The House Permanent Select Committee on Intelligence voted 18-2 Wednesday to pass legislation that would allow private companies to share cybersecurity information with federal agencies.
In a closed-door session, the committee adopted amendments designed to assuage fears that the bill would allow broad government monitoring of domestic electronic communications and scoop up the personal data of Americans for analysis by the National Security Agency.
The bill is expected on the House floor as early as next week.
“This is not a surveillance bill,” said Rep. Mike Rogers, Michigan Republican and committee chairman. “This bill does not allow the NSA or any government agency to plug into domestic networks and listen in.”
However, the committee rejected two amendments supported by civil liberties advocates and proposed by the two Democrats who ended up voting against the bill: Reps. Adam B. Schiff of California and Janice D. Schakowsky of Illinois.
The Schiff amendment would have required companies sharing cybersecurity information (for instance, samples of network traffic data in real time) to make “reasonable efforts (which may include automated processes)” to strip out the personally identifiable or private data of individuals “unrelated to a cyberthreat.”
Mr. Schiff expressed disappointment that his amendment was voted down.
“It is not too much to ask that companies make sure they aren’t sending private information about their customers, their clients and their employees to intelligence agencies, along with genuine cybersecurity information,” he said.
The Software and Information Industry Association, which represents the big companies that make software, games and other digital content, opposed the amendment.
Personal or private data “may be intertwined with cybersecurity information in ways that make it hard to remove. That was our concern,” said David LeDuc, head of public policy for the association.
Mr. LeDuc offered as an example data tracing a hacker’s route into a compromised network, which might include him impersonating or taking over the machine of a person at the company to get the access he needs. That trace data might contain names and passwords, Mr. LeDuc said.
Committee staffers said lawmakers had adopted a different amendment, one that would require the government to strip out personal data.
The amended bill would “require government to establish procedures to minimize the [cybersecurity threat] information they receive of any” personally identifying information, said Rep. C.A. Dutch Ruppersberger of Maryland, the committee’s ranking Democrat. His district includes NSA’s headquarters at Fort Meade.
Congress has struggled and failed for years to pass broad cybersecurity legislation to protect nationally vital computer and communications networks, such as the phone system or the computer systems of major banks, from infiltration and attack by hackers, criminals and even foreign espionage or military agencies.
But the Cyber Intelligence Sharing and Protection Act, its authors say, would remove legal barriers that stop private-sector network owners and federal agencies from sharing real-time data with one another so online intruders or attackers can be detected and thwarted.
CISPA has “very narrowly drawn authorities with no room for misuse or abuse,” Mr. Rogers said.
He and Mr. Ruppersberger spoke with reporters on a conference call this week ahead of the closed-door session.