113th Congress Report
HOUSE OF REPRESENTATIVES
1st Session 113-39
======================================================================
CYBER INTELLIGENCE SHARING AND PROTECTION ACT
_______
April 15, 2013.--Committed to the Committee of the Whole House on the
State of the Union and ordered to be printed
_______
Mr. Rogers of Michigan, from the Permanent Select Committee on
Intelligence, submitted the following
R E P O R T
together with
ADDITIONAL VIEWS
[To accompany H.R. 624]
[Including cost estimate of the Congressional Budget Office]
The Permanent Select Committee on Intelligence, to whom was
referred the bill (H.R. 624) to provide for the sharing of
certain cyber threat intelligence and cyber threat information
between the intelligence community and cybersecurity entities,
and for other purposes, having considered the same, report
favorably thereon with an amendment and recommend that the bill
as amended do pass.
The amendment is as follows:
Strike all after the enacting clause and insert the
following:
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Cyber Intelligence Sharing and
Protection Act''.
SEC. 2. CYBER THREAT INTELLIGENCE AND INFORMATION SHARING.
(a) In General.--Title XI of the National Security Act of 1947 (50
U.S.C. 442 et seq.) is amended by adding at the end the following new
section:
``cyber threat intelligence and information sharing
``Sec. 1104. (a) Intelligence Community Sharing of Cyber Threat
Intelligence With Private Sector and Utilities.--
``(1) In general.--The Director of National Intelligence
shall establish procedures to allow elements of the
intelligence community to share cyber threat intelligence with
private-sector entities and utilities and to encourage the
sharing of such intelligence.
``(2) Sharing and use of classified intelligence.--The
procedures established under paragraph (1) shall provide that
classified cyber threat intelligence may only be--
``(A) shared by an element of the intelligence
community with--
``(i) a certified entity; or
``(ii) a person with an appropriate security
clearance to receive such cyber threat
intelligence;
``(B) shared consistent with the need to protect the
national security of the United States; and
``(C) used by a certified entity in a manner which
protects such cyber threat intelligence from
unauthorized disclosure.
``(3) Security clearance approvals.--The Director of National
Intelligence shall issue guidelines providing that the head of
an element of the intelligence community may, as the head of
such element considers necessary to carry out this subsection--
``(A) grant a security clearance on a temporary or
permanent basis to an employee or officer of a
certified entity;
``(B) grant a security clearance on a temporary or
permanent basis to a certified entity and approval to
use appropriate facilities; and
``(C) expedite the security clearance process for a
person or entity as the head of such element considers
necessary, consistent with the need to protect the
national security of the United States.
``(4) No right or benefit.--The provision of information to a
private-sector entity or a utility under this subsection shall
not create a right or benefit to similar information by such
entity or such utility or any other private-sector entity or
utility.
``(5) Restriction on disclosure of cyber threat
intelligence.--Notwithstanding any other provision of law, a
certified entity receiving cyber threat intelligence pursuant
to this subsection shall not further disclose such cyber threat
intelligence to another entity, other than to a certified
entity or other appropriate agency or department of the Federal
Government authorized to receive such cyber threat
intelligence.
``(b) Use of Cybersecurity Systems and Sharing of Cyber Threat
Information.--
``(1) In general.--
``(A) Cybersecurity providers.--Notwithstanding any
other provision of law, a cybersecurity provider, with
the express consent of a protected entity for which
such cybersecurity provider is providing goods or
services for cybersecurity purposes, may, for
cybersecurity purposes--
``(i) use cybersecurity systems to identify
and obtain cyber threat information to protect
the rights and property of such protected
entity; and
``(ii) share such cyber threat information
with any other entity designated by such
protected entity, including, if specifically
designated, the Federal Government.
``(B) Self-protected entities.--Notwithstanding any
other provision of law, a self-protected entity may,
for cybersecurity purposes--
``(i) use cybersecurity systems to identify
and obtain cyber threat information to protect
the rights and property of such self-protected
entity; and
``(ii) share such cyber threat information
with any other entity, including the Federal
Government.
``(2) Sharing with the federal government.--
``(A) Information shared with the national
cybersecurity and communications integration center of
the department of homeland security.--Subject to the
use and protection of information requirements under
paragraph (3), the head of a department or agency of
the Federal Government receiving cyber threat
information in accordance with paragraph (1) shall
provide such cyber threat information in as close to
real time as possible to the National Cybersecurity and
Communications Integration Center of the Department of
Homeland Security.
``(B) Request to share with another department or
agency of the federal government.--An entity sharing
cyber threat information that is provided to the
National Cybersecurity and Communications Integration
Center of the Department of Homeland Security under
subparagraph (A) or paragraph (1) may request the head
of such Center to, and the head of such Center may,
provide such information in as close to real time as
possible to another department or agency of the Federal
Government.
``(3) Use and protection of information.--Cyber threat
information shared in accordance with paragraph (1)--
``(A) shall only be shared in accordance with any
restrictions placed on the sharing of such information
by the protected entity or self-protected entity
authorizing such sharing, including appropriate
anonymization or minimization of such information and
excluding limiting a department or agency of the
Federal Government from sharing such information with
another department or agency of the Federal Government
in accordance with this section;
``(B) may not be used by an entity to gain an unfair
competitive advantage to the detriment of the protected
entity or the self-protected entity authorizing the
sharing of information;
``(C) may only be used by a non-Federal recipient of
such information for a cybersecurity purpose;
``(D) if shared with the Federal Government--
``(i) shall be exempt from disclosure under
section 552 of title 5, United States Code
(commonly known as the `Freedom of Information
Act');
``(ii) shall be considered proprietary
information and shall not be disclosed to an
entity outside of the Federal Government except
as authorized by the entity sharing such
information;
``(iii) shall not be used by the Federal
Government for regulatory purposes;
``(iv) shall not be provided by the
department or agency of the Federal Government
receiving such cyber threat information to
another department or agency of the Federal
Government under paragraph (2)(A) if--
``(I) the entity providing such
information determines that the
provision of such information will
undermine the purpose for which such
information is shared; or
``(II) unless otherwise directed by
the President, the head of the
department or agency of the Federal
Government receiving such cyber threat
information determines that the
provision of such information will
undermine the purpose for which such
information is shared; and
``(v) shall be handled by the Federal
Government consistent with the need to protect
sources and methods and the national security
of the United States; and
``(E) shall be exempt from disclosure under a State,
local, or tribal law or regulation that requires public
disclosure of information by a public or quasi-public
entity.
``(4) Exemption from liability.--
``(A) Exemption.--No civil or criminal cause of
action shall lie or be maintained in Federal or State
court against a protected entity, self-protected
entity, cybersecurity provider, or an officer,
employee, or agent of a protected entity, self-
protected entity, or cybersecurity provider, acting in
good faith--
``(i) for using cybersecurity systems to
identify or obtain cyber threat information or
for sharing such information in accordance with
this section; or
``(ii) for decisions made for cybersecurity
purposes and based on cyber threat information
identified, obtained, or shared under this
section.
``(B) Lack of good faith.--For purposes of the
exemption from liability under subparagraph (A), a lack
of good faith includes, but is not limited to, any act
or omission taken with intent to injure, defraud, or
otherwise endanger any individual, government entity,
private entity, or utility.
