CISA, the Cybersecurity Information Sharing Act, has officially passed the Senate. While Congress is busy merging CISA with two other so-called cybersecurity bills that passed the House of Representatives, in this episode we take an in-depth look at the contents of all three bills and discover that they are not what you're being led to believe.
S. 754: Cybersecurity Information Sharing Act of 2015
- Passed the Senate 74-21 on October 27, 2015.
- Sponsored by Sen. Richard Burr of North Carolina
- 118 pages
Outline of the Bill
Definitions:
- "Agency" = "Any executive department, military department, Government corporation, Government controlled corporation, or other establishment in the executive branch of the Government (including the Executive Office of the President), or any independent regulatory agency, but does not include":
  - The Government Accountability Office
  - Federal Election Commission
  - The governments of the District of Columbia and of the territories and possessions of the United States, and their various subdivisions
  - Government-owned contractor-operated facilities, including laboratories engaged in national defense research and production activities
- "Cybersecurity threat" = An action "not protected by the First Amendment to the Constitution" that "may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system."
  - A "cybersecurity threat" does not include "any action that solely involves a violation of a consumer term of service or a consumer licensing agreement."
- "Cyber threat indicator" = Information that is needed to identify:
  - Spying, including strange patterns of communications that appear to be collecting technical information
  - Security breaches
  - Security vulnerabilities
  - A legitimate user being used to defeat a security system
  - Malicious cyber command and control
  - The harm caused by a cybersecurity incident, including the information taken as a result
  - "Any other attribute of a cybersecurity threat, if disclosure of such attribute is not otherwise prohibited by law"
- "Entity" = "Any private entity, non-Federal government agency or department, or State, tribal, or local government (including a political subdivision, department, or component thereof)"
  - Does not include a "foreign power", which means a foreign government or a foreign-based political organization.
Sharing of Information by the Federal Government
Executive branch officials will write procedures for sharing classified and unclassified "cyber threat indicators" and Federal government information that would help the "entities" to prevent cybersecurity threats.
- The officials writing the rules will be the Director of National Intelligence, the Secretary of Homeland Security, the Secretary of Defense, and the Attorney General.
- The rules they write have to:
- Their procedures will be due 60 days after CISA becomes law.
Monitoring Authorizations
- Private companies can monitor their own information systems, other private information systems or Federal information systems with permission, and monitor "information that is stored on, processed by, or transiting these information systems"
- Entities can share with and receive information from any other entity or the Federal government.
- Before sharing information, it must be reviewed, and information known to be personal information "at the time of the sharing" must be removed.
- With the written consent of the sharing entity, information shared with a State, tribal, or local government may be used for "preventing, investigating, or prosecuting"...*
  - An "imminent threat of death, serious bodily harm, or serious economic harm"
  - Identity theft, transfers of stolen identification, possession of false identification
  - Unauthorized use of any card, plate, code, account number, or any equipment that can be used to transfer funds (fraud)
  - Use of a "telecommunication instrument" that's been altered to obtain "unauthorized use of telecommunications services"
  - Hacking and releasing government or banking information
  - Extortion
  - Harboring a criminal
  - Collection and/or communication of information about United States defense activities and infrastructure, or failure to report a defense data breach
  - Disclosure of classified information
  - Violations, or attempted violations, of NASA regulations
  - Unauthorized use of trade secrets
- The information shared with the government as a "cyber threat indicator" will be exempt from public disclosure under any State, tribal or local law.
- Companies will not be punished under antitrust laws for sharing information with each other "for cybersecurity purposes"
Sharing of Information by "Entities" with the Federal Government
The Attorney General and Secretary of Homeland Security will write the policies and procedures governing receipt of information from private entities and local governments. The policies must include...
The Department of Homeland Security will receive and distribute all of the cyber threat indicators shared with the government.
- Information shared will be withheld from the public under the Freedom of Information Act and all State, tribal, and local laws.
- In addition to the items of the list of allowed uses of information by State, tribal, and local governments (see Monitoring Authorizations section), the Federal Government can also use the information to...
Protection from Liability
No private entity can be successfully sued in court for sharing information with the government under CISA regulations.
- The only way a private entity can be sued is in the case of "gross negligence or willful misconduct"
Oversight of Government Activities
Federal Inspectors General will complete a report every two years.
