customers' personal information and may weaken cybersecurity writ large.” The White House said it believes HR-1560's language “should also ensure that information is not shared for anticompetitive purposes.”

Polis said he was also concerned by House Rules' decision to let the House combine provisions of HR-1560 and HR-1731 into a single bill if both bills pass for the purposes of conferencing that legislation with the Cybersecurity Information Sharing Act (S-754). The Senate is expected to vote on S-754 as soon as next week. House Rules' rules for combination of HR-1560 and HR-1731 make it “unclear” which bill's provisions would prevail when the House combines them, which is problematic because the bills contain contradictory provisions, Polis said. Rep. Doug Collins, R-Ga., defended the House Rules ruling and said there had been sufficient oversight of the bills' provisions within House Intelligence and the House Homeland Security Committee. House Homeland Security Chairman Michael McCaul, R-Texas, said he and Nunes had “worked in lockstep” on HR-1560 and HR-1731 and the bills “represent a united front.” The House ultimately approved the House Rules ruling 238-182.

The House voted to approve all five amendments that House Rules ultimately cleared for full House consideration. The House voted 313-110 to approve an amendment requiring Congress to go through a reauthorization process for HR-1560 after seven years, despite opposition from Nunes and other Republican leaders. Nunes argued that a “sunset clause” would make private sector entities less willing to voluntarily share threat information with federal agencies because of potential uncertainty about the bill's chance for reauthorization. Rep. Mick Mulvaney, R-S.C., said he offered the amendment because he wanted a “hardwired” provision in HR-1560 to force Congress to revisit the bill and ask “'did we get it right?'” A seven-year window before reauthorization is appropriate for HR-1560 because of the complexities involved in implementing information sharing, Mulvaney said.

The House approved a manager's amendment containing a revised version of HR-1560 on a unanimous voice vote, and easily cleared three other amendments. One amendment would require agencies' inspectors general to issue reports on their information sharing procedures, procedures for scrubbing personal information from cyberthreat data and any incidents in which personal information is mistreated. A second amendment would require a GAO report within three years on federal agencies' removal of personal information from shared cyberthreat information. The other amendment would require the Small Business Administration to assist small businesses and small financial institutions with participating in information sharing programs and to issue a report on small business participation in information sharing.