``(5) Relationship to other laws requiring the disclosure of
information.--The submission of information under this
subsection to the Federal Government shall not satisfy or
affect--
``(A) any requirement under any other provision of
law for a person or entity to provide information to
the Federal Government; or
``(B) the applicability of other provisions of law,
including section 552 of title 5, United States Code
(commonly known as the `Freedom of Information Act'),
with respect to information required to be provided to
the Federal Government under such other provision of
law.
``(6) Rule of construction.--Nothing in this subsection shall
be construed to provide new authority to--
``(A) a cybersecurity provider to use a cybersecurity
system to identify or obtain cyber threat information
from a system or network other than a system or network
owned or operated by a protected entity for which such
cybersecurity provider is providing goods or services
for cybersecurity purposes; or
``(B) a self-protected entity to use a cybersecurity
system to identify or obtain cyber threat information
from a system or network other than a system or network
owned or operated by such self-protected entity.
``(c) Federal Government Use of Information.--
``(1) Limitation.--The Federal Government may use cyber
threat information shared with the Federal Government in
accordance with subsection (b)--
``(A) for cybersecurity purposes;
``(B) for the investigation and prosecution of
cybersecurity crimes;
``(C) for the protection of individuals from the
danger of death or serious bodily harm and the
investigation and prosecution of crimes involving such
danger of death or serious bodily harm; or
``(D) for the protection of minors from child
pornography, any risk of sexual exploitation, and
serious threats to the physical safety of minors,
including kidnapping and trafficking and the
investigation and prosecution of crimes involving child
pornography, any risk of sexual exploitation, and
serious threats to the physical safety of minors,
including kidnapping and trafficking, and any crime
referred to in section 2258A(a)(2) of title 18, United
States Code.
``(2) Affirmative search restriction.--The Federal Government
may not affirmatively search cyber threat information shared
with the Federal Government under subsection (b) for a purpose
other than a purpose referred to in paragraph (1).
``(3) Anti-tasking restriction.--Nothing in this section
shall be construed to permit the Federal Government to--
``(A) require a private-sector entity or utility to
share information with the Federal Government; or
``(B) condition the sharing of cyber threat
intelligence with a private-sector entity or utility on
the provision of cyber threat information to the
Federal Government.
``(4) Protection of sensitive personal documents.--The
Federal Government may not use the following information,
containing information that identifies a person, shared with
the Federal Government in accordance with subsection (b) unless
such information is used in accordance with the policies and
procedures established under paragraph (7):
``(A) Library circulation records.
``(B) Library patron lists.
``(C) Book sales records.
``(D) Book customer lists.
``(E) Firearms sales records.
``(F) Tax return records.
``(G) Educational records.
``(H) Medical records.
``(5) Notification of non-cyber threat information.--If a
department or agency of the Federal Government receiving
information pursuant to subsection (b)(1) determines that such
information is not cyber threat information, such department or
agency shall notify the entity or provider sharing such
information pursuant to subsection (b)(1).
``(6) Retention and use of cyber threat information.--No
department or agency of the Federal Government shall retain or
use information shared pursuant to subsection (b)(1) for any
use other than a use permitted under subsection (c)(1).
``(7) Privacy and civil liberties.--
``(A) Policies and procedures.--The Director of
National Intelligence, in consultation with the
Secretary of Homeland Security and the Attorney
General, shall establish and periodically review
policies and procedures governing the receipt,
retention, use, and disclosure of non-publicly
available cyber threat information shared with the
Federal Government in accordance with subsection
(b)(1). Such policies and procedures shall, consistent
with the need to protect systems and networks from
cyber threats and mitigate cyber threats in a timely
manner--
``(i) minimize the impact on privacy and
civil liberties;
``(ii) reasonably limit the receipt,
retention, use, and disclosure of cyber threat
information associated with specific persons
that is not necessary to protect systems or
networks from cyber threats or mitigate cyber
threats in a timely manner;
``(iii) include requirements to safeguard
non-publicly available cyber threat information
that may be used to identify specific persons
from unauthorized access or acquisition;
``(iv) protect the confidentiality of cyber
threat information associated with specific
persons to the greatest extent practicable; and
``(v) not delay or impede the flow of cyber
threat information necessary to defend against
or mitigate a cyber threat.
``(B) Submission to congress.--The Director of
National Intelligence shall, consistent with the need
to protect sources and methods, submit to Congress the
policies and procedures required under subparagraph (A)
and any updates to such policies and procedures.
``(C) Implementation.--The head of each department or
agency of the Federal Government receiving cyber threat
information shared with the Federal Government under
subsection (b)(1) shall--
``(i) implement the policies and procedures
established under subparagraph (A); and
``(ii) promptly notify the Director of
National Intelligence, the Attorney General,
and the congressional intelligence committees
of any significant violations of such policies
and procedures.
``(D) Oversight.--The Director of National
Intelligence, in consultation with the Attorney
General, the Secretary of Homeland Security, and the
Secretary of Defense, shall establish a program to
monitor and oversee compliance with the policies and
procedures established under subparagraph (A).
``(d) Federal Government Liability for Violations of Restrictions on
the Disclosure, Use, and Protection of Voluntarily Shared
Information.--
``(1) In general.--If a department or agency of the Federal
Government intentionally or willfully violates subsection
(b)(3)(D) or subsection (c) with respect to the disclosure,
use, or protection of voluntarily shared cyber threat
information shared under this section, the United States shall
be liable to a person adversely affected by such violation in
an amount equal to the sum of--
``(A) the actual damages sustained by the person as a
result of the violation or $1,000, whichever is
greater; and
``(B) the costs of the action together with
reasonable attorney fees as determined by the court.
``(2) Venue.--An action to enforce liability created under
this subsection may be brought in the district court of the
United States in--
``(A) the district in which the complainant resides;
``(B) the district in which the principal place of
business of the complainant is located;
``(C) the district in which the department or agency
of the Federal Government that disclosed the
information is located; or
``(D) the District of Columbia.
``(3) Statute of limitations.--No action shall lie under this
subsection unless such action is commenced not later than two
years after the date of the violation of subsection (b)(3)(D)
or subsection (c) that is the basis for the action.
``(4) Exclusive cause of action.--A cause of action under
this subsection shall be the exclusive means available to a
complainant seeking a remedy for a violation of subsection
(b)(3)(D) or subsection (c).
``(e) Reports on Information Sharing.--
``(1) Inspector general report.--The Inspector General of the
Intelligence Community, in consultation with the Inspector
General of the Department of Justice, the Inspector General of
the Department of Defense, and the Privacy and Civil Liberties
Oversight Board, shall annually submit to the congressional
intelligence committees a report containing a review of the use
of information shared with the Federal Government under this
section, including--
``(A) a review of the use by the Federal Government
of such information for a purpose other than a
cybersecurity purpose;
``(B) a review of the type of information shared with
the Federal Government under this section;
``(C) a review of the actions taken by the Federal
Government based on such information;
``(D) appropriate metrics to determine the impact of
the sharing of such information with the Federal
Government on privacy and civil liberties, if any;
``(E) a list of the departments or agencies receiving
such information;
``(F) a review of the sharing of such information
within the Federal Government to identify inappropriate
stovepiping of shared information; and
``(G) any recommendations of the Inspector General
for improvements or modifications to the authorities
under this section.