- The report may include recommendations for improvement
Other Rules
This bill does not permit price-fixing, attempting to monopolize a market, boycotting, or exchanges of price or cost information, customer lists, or information regarding future competitive planning.
Intrusion Assessment Plan
The Secretary of Homeland Security will create a plan to identify and remove intruders on agency information systems.
- The plan will not apply to the Department of Defense, a national security system or an element of the intelligence community.
- The deployment and operation of the new monitoring system can be privatized
- The activities carried out in this new monitoring plan need to be "reasonably necessary" to protect agency information systems from cybersecurity risks
Federal Cybersecurity Requirements
Agencies will have to encrypt or render indecipherable information that is stored or transmitted by their information systems, create a single sign-in method for individuals accessing their websites, and implement identity management systems for remote access for each user account.
- This will not apply to the Department of Defense, a national security system, or elements of the intelligence community.
Emergencies
The Secretary of Homeland Security can authorize "intrusion detection and prevention capabilities" on another agency's information systems in the case of an "imminent threat"
Study on Mobile Device Security
The Secretary of Homeland Security will study threats caused by the shift of technology from desktops to mobile in the Federal Government
Health Care Industry Sharing
Creates a task force to create a plan for sharing with private health care entities specifically
Strategy for Protecting Critical Infrastructure
The Secretary of Homeland Security will have 180 days to develop a strategy ensuring that cyber security incidents would probably not be catastrophic for public health or safety, economic security, or national security. The strategy must include...
- An assessment of whether each entity should be required to report cyber security incidents
- A description of security gaps
- Additional power needed
- Some of this report can be classified.
Sunset
The provisions of this bill would expire 10 years after enactment
H.R. 1731: National Cybersecurity Protection Advancement Act of 2015
For reference, here's the text as of March 2015 of the Homeland Security Act, which is amended by this bill.
This bill:
H.R. 1560: Protecting Cyber Networks Act
- Contains the text of H.R. 1731: National Cybersecurity Protection Advancement Act
- Within 90 days of enactment, the Director of National Intelligence must develop procedures for sharing classified "cyber threat indicators" with "non-Federal entities"
- Allows cybersecurity monitoring of government systems to be privatized
- Allows "non-Federal entities" to share information with anyone other than the Defense Department.
- The entity sharing information must "take reasonable efforts" to remove personally identifiable information on people "not directly related" to the cybersecurity threat.
- The President will develop policies governing what happens to information received by the Federal Government, within 90 days of the bill becoming law.
- The Attorney General will create policies relating to privacy and civil liberties, within 90 days of the bill becoming law.
- A new branch, with 50 or fewer employees, will be created within the Office of the Director of National Intelligence called the Cyber Threat Intelligence Integration Center, which will "serve as the primary organization within the Federal Government for analyzing and integrating all intelligence possessed or acquired by the United States pertaining to cyber threats."
- Information shared with the government is exempt from public disclosure.
- Information given to the government "shall not be subject to a rule of any Federal department or agency or any judicial doctrine regarding ex parte communications with a decision-making official."
- The government can keep and use information given to it to investigate, prosecute, prevent or mitigate a threat of "death or serious bodily harm or an offense arising out of such a threat" and to investigate, prosecute, prevent or mitigate a threat to a minor. The information can also be used to prevent, investigate, disrupt, or prosecute fraud, unauthorized access to computers and transmission of information taken from it, "serious violent felonies" including murder, manslaughter, assault, sexual abuse, kidnapping, robbery, carjacking, extortion, firearms use, firearms possession, or attempt to commit any of these crimes, espionage including photographing or sketching defense installations, and theft of trade secrets.
- Passed 307-116 in the House
- Sponsored by Rep. Devin Nunes of California
- 121 pages
Audio Sources
- Senate Floor Proceeding: CISA debate, October 27, 2015 (Transcript)
- House Rules Committee: Hearing about H.R. 1731 and H.R. 1560, the House cybersecurity bills, April 21, 2015
Additional Information
- Article: The fight over CISA is far from over by Eric Geller, The Daily Dot, October 28, 2015.
- Webpage: About the National Cybersecurity and Communications Integration Center, Department of Homeland Security.