Legislation to give Verizon Communications Inc. (VZ:US) and Google Inc. (GOOG:US) legal protection for sharing cyber-attack information with the U.S. government has stalled after leaks about spy programs showed the companies are already turning over data.
Lawmakers have stopped advancing cybersecurity legislation until at least September as they gather more information about the National Security Agency surveillance programs and hear from constituents to assess the political fallout, Senate and House members from both parties said in interviews.
Disclosure of the NSA programs “probably couldn’t have come at a worse time” for advancing a cybersecurity bill, said Representative Michael McCaul, chairman of the House Homeland Security Committee. The Texas Republican said he’s postponed introducing his legislation at least until September.
“There’s very little faith in the institutions of government right now,” said Representative Tom Cole of Oklahoma, a Republican party leader. “If you look like you’re not sufficiently critical and sufficiently vigilant in defending people’s liberties I think they’ll express that at the polls.”
Former NSA contract worker Edward Snowden this month exposed classified programs, authorized by a secret surveillance court, that collect phone-call records of millions of U.S. citizens from New York-based Verizon and monitor Internet communications of suspected foreign terrorists.
Corporate officials have testified before Congress about the need for legislation, while Verizon, Comcast Corp. (CMCSA:US) and McAfee Inc., now part of Intel Corp. (INTC:US), as well as Google Chief Executive Officer Eric Schmidt, have written letters in support of legislation.
Those companies have now become silent in the wake of the leaks on whether they still support it. Delaying action leaves the rules unclear about what data can be shared and whether the companies can be sued by customers for providing data to the government.
Google, based in Mountain View, California, was among the Internet companies said to be providing data for the Internet communications monitoring effort, known as Prism. The company has asked the surveillance court for permission to disclose intelligence agencies’ requests for user data.
Prior to Snowden’s leaks, lawmakers and officials from President Barack Obama’s administration were calling with increasing urgency for legislation to defend banks, utilities and telecommunication networks from potentially devastating computer attacks.
“This has become a radioactive fallout zone for a while in terms of new legislation,” said Stewart Baker, former general counsel for the NSA, in an interview.
The House in April passed a bill, H.R. 624, that would shield companies from lawsuits for sharing information about hackers with each other and the government, and authorize corporations to receive classified data from U.S. intelligence agencies about threats.
Companies had been asking the Senate, which hasn’t introduced a bill this year, to follow the House.
Sena Fitzmaurice, spokeswoman for Philadelphia-based Comcast, declined to comment about whether the company still supports the House bill. Verizon spokesman Edward McFadden didn’t respond to phone calls and e-mails for comment.
Michigan Democrat Carl Levin, chairman of the Senate Armed Services Committee, said passing a cybersecurity measure has become more difficult in the Senate.
“People’s demand for transparency has definitely increased,” said Jan Schakowsky, of Illinois, the top Democrat on the House Intelligence Oversight and Investigations subcommittee.
Senator Dianne Feinstein, a California Democrat and chairwoman of the Senate Intelligence Committee, said she plans to introduce similar legislation to the House bill, though wouldn’t say when.
Feinstein is reviewing whether companies should be allowed to directly share information about online attacks with the NSA or be required to interact with a civilian agency, like the Homeland Security Department.
Legislation is needed “to ensure that voluntary information sharing is lawful,” Feinstein said an e-mailed statement. She said it should include liability for companies and privacy protections for citizens.
McCaul said his bill will require companies to share data with Homeland Security. Last year, Senate Republicans blocked cybersecurity legislation in part because of objections that the department would be the contact point for data sharing and setting the rules.
“People get spooked by the fact that the NSA has housed everybody’s phone records,” he said.
The scope of information companies are sharing with the government under the spy programs isn’t clear, said Michelle Richardson, legislative counsel for the American Civil Liberties Union in Washington.
The ACLU has opposed cybersecurity legislation on grounds that citizens’ personal information might not be protected if turned over to the government as part of sharing data on cyber threats. Richardson questioned whether a new law is needed given the amount of data already being exchanged.
The government can order telecommunications and Internet companies to provide data related to national security investigations under sections of the Patriot Act and Foreign Intelligence Surveillance Act. The companies are given legal protections for doing so.
In some cases, data is used to defend computer networks from hacking attacks, according to the Office of the Director of National Intelligence (0113121D:US). These communications have “provided significant and unique intelligence regarding potential cyber threats to the United States including specific potential computer network attacks,” the office said June 8.
Frank Shaw, a spokesman for Redmond, Washington-based Microsoft Corp. (MSFT:US), and Michael Fey, McAfee’s worldwide chief technology officer, said their companies also voluntarily provide intelligence agencies additional data on threats to computer networks.
It’s wrong to lump together the type of information being shared under the spy programs with what would fall under a cybersecurity bill, said Michael Chertoff, Homeland Security secretary under President George W. Bush.
“They’re completely different things and they shouldn’t be confused, although inevitably they will be,” Chertoff said in an interview.
“What you’re looking for in cyber is information about what’s in the packets moving across the Internet and the malicious code,” said Chertoff, who founded a security consulting company in Washington. “The collection of phone data doesn’t help you with cyber. The other stuff only looks at foreign communications.”
Legislation to defend computer networks would enable automated sharing about new hacking attacks and involve more companies than are covered under the spy programs, such as utilities, Chertoff said.
To contact the reporter on this story: Chris Strohm in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Bernard Kohn at email@example.com