``(2) Privacy and civil liberties officers report.--The Civil
Liberties Protection Officer of the Office of the Director of
National Intelligence and the Chief Privacy and Civil Liberties
Officer of the Department of Justice, in consultation with the
Privacy and Civil Liberties Oversight Board, the Inspector
General of the Intelligence Community, and the senior privacy
and civil liberties officer of each department or agency of the
Federal Government that receives cyber threat information
shared with the Federal Government under this section, shall
annually and jointly submit to Congress a report assessing the
privacy and civil liberties impact of the activities conducted
by the Federal Government under this section. Such report shall
include any recommendations the Civil Liberties Protection
Officer and Chief Privacy and Civil Liberties Officer consider
appropriate to minimize or mitigate the privacy and civil
liberties impact of the sharing of cyber threat information
under this section.
``(3) Form.--Each report required under paragraph (1) or (2)
shall be submitted in unclassified form, but may include a
classified annex.
``(f) Federal Preemption.--This section supersedes any statute of a
State or political subdivision of a State that restricts or otherwise
expressly regulates an activity authorized under subsection (b).
``(g) Savings Clauses.--
``(1) Existing authorities.--Nothing in this section shall be
construed to limit any other authority to use a cybersecurity
system or to identify, obtain, or share cyber threat
intelligence or cyber threat information.
``(2) Limitation on military and intelligence community
involvement in private and public sector cybersecurity
efforts.--Nothing in this section shall be construed to provide
additional authority to, or modify an existing authority of,
the Department of Defense or the National Security Agency or
any other element of the intelligence community to control,
modify, require, or otherwise direct the cybersecurity efforts
of a private-sector entity or a component of the Federal
Government or a State, local, or tribal government.
``(3) Information sharing relationships.--Nothing in this
section shall be construed to--
``(A) limit or modify an existing information sharing
relationship;
``(B) prohibit a new information sharing
relationship;
``(C) require a new information sharing relationship
between the Federal Government and a private-sector
entity or utility;
``(D) modify the authority of a department or agency
of the Federal Government to protect sources and
methods and the national security of the United States;
or
``(E) preclude the Federal Government from requiring
an entity to report significant cyber incidents if
authorized or required to do so under another provision
of law.
``(4) Limitation on federal government use of cybersecurity
systems.--Nothing in this section shall be construed to provide
additional authority to, or modify an existing authority of,
any entity to use a cybersecurity system owned or controlled by
the Federal Government on a private-sector system or network to
protect such private-sector system or network.
``(5) No liability for non-participation.--Nothing in this
section shall be construed to subject a protected entity, self-
protected entity, cyber security provider, or an officer,
employee, or agent of a protected entity, self-protected
entity, or cybersecurity provider, to liability for choosing
not to engage in the voluntary activities authorized under this
section.
``(6) Use and retention of information.--Nothing in this
section shall be construed to authorize, or to modify any
existing authority of, a department or agency of the Federal
Government to retain or use information shared pursuant to
subsection (b)(1) for any use other than a use permitted under
subsection (c)(1).
``(h) Definitions.--In this section:
``(1) Availability.--The term `availability' means ensuring
timely and reliable access to and use of information.
``(2) Certified entity.--The term `certified entity' means a
protected entity, self-protected entity, or cybersecurity
provider that--
``(A) possesses or is eligible to obtain a security
clearance, as determined by the Director of National
Intelligence; and
``(B) is able to demonstrate to the Director of
National Intelligence that such provider or such entity
can appropriately protect classified cyber threat
intelligence.
``(3) Confidentiality.--The term `confidentiality' means
preserving authorized restrictions on access and disclosure,
including means for protecting personal privacy and proprietary
information.
``(4) Cyber threat information.--
``(A) In general.--The term `cyber threat
information' means information directly pertaining to--
``(i) a vulnerability of a system or network
of a government or private entity or utility;
``(ii) a threat to the integrity,
confidentiality, or availability of a system or
network of a government or private entity or
utility or any information stored on, processed
on, or transiting such a system or network;
``(iii) efforts to deny access to or degrade,
disrupt, or destroy a system or network of a
government or private entity or utility; or
``(iv) efforts to gain unauthorized access to
a system or network of a government or private
entity or utility, including to gain such
unauthorized access for the purpose of
exfiltrating information stored on, processed
on, or transiting a system or network of a
government or private entity or utility.
``(B) Exclusion.--Such term does not include
information pertaining to efforts to gain unauthorized
access to a system or network of a government or
private entity or utility that solely involve
violations of consumer terms of service or consumer
licensing agreements and do not otherwise constitute
unauthorized access.
``(5) Cyber threat intelligence.--
``(A) In general.--The term `cyber threat
intelligence' means intelligence in the possession of
an element of the intelligence community directly
pertaining to--
``(i) a vulnerability of a system or network
of a government or private entity or utility;
``(ii) a threat to the integrity,
confidentiality, or availability of a system or
network of a government or private entity or
utility or any information stored on, processed
on, or transiting such a system or network;
``(iii) efforts to deny access to or degrade,
disrupt, or destroy a system or network of a
government or private entity or utility; or
``(iv) efforts to gain unauthorized access to
a system or network of a government or private
entity or utility, including to gain such
unauthorized access for the purpose of
exfiltrating information stored on, processed
on, or transiting a system or network of a
government or private entity or utility.
``(B) Exclusion.--Such term does not include
intelligence pertaining to efforts to gain unauthorized
access to a system or network of a government or
private entity or utility that solely involve
violations of consumer terms of service or consumer
licensing agreements and do not otherwise constitute
unauthorized access.
``(6) Cybersecurity crime.--The term `cybersecurity crime'
means--
``(A) a crime under a Federal or State law that
involves--
``(i) efforts to deny access to or degrade,
disrupt, or destroy a system or network;
``(ii) efforts to gain unauthorized access to
a system or network; or
``(iii) efforts to exfiltrate information
from a system or network without authorization;
or
``(B) the violation of a provision of Federal law
relating to computer crimes, including a violation of
any provision of title 18, United States Code, created
or amended by the Computer Fraud and Abuse Act of 1986
(Public Law 99-474).
``(7) Cybersecurity provider.--The term `cybersecurity
provider' means a non-Federal entity that provides goods or
services intended to be used for cybersecurity purposes.
``(8) Cybersecurity purpose.--
``(A) In general.--The term `cybersecurity purpose'
means the purpose of ensuring the integrity,
confidentiality, or availability of, or safeguarding, a
system or network, including protecting a system or
network from--
``(i) a vulnerability of a system or network;
``(ii) a threat to the integrity,
confidentiality, or availability of a system or
network or any information stored on, processed
on, or transiting such a system or network;
``(iii) efforts to deny access to or degrade,
disrupt, or destroy a system or network; or
``(iv) efforts to gain unauthorized access to
a system or network, including to gain such
unauthorized access for the purpose of
exfiltrating information stored on, processed
on, or transiting a system or network.
``(B) Exclusion.--Such term does not include the
purpose of protecting a system or network from efforts
to gain unauthorized access to such system or network
that solely involve violations of consumer terms of
service or consumer licensing agreements and do not
otherwise constitute unauthorized access.
``(9) Cybersecurity system.--
``(A) In general.--The term `cybersecurity system'
means a system designed or employed to ensure the
integrity, confidentiality, or availability of, or
safeguard, a system or network, including protecting a
system or network from--
``(i) a vulnerability of a system or network;
``(ii) a threat to the integrity,
confidentiality, or availability of a system or
network or any information stored on, processed
on, or transiting such a system or network;
``(iii) efforts to deny access to or degrade,
disrupt, or destroy a system or network; or
``(iv) efforts to gain unauthorized access to
a system or network, including to gain such
unauthorized access for the purpose of
exfiltrating information stored on, processed
on, or transiting a system or network.
