U.S. Chamber of Commerce - Key Vote Alert! - H.R. 3523, the "Cyber Intelligence Sharing and Protection Act"
April 26, 2012
TO THE MEMBERS OF THE U.S. HOUSE OF REPRESENTATIVES:
The U.S. Chamber of Commerce, the world’s largest business federation
representing the interests of more than three million businesses and organizations of
every size, sector, and region, strongly urges you to vote in favor of H.R. 3523, the
“Cyber Intelligence Sharing and Protection Act,” which represents an important step
forward on cybersecurity issues by removing legal hurdles that would prevent the private
sector and government from sharing cyber threat information. The Chamber opposes
three amendments that would weaken this bill.
Businesses are intensely focused on guarding their operations from interruption
and exploitation, preventing the loss of capital and sensitive information, and protecting
public safety. They devote significant resources to maintain their operations in the wake
of a natural hazard or man-made threat, such as cyber espionage. Today, economic
security is national security, and the federal government can do more to help the private
sector protect itself while not tying the hands of owners and operators in red tape.
H.R. 3523, sponsored by Reps. Rogers and Ruppersberger, was reported out of
the House Permanent Select Committee on Intelligence in December by a vote of 17 to 1
and currently has more than 100 co-sponsors. The business community has especially
embraced this bill because it represents a critical step towards answering a fundamental
question: How can policymakers truly help companies protect their computers and
networks against global cybersecurity threats? The Chamber believes that this legislation
would help tip the scales in businesses’ favor against online raiders who seek to steal
trade secrets or potentially disrupt infrastructure networks.
This bill would make limited and practical changes to policy. It would establish
an information-sharing framework that is strictly voluntary and would impose no new
federal mandates on private citizens or business entities. This legislation contains an
“anti-tasking” provision that would guard Americans’ privacy by prohibiting the
government from compelling private companies to hand over personal information. This
bill would encourage companies to anonymize and minimize the information that they do
share with appropriate entities. Indeed, the central purpose of this bill is to ensure the
security and resilience of a computer system or network, rather than to collect and
monitor personal information.
Reps. Rogers and Ruppersberger have written their bill in a bipartisan and open
manner, and they have worked diligently to seek common ground with privacy and civil
liberties organizations on issues such as the definition of cyber threat information and
how the government can use the information that it receives.
Most important, H.R. 3523 would enhance federal government’s ability to share
targeted cyber information with vetted businesses so that owners and operators can
improve the protection of their computer networks and customers’ personal data against
malicious actors. Businesses need timely and actionable information so that they can
mitigate advanced and sophisticated attacks coming from amply resourced criminal syndicates and
foreign governments or their proxies. Likewise, this bill would incentivize the private sector to share
cyber threat information with authorized federal partners to improve the government’s ability to
protect itself, the business community, and the nation. It would also give businesses much needed
certainty that specific cybersecurity information shared with the government would not lead to
frivolous lawsuits or would not be used to regulate them.
The Chamber strongly opposes several amendments that would weaken and impair this
needed legislation, including amendments offered by:
- Reps. Langevin and Lungren, which would nominally seek to expand the types of privately owned organizations that could participate in the voluntary information-sharing program. The amendment would insert “critical infrastructure owners and operators” into a substantive part of the bill that already aims to expand eligibility. The implications of the amendment are far from clear and need further analysis. Such language would layer additional regulations or mandates on critical infrastructure. Regulating critical infrastructure would impede, not enhance, security and innovation.
- Rep. Conyers, which would dilute some of the liability protections in the bill that are afforded to certified entities. The intent of the bill is to provide strong liability protections for private-sector entities to robustly monitor their networks and to report cyber threats and vulnerabilities to government officials to improve collective security. Legislation should incentivize owners and operators to take prompt and constructive actions to deal with cyber threats, not leave them feeling exposed to legal uncertainty.
- Rep. Mulvaney, which would unnecessarily sunset the provisions of the bill after five years—an arbitrary timeframe. The Chamber is confident that the information-sharing initiative in H.R. 3523 would work well and businesses would devote considerable resources toward implementing it. This amendment would unnecessarily inject unpredictability into the program.
In addition to H.R. 3523, the Chamber supports three other information security-related
measures that are expected to be considered under suspension this week. Two bills—H.R. 2096 and
H.R. 3834—would improve national efforts devoted to cybersecurity research and development. The
third, H.R. 4257, would update the Federal Information Security Management Act of 2002, or
FISMA, enabling the government to proactively counter risks based on continuous monitoring of
civilian government networks and system activity.
Passing H.R. 3523 is a specific action Congress can take to help the nation’s public and
private sectors to prevent, deter, and mitigate an array of cyber threats coming from illicit actors
without layering burdensome regulations on industry. The Chamber strongly supports H.R. 3523.
The Chamber may include votes on, or in relation to, H.R. 3523 in our annual How They Voted
scorecard.
Sincerely,
R. Bruce Josten
