Rep. Michael McCaul (R-Texas), chairman of the House Homeland Security Committee, is introducing a draft of new cybersecurity legislation that would make it easier for private sector companies to share cyber threat information with the government and with each other.
In a speech at the Center for Strategic & International Studies (CSIS), McCaul said that "criminals, hacktivists, terrorists, and nation-states have managed to exploit our networks by staying at the cutting edge of technology. In the meantime, our defenses have lagged behind."
To help catch up, McCaul said the committee would try to mark up the new bill within the next few weeks and take it to the House floor next month, where he promised to be "forward-leaning" and "reach across the aisle" to get a bill passed.
Earlier cybersecurity bills have fallen prey to partisanship on an issue that both sides argue should not be a partisan one.
He said the bill will provide for the voluntary exchange of "government-to-private" and "private-to-private" threat information, and would provide liability protection for companies that monitor their information systems and take measures to defend them from attack.
One of the political divides has been over how insulated companies should be from liability.
McCaul says the bill would ensure that the sharing is done without compromising customers' private information. He said that would mean that when breach information is shared, it will be "thoroughly scrubbed [of] personal information."
"In the current environment, companies do not feel they have the adequate legal protection to take these measures," he said.
He said his committee is working with the House Judiciary Committee on a liability exemption standard that would be used "in other cyber information-sharing legislation in the House."
The bill also requires the Department of Homeland Security's National Cybersecurity and Communications Integration Center (NCCIC), which he calls the "primary federal civilian interface for the sharing of cyber threat information," to destroy any personal information unrelated to a threat or incident. He said that is an issue he takes "very seriously."
"Today we have a dangerous incomplete picture of the cyber weapons being used against us," he warned the crowd. "More rapid and frequent information-sharing about these threats will give us the ability to head off cyber adversaries before they can do more damage—both to the public and to private networks."
The President last month signed an executive order encouraging more cyber threat information sharing, but McCaul says more needs to be done.
"The President has also proposed steps to enhance liability protection, and I was pleased that he did so because it moves the debate and the discussion forward on both sides of the aisle," he said. "I would submit though, that it does not go far enough on liability protection, which is why our bill aims to create more robust liability protections."