``(B) Exclusion.--Such term does not include a system
designed or employed to protect a system or network
from efforts to gain unauthorized access to such system
or network that solely involve violations of consumer
terms of service or consumer licensing agreements and
do not otherwise constitute unauthorized access.
``(10) Integrity.--The term `integrity' means guarding
against improper information modification or destruction,
including ensuring information nonrepudiation and authenticity.
``(11) Protected entity.--The term `protected entity' means
an entity, other than an individual, that contracts with a
cybersecurity provider for goods or services to be used for
cybersecurity purposes.
``(12) Self-protected entity.--The term `self-protected
entity' means an entity, other than an individual, that
provides goods or services for cybersecurity purposes to
itself.
``(13) Utility.--The term `utility' means an entity providing
essential services (other than law enforcement or regulatory
services), including electricity, natural gas, propane,
telecommunications, transportation, water, or wastewater
services.''.
(b) Procedures and Guidelines.--The Director of National Intelligence
shall--
(1) not later than 60 days after the date of the enactment of
this Act, establish procedures under paragraph (1) of section
1104(a) of the National Security Act of 1947, as added by
subsection (a) of this section, and issue guidelines under
paragraph (3) of such section 1104(a);
(2) in establishing such procedures and issuing such
guidelines, consult with the Secretary of Homeland Security to
ensure that such procedures and such guidelines permit the
owners and operators of critical infrastructure to receive all
appropriate cyber threat intelligence (as defined in section
1104(h)(5) of such Act, as added by subsection (a)) in the
possession of the Federal Government; and
(3) following the establishment of such procedures and the
issuance of such guidelines, expeditiously distribute such
procedures and such guidelines to appropriate departments and
agencies of the Federal Government, private-sector entities,
and utilities (as defined in section 1104(h)(13) of such Act,
as added by subsection (a)).
(c) Privacy and Civil Liberties Policies and Procedures.--Not later
than 60 days after the date of the enactment of this Act, the Director
of National Intelligence, in consultation with the Secretary of
Homeland Security and the Attorney General, shall establish the
policies and procedures required under section 1104(c)(7)(A) of the
National Security Act of 1947, as added by subsection (a) of this
section.
(d) Initial Reports.--The first reports required to be submitted
under paragraphs (1) and (2) of subsection (e) of section 1104 of the
National Security Act of 1947, as added by subsection (a) of this
section, shall be submitted not later than 1 year after the date of the
enactment of this Act.
(e) Table of Contents Amendment.--The table of contents in the first
section of the National Security Act of 1947 is amended by adding at
the end the following new item:
``Sec. 1104. Cyber threat intelligence and information sharing.''.
SEC. 3. SUNSET.
Effective on the date that is 5 years after the date of the enactment
of this Act--
(1) section 1104 of the National Security Act of 1947, as
added by section 2(a) of this Act, is repealed; and
(2) the table of contents in the first section of the
National Security Act of 1947, as amended by section 2(e) of
this Act, is amended by striking the item relating to section
1104, as added by such section 2(e).
Purpose
The purpose of H.R. 624 is to provide for the sharing of
certain cyber threat intelligence and cyber threat information
between the Intelligence Community and cybersecurity entities,
and for other purposes.
Background and Need for Legislation
112th Congress
At the beginning of the 112th Congress, the Committee,
under the direction of Chairman Rogers and Ranking Member
Ruppersberger, began a bipartisan effort to examine the issue
of cybersecurity.\1\ The goal of this effort was to better
understand the threats facing the nation in cyberspace--with
respect to both the government and in the private sector--and
to determine what the Intelligence Community could do to help
better protect the nation. The results of this review were
stunning: a number of advanced nation-state actors are actively
engaged in a series of wide-ranging, aggressive efforts to
penetrate American computer systems and networks; these efforts
extend well beyond government networks, and reach deep into
nearly every sector of the American economy, including
companies serving critical infrastructure needs.
---------------------------------------------------------------------------
\1\This effort involved a series of briefings and hearings,
including one open hearing, to inform Committee members and, where
possible, the public, about the serious national security threat posed
by nation-state actors and other adversaries in the cyber realm. These
meetings, briefings, and hearings were in turn supported by numerous
meetings and briefings conducted by Committee staff with agencies and
individuals from the Executive Branch including, among others, the
White House, the Department of Homeland Security (DHS), the Department
of Justice (DOJ), including the Federal Bureau of Investigation (FBI),
the Department of Defense (DOD), including the National Security Agency
(NSA), and with experts from the academic and think-tank communities.
The Committee staff also held numerous meetings with private sector
companies and trade groups in industries including technology,
telecommunications, financial services, utilities, aerospace, and
defense. And the Committee staff met with representatives of privacy
and civil liberties organizations including the Center for Democracy
and Technology, the American Civil Liberties Union, the Electronic
Frontier Foundation, and the CATO Institute, among others. In total,
the Committee members and staff met with dozens of organizations in
conducting its review over a seven-month period.
---------------------------------------------------------------------------
Perhaps most troubling, these efforts are targeted not only
at sensitive national security and infrastructure information
but are also often aimed at stealing corporate research and
development information that forms the very lifeblood of the
American economy. China, in particular, is engaged in an
extensive, day-in, day-out effort to pillage American
intellectual property. There can be no question that in today's
modern world, economic security is national security and the
government must help the private sector to protect itself.
The Committee's review also revealed that while the
government is already doing much to provide support and
assistance to the private sector to address this threat, in
particular through DHS and the FBI, more can and should be done
in the immediate future. In particular, the Committee
determined that the Intelligence Community is currently in
possession of tremendously valuable intelligence and strategic
insights derived from its extensive overseas intelligence
collection efforts that can and should be provided--in both
classified and unclassified form (when possible)--to the
private sector to help the owners and operators of the vast
majority of America's information infrastructure better protect
themselves. The Committee believes that the Defense Industrial
Base Opt-in Pilot project (``DIB Pilot''), which has now
transitioned to the DIB Enhanced Cybersecurity Services (DECS)
program, is a good model for demonstrating how sensitive
government threat intelligence can be shared with the private
sector in an operationally usable manner. Under the DECS, the
government provides classified threat intelligence to key
Internet Service Providers, who use the information to protect
a limited number of companies in the defense industrial base,
all on a voluntary basis. This program is being expanded to
non-DIB American companies under the DECS program, although the
effort's progress has been slow. The Committee believes that
the clear legal authorities in this bill could have eliminated
much of that delay.
The Committee's review also determined that while much
cybersecurity monitoring and threat information sharing takes
place today within the private sector, real and perceived legal
barriers to such efforts substantially hamper the efforts of
even those in the private sector with the best of intentions.
The Committee determined that these issues are best resolved by
providing clear, positive authority to permit the monitoring--
by the private sector--of privately-owned and operated networks
and systems for the purpose of detecting and mitigating
cybersecurity threats and to permit the voluntary sharing of
information about those threats and vulnerabilities with
others, including entities within the private sector and with
the federal government.
