Sharing Threat Intel Is Voluntary in New Bills

Posted April 27, 2015 at 2:08pm

Neither cybersecurity bill passed by the House last week would require that companies share information about cyber-threats. It’s voluntary.

But if companies choose not to participate, the congressional sponsors will likely blame the House’s decision to adopt amendments to both measures sunsetting them after seven years.

During the floor debates over their bills, both Intelligence Committee Chairman Devin Nunes of California and Homeland Security Committee Chairman Michael McCaul of Texas tried unsuccessfully to block the amendments. A majority of both Republicans and Democrats disagreed and voted for an amendment by Republican Rep. Mick Mulvaney of South Carolina to the Nunes bill.

The next day, McCaul protested but accepted a voice vote in favor of Mulvaney’s amendment to his bill.

Mulvaney said it made good sense to force Congress to ensure the bill was working as intended. But Nunes and McCaul argued companies wouldn’t take the time to set up systems for sharing information, or take the legal risk of doing so, if Congress might kill the liability protections after seven years.

Companies bolstered that view with their protests. As the amendments were coming up for consideration, groups including the Securities Industry and Financial Markets Association and the Financial Services Roundtable, which represent banks and investment firms, urged a no vote.

That prompted McCaul, who’d said during a Rules Committee markup earlier in the week that he could accept a seven-year sunset, to do an about-face on the floor. “Since the time the Rules Committee discharged the amendment, there’s been tremendous opposition from industry which concerns me about the participation in this program and the success of this program,” he said.