WASHINGTON — Financial institutions pushed Friday for the enactment of cyber-security legislation that would allow for greater sharing of information between the private sector and the federal government.
At a hearing of the House financial institutions subcommittee, industry witnesses sought to assuage the concerns that privacy watchdogs have raised about the legislation.
"There are legitimate reasons to share this information to benefit citizens," said Paul Smocer, who heads the Financial Services Roundtable's technology policy division. "Sharing details about breached customer information and sharing it quickly would allow institutions to take action to prevent fraud against their commercial and retail customers."
The hearing came more than a month after the House passed a bill — known as the Cyber Intelligence Sharing and Protection Act, or Cispa — by a 248-168 margin.
Though the cyber-security debate has now shifted to the Senate and the White House, where President Obama is threatening to veto the House bill, Friday's hearing offered a platform for the legislation's supporters in the financial industry and in Congress to press their case.
The hearing was convened by Rep. Scott Garrett, R-N.J., a supporter of the House bill, who issued a warning about the threat that cyber criminals pose to consumers, financial institutions and U.S. government agencies.
"Fortunately, as we saw in the terrible attacks a decade ago in New York City, our markets are resilient," Garrett said. "And I'm confident they only have become more resilient and more reliable ever since. But it is important to let them tell the story today in their own words. And so we are holding these hearings to discuss current and potential threats against our financial service industry."
More information-sharing between the private and public sectors would allow financial institutions to draw on the expertise and resources of the federal government in the perpetual cat-and-mouse game between hackers and their targets, supporters said.
Industry witnesses did not specifically mention the cyber threats emanating from China, but they spoke in general terms about the role that some foreign governments are playing in such attacks, arguing that their involvement underscores the need for greater cooperation between the U.S. government and private-sector firms.
"It's our position that it's not reasonable to expect individual companies — no matter how large or sophisticated — to independently stave off cyber-attacks that are coordinated and backed by a foreign government," said Mark Graff, chief information security officer for NASDAQ OMX.
The hearing came as the New York Times reported on U.S. cyber-attacks against Iran, highlighting the growing role of such tactics in international relations.
Few congressional opponents of the House legislation spoke at Friday's hearing, although Rep. David Schweikert, R-Ariz., who voted against the bill, said that he is concerned about the growing role of the government in cyber-security.
He said that "government so often becomes so bureaucratic and moves so slowly that, Will they actually make reaction time worse and therefore raise our exposure?"
But it is the concern among many Democrats that the bill's privacy protections are inadequate that pose the biggest barrier to enactment.
In announcing the threat of a veto of the House bill on April 25, the White House stated: "The sharing of information must be conducted in a manner that preserves Americans' privacy, data confidentiality, and civil liberties and recognizes the civilian nature of cyberspace. Cyber-security and privacy are not mutually exclusive."
The Senate is expected to consider its own cyber-security bill later this month. The legislation's sponsors, led by Sen. Joseph Lieberman, have reportedly been meeting with civil-liberties groups in an effort to satisfy their concerns about the legislation's impact on privacy.
At Friday's hearing, witnesses from the financial industry were careful to say that they share an interest in protecting their customers' privacy.
"Access to threat information must be administered in a manner that can provide broader cyber-security protection, without compromising ongoing investigations or the privacy of individual Americans," said Errol Weiss, director of Citigroup's cyber intelligence center.