While some have suggested that the private sector needs
more regulation or that the government should directly help
defend certain portions of the private sector, the Committee's
view is that the protection of the private sector is best left
in private hands and before reaching for a regulatory
``stick'', the government should provide as much intelligence
as possible, in usable form, to better enable voluntary private
sector efforts. In the view of the Committee, such an
approach--voluntary, private sector defense of private sector
systems and networks informed by government intelligence
information--best protects individual privacy and takes
advantage of the natural incentives built into our economic
system, including harnessing private sector drive and
innovation.
The Committee's review revealed that America's cyber
infrastructure is distressingly vulnerable to espionage and
attacks by nation-states and others with advanced capabilities.
113th Congress
The Committee has continued its oversight of the advanced
cyber threats facing the nation, as well as the ongoing efforts
to protect our nation and our economy from these dangerous
threats. The Committee focused in particular on the state of
cyber threat information sharing between the U.S. government
and private sector, as well as cyber information sharing within
the private sector. The threat from advanced nation state cyber
actors, like China and Iran, has only grown since the Committee
first began its review in the 112th Congress. As the Committee
continued its work in the 113th Congress a series of high
profile press revelations concerning Chinese government cyber
economic espionage directed against American companies and
institutions, including major newspapers, added impetus to our
work. Further emphasis was added by press revelations of state-
sponsored cyber distributed denial of service (DDoS) attacks
against major American financial institutions.
The Committee believes that immediate and serious action is
necessary to staunch the bleeding of American intellectual
capital and to better protect our national security. In
particular, the Committee believes that the Intelligence
Community must take immediate and decisive action to provide
intelligence to the private sector to help it better protect
itself. In turn, the private sector must act aggressively to
better monitor its own systems and to share information--both
within the private sector and with the federal government. The
Committee recognizes that because it focused on the issues
within its jurisdiction, this legislation does not address many
of the other issues facing the nation with respect to
cybersecurity. At the same time, however, the Committee firmly
believes that this legislation is an important first step in
the effort to better protect the nation from advanced cyber
threat actors.
Evolution of Legislation
Following Committee consideration of H.R. 3523 in the 112th
Congress, several improvements and changes were made to the
legislation. Many of those changes were an attempt to address
perceived privacy and civil liberties deficiencies and are
detailed below. The bill passed the House of Representatives in
April 2012 by a wide bipartisan vote of 248-168. However,
neither it nor a companion bill moved in the Senate before the
112th Congress ended. Since that time, the Committee has
maintained an open dialogue with the Administration, Members of
Congress and private sector entities, and has actively sought
to discuss constructive changes to the language in H.R. 624
that would help allay privacy fears without compromising the
purpose of the bill.
On February 13, 2013, Chairman Rogers and Ranking Member
Ruppersberger introduced H.R. 624 in the same form H.R. 3523
passed the House during the 112th Congress. That bill included
the various changes to the language that were adopted in an
attempt to address privacy and civil liberties concerns and
served as a starting point for additional modifications and
improvements in the 113th Congress.
Following introduction, the Committee held an open hearing
on February 14, 2013 to examine advanced cyber threats facing
our nation. The witnesses for the hearing were Governor John
Engler, the former three-term governor of Michigan and
currently the President of the Business Roundtable; Mr. Ken
DeFontes, the President and CEO of Baltimore Gas & Electric;
Mr. Paul Smocer, the President of BITS, the technology policy
division of the Financial Services Roundtable; and Mr. Kevin
Mandia, the CEO of MANDIANT Corporation. The hearing largely
focused on the state of cyber threat information sharing
between the U.S. government and private sector, as well as
cyber information sharing within the private sector.
The Committee considered and favorably reported H.R. 624 on
April 10, 2013 with amendments by a bipartisan vote of 18-2.
Many of the amendments were based on further dialogue with the
private sector, the Administration, and privacy and civil
liberties advocates. As discussed below, the most notable
amendments to the bill during Committee consideration were
designed to further clarify the authorities in response to
privacy and civil liberties concerns.
Privacy and Civil Liberties
The Committee has made changes to this legislation at every
step in the process starting prior to introduction in the 112th
Congress through the Committee markup in the 113th Congress to
address privacy and civil liberties concerns. The following
illustrates extensive changes made to address privacy and civil
liberties concerns the bill has undergone since the Committee
last favorably reported the bill.
112th Congress
1. Changes to the definitions.--The definitions for several
key provisions in the bill were modified and more narrowly
crafted to ensure that the legislation works to permit the
sharing of the types of information necessary to detect and
protect against the cyber threat and to remain adaptable to new
technology and new intrusion methods over time.
2. Limits on Government Use.--Throughout the process, the
Government's use of information shared by the private sector has
been an issue of concern for some, and it is an area that has
been repeatedly clarified in a way that does not impede the
Government's use of cyber threat information to address the
cyber threat.
3. IG Provision.--A provision was added that requires the
Intelligence Community Inspector General to conduct a review of
activities authorized under the bill and provide a report to
Congress.
4. Federal Government Liability.--A private right of action
against the Federal Government was added to the bill to provide
federal liability for intentional or willful violations of the
use or information protection provisions, including damages and
costs.
5. Government minimization procedures.--The bill was
originally silent on government minimization, but a floor
amendment during the 112th Congress provided the authority for
the Federal Government to adopt minimization procedures, but
did not require such.
113th Congress
During Committee consideration of H.R. 624 several
provisions were added to further clarify the existing language
and add adopted language in response to privacy and civil
liberties concerns raised with the Committee.
1. Government Minimization.--Mr. Himes offered and the
Committee adopted an amendment that would require the
government to establish procedures that minimize the impact on
privacy and civil liberties and reasonably limit the receipt,
retention, use and disclosure of cyber threat information
associated with specific persons that is not necessary to
protect systems or networks from cyber threats in a timely
manner. The procedures include requirements to safeguard from
unauthorized access, and to protect the confidentiality of,
non-publicly available cyber threat information that could be
used to identify specific persons. Importantly,
however, the procedures must be designed in a way so as not to
delay or impede the flow of cyber threat information necessary
to defend against a cyber threat. It is critical that the
correct balance be struck between creating procedures that
protect any personally identifying information and ensuring
that cyber threat information critical to securing our networks
from cyber intrusion can move in as close to real time as
possible to and between federal agencies. The amendment also
included provisions designed to oversee and report compliance
with the procedures.
2. National Security Purpose.--Ms. Sewell offered and the
Committee adopted an amendment that would strike the ``national
security purpose'' use from the list of five permissible uses
of shared cyberthreat information by the Federal Government.
When CISPA was considered on the House Floor during the 112th
Congress, language was adopted that limited the Federal
Government's use of cyberthreat information shared by the
private sector under the bill to five areas: (1) cybersecurity
purposes; (2) investigation and prosecution of cybersecurity
crimes; (3) the protection of individuals from bodily harm; (4)
the protection of minors from child pornography and
exploitation; and (5) to protect the national security of the
United States. The ``national security use'' restriction was
created to give the government flexibility moving forward and
ensure the bill remained technology neutral. However, many
opponents of the bill interpreted this as an avenue for the
Federal Government to do anything it wanted with information
received under the guise of national security. The Committee
strongly disagrees with both this interpretation of the bill
and the insinuation that the Federal Government would use
``national security'' as a catch-all for otherwise
impermissible uses of information.
Given the concerns, however, the Committee voted to remove
the ``national security purpose'' use in the interest of moving
the core, critical authorities provided in the legislation
forward. We recognize that this may mean that the authorities
have to be revisited sooner than they might have before, but in
the interest of moving forward adopted the amendment.
