Cybersecurity or surveillance? What does the language attached
at the last minute to the 2,009 page omnibus government funding
bill actually authorize? In this episode, we take a close look at
what just became law.
Please support Congressional Dish:
- Click here
to contribute with PayPal or Bitcoin; click the PayPal "Make it
Monthly" checkbox to create a monthly subscription
here to support Congressional Dish for each episode via
- Mail Contributions to: 5753 Hwy 85 North #4576 Crestview, FL
Thank you for supporting truly independent media!
The Cybersecurity Act of 2015 was attached at the last minute to
the "omnibus" government funding bill, which was 2,009 pages long
and available to read for less than three days before it became
law. This is and outline of what became law:
Section 102: Definitions
"Any executive department, military department, Government
corporation, Government controlled corporation, or other
establishment in the executive branch of Government"
- Does NOT include the Government Accountability Office, Federal
Election Commission, or Government-owned contractor-operated
threat": An action that "may result in an
unauthorized effort to adversely impact the security, availability,
confidentiality, or integrity of an information system or
information that is stored on, processed by, or transiting an
threat indicator": "Information that is necessary to describe
- Spying, including strange patterns of communications that
appear to be collecting technical information
- Security breaches
- Security vulnerabilities
- A legitimate user being used to defeat a security system
- Malicious cyber command and control
- "The actual or potential harm caused by an incident,
including a description of the information exfiltrated as a result
of a particular cybersecurity threat"
- "Any other attribute of a cybersecurity
threat, if disclosure of such attribute is not otherwise
prohibited by law"
private entity, non-Federal government agency or department, or
State, tribal, or local government (including a political
subdivision, department, or component thereof)"
Section 103: Sharing of Information by the Federal
Section 104: Authorizations for Preventing, Detecting, Analyzing,
and Mitigating Cybersecurity Threats
Use of Cyber Threat Indicators by Government
State, tribal, or local governments and
the Federal Government can use the information they receive
- Preventing a specific threat of death, serious bodily harm, or
specific threat of serious economic harm
- Investigating, prosecuting, and preventing serious threats to
minors, including sexual exploitation and threats to physical
Preventing, investigating, disrupting, or prosecuting...
- Identity theft,
transfers of stolen identification, possession of false
- Unauthorized use
of any card, plate, code, account number, or any equipment that can
be used to transfer funds (fraud),
of a "telecommunication instrument" that's been altered to obtain
unauthorized use of telecommunications services",
- Hacking and
releasing government or banking information,
- Harboring a
- Collection and/or
communication of information about United States defense activities
and infrastructure, or failure to report a defense data
- Disclosure of
- Violations, or
attempted violations, of NASA regulations
- Unauthorized use
of trade secrets
Information shared will be
"exempt from disclosure under any provision of
State, tribal, or local freedom of Information law, open government
law, sunshine law, or similar law requiring disclosure of
information or records"
Information shared between private entities can not be
considered violations of "any provision of antitrust
Section 105: Sharing of Cyber Threat Indicators and Defensive
Measures with the Federal Government"
Section 106: Protection from Liability
- The courts must dismiss any lawsuits against
"any private entity" for monitoring information systems or
sharing/receiving "cyber threat indicators"
Section 107: Oversight of Government Activities
- Heads of "appropriate Federal entities" will submit a
- Inspectors General of the "appropriate Federal entities" will
submit reports every two years
- The Comptroller General of the United States will submit a
report on actions taken by the Federal Government to
remove personal information. Report will be due in three
- Unclassified portions of the reports will be available
to the public.
Section 108: Construction and Preemption
- Lists what this bill is not intended to do
Section 109: Report on Cybersecurity Threats
- Report will be submitted by the Director of National
Section 110: Exception to Limitation on Authority of Secretary of
Defense to Disseminate Certain Information
- Specifically allows the Secretary of Defense to share
Section 111: Effective Period
- These provisions expire on September 30,
Section 203: Information Sharing Structure and Processes
Sections 206-209: Reports that will
expire after 7 years
Subtitle B: Federal Cybersecurity Enhancement Act of
Section 223: Improved Federal Network Security
- Requires the Secretary of Homeland Security and the Director of
the Office of Management and Budget to
develop a plan to proactively detect,
identify, and remove intruders in agency information systems.
Section 225: Federal Cybersecurity Requirements
- The Secretary of Homeland Security will issue binding
operational directives for agencies to secure their
networks within a year. Agencies will have to...
- Identify sensitive and mission critical data stored by the
- Assess the need to store that data and determine which
individuals need access to it
- Encrypt the data
- Implement a single sign-on platform for people using the agency
website that requires user authentication
- Require multi-factor authentication for remote access
- Agencies will not have to comply if they say it's "overly
burdensome to implement" or that it's not necessary.
- These binding operational directives
will not apply to the Defense Department, a "national security
system", or the intelligence community.
Section 227: Termination
- The directives and reports on them will expire in 7 years,
Section 229: Direction to Agencies
- The Secretary of Homeland Security can order the head of other
agencies to take "lawful actions" in response to security
Section 303: National Cybersecurity Workforce Measurement
- Requires an assessment of all Federal positions that have
Section 401: Study on Mobile Device Security
- Orders a study on the security of mobile devices of the Federal
Section 402: Department of State International Cyberspace Policy
- Orders a State Department report on threats from foreign
sources and cooperation strategies within 90 days.
Section 403: Apprehension and Prosecution of International Cyber
- The Secretary of State must consult with government officials
in countries where we don't have an extradition treaty to determine
what actions they've taken to catch "cyber criminals" with arrest
warrant issued by US judges or Interpol.
Section 404: Enhancement of Emergency Services
- Orders the National Cybersecurity and Communications
Integration Center to create a process for information sharing with
Statewide Interoperability Coordinators
Section 405: Improving Cybersecurity in the Health Care
- Requires a report that will
include a plan so that "the Federal Government and health care
industry stakeholders may in real time, share actionable cyber
threat indicators and defensive measures"
Meet the Lobbyists and Big Money Interests Pushing to End the Oil
Exports Ban by Steve Horn, DeSmogBlog, December 16, 2015.
9 Heinous Items Sneaked Into the Budget Bill Congress Doesn't Want
You to See by Tom Cahill, U.S. Uncut, December 19, 2015.
Hospitality and Gambling Interests Delay Closing of Billion-Dollar
Tax Loophole by Eric Lipton and Liz Moyer, New York Times,
December 20, 2015.
The CISA Secret to Cybersecurity that No One Seems to Get by
Mike Gault, Wired, December 20, 2015.
Music Presented in This Episode
Design by Only