A Senate panel approved a bill that would give Bank of America Corp., Visa Inc. and other companies operating critical U.S. computer systems legal protections for sharing hacking threats with each other and the government.
Backed by industry groups including the American Bankers Association and the Financial Services Roundtable, the bill is designed to address concern that disclosing hacking vulnerabilities could expose companies to lawsuits or that communications with competitors could invite antitrust actions.
“This is the first bill in a very difficult arena,” Senator Dianne Feinstein, a California Democrat and chairman of the Senate’s intelligence committee, told reporters after her panel approved the bill. “It’s very much a first step. Later on there may be other steps that need to be taken.”
The House has passed a similar bill, and lawmakers backing the legislation say they believe they have the momentum to get it onto President Barack Obama’s desk this year.
While companies won’t be obligated to share data under the bill, there’s clearly a need. Cybercrime costs banks, retailers, energy companies and others as much as $575 billion a year and rising, according to a report published last month by the Washington-based Center for Strategic and International Studies and sponsored by network security company McAfee Inc.
The Senate’s bill “is a very good step forward” to promote the sharing of hacker threat data, three top industry officials wrote in a letter of support yesterday to Feinstein and Senator Saxby Chambliss of Georgia, the top Republican on the intelligence panel.
“The threat of cyber attacks is a clear and present danger to our industry and to other critical infrastructure providers that we and the nation as a whole rely upon,” according to the letter from Frank Keating, president and chief executive officer of the American Bankers Association; Tim Pawlenty, president and CEO of the Financial Services Roundtable; and Kenneth Bentsen, president and CEO of the Securities Industry and Financial Market Association.
“It is critical for Congress to take action to enhance, facilitate and protect threat information sharing across sectors and with the federal government,” they wrote.
SIFMA, Wall Street’s biggest trade group, has proposed a government-industry cyberwar council to stave off terrorist attacks that could trigger financial panic by temporarily wiping out account balances, according to an internal document.
The Senate bill would authorize the Department of Homeland Security to serve as the primary federal civilian agency for coordinating information-sharing efforts. That would enable the five-year-old DHS National Cybersecurity and Communications Integration Center to bolster its role as an anti-hacking coordinator between U.S. banks, utilities and other companies operating the networks that millions of Americans use daily.
“If we don’t know what’s going on, we can’t respond to it,” Larry Zelvin, director of the center, said in an interview. “Sometimes we don’t know about an attack until it comes up in the news or social media.”
Recent examples have shown the growing threat of hackers. A Russian group known as “Energetic Bear” is attacking energy companies in the U.S. and Europe and may be capable of disrupting power supplies, security company Symantec Corp. said in a blog post last month.
The hackers, also called “Dragonfly,” appear to have the resources, size and organization that suggest government involvement. The attackers are targeting grid operators, petroleum pipeline operators, electricity generation firms and other “strategically important” energy companies, the company said.
The U.S. Department of Justice in May indicted five Chinese military officials for stealing the trade secrets of major global companies like U.S. Steel Corp. and Alcoa Inc. One of the indicted hackers, known as UglyGorilla, was seeking access to parts of a U.S. utility that would let him cut off heat or explode pipelines.
However, almost two dozen privacy advocates including the Electronic Frontier Foundation and the American Civil Liberties Union told Feinstein and Chambliss in a June 26 letter they “strongly oppose” the bill because it could allow private communications to flow to the NSA and law-enforcement agencies. It also doesn’t have adequate controls to protect personal data or limit how information is used and gives companies overly broad liability protection, the groups wrote.
The House voted 288-127 in April 2013 to pass its bill, H.R. 624, giving companies legal protections for sharing information about hacking threats. A number had not yet been given to the Senate bill.