3. Limitation on Private Sector Use.--Mr. Heck and Mr.
Himes offered and the Committee adopted an amendment that would
limit the use of cyberthreat information shared with and in the
private sector by the recipients of such information to
``cybersecurity purposes.'' It is and has been the intent of
the Committee that the information shared under these
authorities could be used by the private sector to better
secure their networks. However, in response to concerns about
the private sector selling consumer information for marketing
purposes and other non-cybersecurity purposes, this amendment
was adopted to clarify this point in the text of the
legislation.
4. Oversight and Reporting.--Mr. Thompson offered and the
Committee adopted an amendment that would enhance the
Intelligence Community Inspector General review and reporting
requirement already contained in the bill by adding a
requirement to consult with the DOD and DOJ Inspectors General,
as well as the Privacy and Civil Liberties Oversight Board
(PCLOB). It would also add a new report by senior privacy and
civil liberties officers. Mr. Thompson's amendment will provide
even more oversight and accountability within the federal
government, for the activities authorized under this bill. The
Committee is mindful of the reporting burden on the
Intelligence Community, but also recognizes the concern with
ensuring the government is appropriately handling and using
cyberthreat information obtained under this legislation.
Committee Consideration and Rollcall Votes
On April 10, 2013, the Committee met in open and closed
session and ordered the bill H.R. 624 favorably reported, as
amended.
OPEN SESSION
In open session, the Committee considered the text of the
bill H.R. 624.
Chairman Rogers offered an amendment. The amendment
clarified limitations that could be placed on information
shared with the Federal Government, requires sharing within the
Federal Government in as close to real time as possible,
clarifies that this legislation does not affect other
requirements in law to report cyber incidents, and made various
technical changes. The amendment also provided clarification to
the legislation's liability protection provision. Mr. Schiff
offered a modification to the amendment, which was agreed to by
unanimous consent. The amendment, as modified, was agreed to by
voice vote.
Mr. Thompson offered an amendment, which amended a
provision requiring an annual report by the Inspector General
of the Intelligence Community (ICIG) reviewing the use of cyber
threat information provided to the government pursuant to the
bill. It required the ICIG to consult with the Inspectors
General of the Justice and Defense Departments, as well as the
Privacy and Civil Liberties Oversight Board. Additionally, the
amendment creates a new review and report by senior privacy and
civil liberties officers. The amendment was agreed to by voice
vote.
Mr. Langevin offered an amendment that would make clear
that none of the authorities in the bill could be construed to
permit a cybersecurity provider or self protected entity to
``hack back'' into others' systems under the authority to
identify and obtain cyberthreats on its own systems or the
systems it is operating on with consent. The amendment was agreed
to by voice vote.
Mr. Heck offered an amendment on behalf of himself and Mr.
Himes. The amendment would limit the private sector's use of
cyber threat information received under the authorities in the
bill to cybersecurity purposes. The amendment was agreed to by
voice vote.
Mr. Himes offered an amendment that would require the
government to establish procedures governing the receipt,
retention, use and disclosure of non-publicly available cyber
threat information shared with the Federal Government. It would
also require the Director of National Intelligence to establish
a program to monitor and report compliance with the procedures.
The amendment was agreed to by voice vote.
Ms. Sewell offered an amendment that would strike
``national security purpose'' from the enumerated list of
permissible government uses under (c)(1). There was a motion to
conduct a portion of debate in closed session, which was agreed
to by recorded vote of 21 ayes to 0 noes.
Voting Aye: Mr. Rogers (Chairman), Mr. Thornberry, Mr.
Miller, Mr. Conaway, Mr. King, Mr. LoBiondo, Mr. Nunes,
Mr. Westmoreland, Mrs. Bachmann, Mr. Rooney, Mr. Heck,
Mr. Pompeo, Mr. Ruppersberger, Mr. Thompson, Ms.
Schakowsky, Mr. Langevin, Mr. Schiff, Mr. Gutierrez,
Mr. Pastor, Mr. Himes, Ms. Sewell.
Voting No: None.
The Committee returned to open session. The amendment was
agreed to by voice vote.
Ms. Schakowsky offered an amendment that would remove the
Department of Defense, the National Security Agency, the Army,
the Navy, the Air Force, the Marine Corps and the Coast Guard
from the term ``Federal Government'' as set forth in
(b)(1)(B)(ii). The amendment was not agreed to by a vote of 14
noes to 5 ayes.
Voting Aye: Ms. Schakowsky, Mr. Schiff, Mr. Pastor, Mr.
Himes, Ms. Sewell.
Voting No: Mr. Rogers (Chairman), Mr. Miller, Mr.
Conaway, Mr. King, Mr. LoBiondo, Mr. Nunes, Mr.
Westmoreland, Mrs. Bachmann, Mr. Rooney, Mr. Heck, Mr.
Pompeo, Mr. Ruppersberger, Mr. Thompson, Mr. Langevin.
Ms. Schakowsky offered an amendment that would require the
President to designate an officer who shall establish policies
and procedures governing the retention, use, and disclosure of
communications, records, system traffic, or other information
associated with specific persons by officers, employees and
agents of the Federal Government in accordance with this
section, and would establish annual reviews of such. The
amendment was not agreed to by a vote of 16 noes to 3 ayes.
Voting Aye: Ms. Schakowsky, Mr. Schiff, Mr. Pastor.
Voting No: Mr. Rogers (Chairman), Mr. Miller, Mr.
Conaway, Mr. King, Mr. LoBiondo, Mr. Nunes, Mr.
Westmoreland, Mrs. Bachmann, Mr. Rooney, Mr. Heck, Mr.
Pompeo, Mr. Ruppersberger, Mr. Thompson, Mr. Langevin,
Mr. Himes, Ms. Sewell.
Ms. Schakowsky offered an amendment that would amend the
Exemption from Liability provision in (b)(4). The amendment was
not agreed to by a vote of 16 noes to 4 ayes.
Voting Aye: Ms. Schakowsky, Mr. Schiff, Mr. Pastor, Mr.
Himes.
Voting No: Mr. Rogers (Chairman), Mr. Thornberry, Mr.
Miller, Mr. Conaway, Mr. King, Mr. LoBiondo, Mr. Nunes,
Mr. Westmoreland, Mrs. Bachmann, Mr. Rooney, Mr. Heck,
Mr. Pompeo, Mr. Ruppersberger, Mr. Thompson, Mr.
Langevin, Ms. Sewell.
Mr. Schiff offered an amendment that would require the
private sector to take reasonable efforts to remove any
information that could identify a specific person from cyber
threat information shared. The amendment was not agreed to by a
vote of 16 noes to 4 ayes.
Voting Aye: Ms. Schakowsky, Mr. Schiff, Mr. Pastor, Mr.
Himes.
Voting No: Mr. Rogers (Chairman), Mr. Thornberry, Mr.
Miller, Mr. Conaway, Mr. King, Mr. LoBiondo, Mr. Nunes,
Mr. Westmoreland, Mrs. Bachmann, Mr. Rooney, Mr. Heck,
Mr. Pompeo, Mr. Ruppersberger, Mr. Thompson, Mr.
Langevin, Ms. Sewell.
The Committee then adopted a motion by the Chairman to
favorably report the bill H.R. 624 to the House, as amended.
The motion was agreed to by a record vote of 18 ayes to 2 noes:
Voting Aye: Mr. Rogers (Chairman), Mr. Thornberry, Mr.
Miller, Mr. Conaway, Mr. King, Mr. LoBiondo, Mr. Nunes,
Mr. Westmoreland, Mrs. Bachmann, Mr. Rooney, Mr. Heck,
Mr. Pompeo, Mr. Ruppersberger, Mr. Thompson, Mr.
Langevin, Mr. Pastor, Mr. Himes, Ms. Sewell.
Voting No: Ms. Schakowsky and Mr. Schiff.
Section-by-Section Analysis and Explanation
SECTION 1. SHORT TITLE
The short title of the Act is the Cyber Intelligence
Sharing and Protection Act.
SECTION 2. CYBER THREAT INTELLIGENCE AND INFORMATION SHARING
Section 2(a): In General
This subsection of the Act amends Title XI of the National
Security Act of 1947 by adding a new section, Section 1104.
Section 1104(a) of Title 50: Intelligence Community Sharing of Cyber
Threat Intelligence with Private Sector
Subsection (a) of new Section 1104 provides for the sharing
of cyber threat intelligence--both classified and
unclassified--by elements of the Intelligence Community with
entities in the private sector. It is the view of the Committee
that the routine and fulsome sharing of such intelligence
information with appropriate cleared entities and individuals
within the private sector is critically important to protecting
the nation from advanced cyber threats. It is critical that as
much information as possible be shared at machine-speed, in
real-time, and in a manner that the information--whether
classified or not--is operationally usable by entities within
the private sector.
This subsection seeks to set forth a general framework and
requires the establishment of specific procedures and
guidelines to make such sharing happen in the immediate future
and to make it continue so long as the nation faces this
significant threat to our national security. The Committee
intends to engage in vigorous oversight of the Intelligence
Community use of the authorities under this section and, in
particular, the Office of the Director of National Intelligence
(ODNI), which is charged with promulgating appropriate
procedures and guidelines under this subsection. The Committee
expects to be consulted by ODNI in the formulation of these
guidelines to ensure that the Committee's intent is achieved by
them.
While the term ``private sector'' is not defined in the
legislation, the Committee intends that term to be given the
broadest possible meaning and specifically intends the term to
include utilities, whether organized as public, private, or
quasi-public entities, to ensure that the entities that provide
Americans with access to power, water, gas, and other critical
services are also provided with access to critical federal
government intelligence regarding cyber threats.
In addition, the Committee expects that private sector
entities receiving classified intelligence pursuant to this
subsection will use this information not only to protect their
own systems and networks, but also, where they find appropriate
as a business matter, to sell cybersecurity goods and services
appropriately incorporating this information to protect other
corporate customers.
Paragraph 1: In General
Paragraph (1) of subsection (a) requires the Director of
National Intelligence to establish procedures to allow
Intelligence Community elements to share cyber threat
intelligence with the private sector and to encourage the
sharing of such intelligence. The Committee intends the DNI's
procedures to create a sea change in the current intelligence
sharing practices of the Intelligence Community with respect to
the private sector.
First, the DNI's procedures should ensure that as much
cyber threat intelligence as possible is downgraded to the
lowest classification level possible, including
declassification where appropriate, and made available to as
broad an audience in the private sector as possible, consistent
with the need to protect the national security.
Second, the DNI's procedures should ensure that cyber
threat intelligence, including classified information, is
routinely and consistently provided out to entities and
individuals in the private sector with the appropriate
clearances.
Paragraph 2: Sharing and Use of Classified Intelligence
Paragraph (2) of subsection (a) requires that the DNI's
procedures with respect to classified cyber threat intelligence
require that classified information only be shared with
certified entities, as defined by the legislation, or with
individuals who possess appropriate security clearances.
Certified entities are cybersecurity providers, protected
entities, or self-protected entities that possess or are
eligible to obtain a security clearance and can demonstrate to
the Director of National Intelligence that they are able to
appropriately protect such classified cyber threat
intelligence.
Paragraph (2) also requires that the DNI's procedures
provide that the sharing of classified cyber threat
intelligence be consistent with the need to protect national
security, which as noted above, includes the protection of the
nation's economic security. As such, the legislation makes
clear that the Intelligence Community can and should provide
classified information to the private sector to enable American
industry to protect itself from the theft of the intellectual
property that is at the heart of our economic system.
Finally, paragraph (2) requires that the DNI's procedures
provide that classified cyber threat intelligence only be used
by certified entities in a manner that protects the classified
information from unauthorized disclosure. This provision
ensures that when certified entities employ classified
intelligence to protect unclassified systems or networks, they
do so in a way that does not reveal classified information
directly or indirectly.
The Committee expects that the DNI's procedures will be
flexible in nature and will take account of private sector
innovation and incorporate current and future information
sharing and security best practices. As a result, the Committee
expects the DNI to work closely with the private sector to
establish these procedures, to work with the private sector to
meet the requirements of the procedures, and to ensure that
these procedures result in the routine and consistent sharing
of operationally-usable cyber threat intelligence. The
Committee also expects the DNI to review and revise these
procedures on a regular basis, at least annually, and to
conduct such review in cooperation with the private sector, as
well as to account for new technologies and cyber defense
techniques developed by the private sector in each set of
revised procedures. The DNI should also strongly consider the
establishment of a private-sector advisory committee composed
of senior executives at key private companies to advise on
these procedures on a regular basis.
Paragraph 3: Security Clearance Approvals
Paragraph (3) requires the DNI to issue guidelines allowing
the head of Intelligence Community elements to grant temporary
or permanent security clearances to certified entities and
their employees and officers (including non-employee officers
such as board members) in order to allow the government to
share classified cyber security threat intelligence with those
certified entities. The Committee's intent is that the
Intelligence Community grant security clearances to entities
that are involved in protecting their own and their corporate
customers' networks from cyber threats and that the
Intelligence Community share cyber threat intelligence to
protect the nation from advanced cyber threat actors. In
particular, the Committee wishes to ensure that the private
sector be able to receive highly classified cyber threat
intelligence, including at the Top Secret/Sensitive
Compartmented Information level, as appropriate to protect
national security, and is concerned that certain industries and
entities may currently lack sufficient clearances at the
appropriate level.
Paragraph (3) also requires the DNI's guidelines to allow
Intelligence Community elements to grant approval for the use
of appropriate facilities and to expedite security clearances
as necessary, consistent with the need to protect national
security. The Committee's intent is that the approval process
for the granting of security clearances and the use of
facilities for the handling of classified information be
expedited and broadened by these provisions.
Because additional security clearances or facility
approvals may be necessary to effectuate the goals of this
legislation, it is further the Committee's intent that the cost
for these security clearances and facility approvals, as well
as the underlying investigations and adjudications necessary to
obtain and maintain them, be fully borne by the private sector.
As noted above, it is the Committee's intent that private
sector entities that become certified entities will be able to
better protect themselves, as well as to sell cybersecurity
goods and services appropriately incorporating this information
to protect other corporate customers in the private sector. It
is therefore the Committee's view that these entities should
bear the full cost of obtaining access to the valuable cyber
threat intelligence the government will provide under the
legislation to certified entities. The Committee therefore
expects that the DNI's guidelines authorized by the legislation
will provide for full payment of such costs by the private
sector entity obtaining the security clearances or facility
approvals.
Paragraph 4: No Right or Benefit
Paragraph (4) makes clear that while the Committee expects
the Intelligence Community to work with private sector entities
to help them meet the requirements to serve as a certified
entity, no private sector entity is entitled to receive cyber
threat intelligence from the government and that no right or
benefit to cyber threat intelligence is created by the
provision of such intelligence to a particular private sector
entity or group of entities.
Paragraph (5) places a restriction on further disclosure of
cyber threat intelligence received from the Federal Government
by a certified entity other than by another certified entity or
other appropriate agency or department of the Federal
Government authorized to receive such cyber threat
intelligence.
Section 1104(b) of Title 50: Private Sector Use of Cybersecurity
Systems and Sharing of Cyber Threat Information
Subsection (b) of new Section 1104 provides clear, positive
authority, notwithstanding any other provision of law, to
private sector entities to monitor their own systems and
networks or those of their corporate customers through the use
of cybersecurity systems to identify and obtain cyber threat
information, and to mitigate threats or vulnerabilities to
their own systems or networks or those of their corporate
customers. The Committee intends the notwithstanding clauses
contained in subsection (b), as applied to this authority, to
have the effect of removing any prohibition, real or perceived,
to the monitoring, for cybersecurity purposes, of private
sector systems and networks by the private sector entities that
own the systems or networks or by security services contracted
by the system or network owner to protect those networks and
systems. Potential barriers to such cybersecurity monitoring
include federal laws governing electronic surveillance, such as
the Foreign Intelligence Surveillance Act of 1978 and various
provisions of the federal criminal code, among others.
Subsection (b) also provides clear, positive authority,
notwithstanding any other provision of law, for the private
sector to share cyber threat information identified and
obtained through such cybersecurity monitoring with other
entities within the private sector, as well as with the Federal
Government on a purely voluntary basis, at the discretion of
the private sector entities whose systems or networks are being
protected. The Committee intends the notwithstanding clauses
contained in subsection (b), as applied to this authority, to
have the effect of removing any prohibition, real or perceived,
to the sharing of cyber threat information within the private
sector, as well as with the Federal Government. Potential
barriers to such sharing absent such positive authority
include, but are not limited to, provisions of federal
antitrust law, which some believe may limit sharing of cyber
threat information between competitors in the private sector,
as well as provisions of the surveillance laws mentioned above,
as well as certain provisions of federal telecommunications and
privacy laws. The provision is not intended to authorize the
unlawful fixing of prices or other prohibited activities, but
is intended to permit robust sharing of information amongst
private sector entities.
The Committee notes that the protections related to the
authorities provided in this section are fairly robust, even
standing alone. First, as noted below, only cyber threat
information--that is, information about a threat to, or
vulnerability of, government or private systems or networks--may
be identified, obtained, or shared. And any such monitoring or
sharing may only take place for cybersecurity purposes. And
finally, the liability protection provided in this subsection
only applies when an entity is acting in good faith. These
provisions, taken together and building on top of one another,
in the Committee's view, are a strong step towards protecting
the privacy and civil liberties of Americans.
Paragraph 1: In General
Paragraph (1) of subsection (b) provides the twin
authorities discussed above to cybersecurity providers, who
provide goods and services to their corporate customers for
cybersecurity purposes and to self-protected entities, who
provide such cybersecurity goods and services for themselves.
In providing these authorities, the legislation makes clear
that the monitoring and sharing of information either by a
cybersecurity provider or a self-protected entity may only take
place for cybersecurity purposes, a defined term that, as
discussed below, limits the identification, obtaining, and
sharing of cyber threat information to the protection of
private or government systems or networks from threats to, or
vulnerabilities of, those systems or networks. Similarly, the
identification and obtaining of cyber threat information by a
provider or a self-protected entity may only take place as part
of an effort to protect the rights and properties of the
provider's corporate customer or the self-protected entity
itself, as the case may be. In this context, it is the
Committee's intent that the protection of the rights and
property of a corporate entity includes, but is not limited to,
the protection of the systems and networks that make up its own
corporate internal and external information systems but also
the systems and networks over which it provides services to its
customers. For example, the Committee expects that an internet
service provider or telecommunications company may seek to
protect not only its own corporate networks but also the
backbone communications systems and networks over which it
provides services to its customers. Similarly, for example, the
Committee expects that a utility may seek not only to protect
its corporate network but may seek to protect the systems and
networks over which it provides electricity, water, or gas
services to its customers. The Committee specifically intends
the authorities provided in subsection (b) to permit private
sector entities to protect such systems and networks broadly.
Paragraph (1) also requires that a cybersecurity provider
obtain the express consent, whether in writing, electronically,
orally, or otherwise, of its corporate customer before
conducting any cybersecurity monitoring or sharing under these
authorities. It is the Committee's intent that express consent
may be provided on a going-forward basis by a corporate
customer to a provider for a specified period of time, to be
determined by the corporate customer.
In addition, paragraph (1) makes clear that the sharing of
information either by a cybersecurity provider or a self-
protected entity is to be purely voluntary and at the
discretion of the entity whose systems or networks are being
protected. Moreover, the legislation requires that where a
provider is doing the sharing on behalf of a corporate
customer, the customer must designate the entities or group of
entities it wishes to share information with, and that it must
specifically designate the Federal Government if it wishes to
share information with the government.
It is the Committee's expectation that many entities will
be able to take advantage of the authorities provided in
paragraph (1) when acting both as a cybersecurity provider and
as a self-protected entity. For example, an entity such as an
internet service provider may act as a cybersecurity provider
when providing managed security services to a corporate
customer and may simultaneously be acting as a self-protected
entity when protecting its own corporate systems and networks
as well as the systems and networks over which it provides
services to its customers. The Committee's intent is that
private sector entities will be able to simultaneously take
advantage of multiple authorities provided within the
legislation.
Paragraph 2: Sharing with the Federal Government
Paragraph (2)(A) requires the head of a department or
agency of the Federal Government receiving cyber threat
information under paragraph (1) to share that information with
the National Cybersecurity and Communications Integration
Center (NCCIC) of the Department of Homeland Security in as
close to real time as possible. Paragraph 2 further authorizes
an entity who is sharing information with NCCIC to request that
information be provided to another federal agency or department
and permits the head of NCCIC to do so in as close to real time
as possible.
It is the Committee's expectation that the requirement to
share cyber threat information in as close to real time as
possible will mean in practice that agencies will automate the
transfer of information between agencies to the greatest extent
possible and that information will be provided in a form that
is usable by the consumers of the information. To the extent
that automation is not possible or practical, the agencies will
adopt and maintain a rules-based system that minimizes the
number of interventions or decisions necessary before
information is shared.
Paragraph 3: Use and Protection of Information
Paragraph (3) of subsection (b) provides protections to
promote the robust sharing of cyber threat information both
within the private sector as well as from the private sector to
the government.
Paragraph (3) provides that cyber threat information shared
pursuant to paragraph (1) may only be shared in accordance with
restrictions placed upon such sharing by the protected entity
or the self-protected entity whose systems and networks are
being protected and who therefore authorized the sharing.
Paragraph (3) further provides that these restrictions may
include the appropriate anonymization or minimization as
determined by the protected entity or self-protected entity
authorizing the sharing, but may not limit which federal agency
receives the information once shared with the Federal
Government. The Committee's intent is that through paragraphs
(1), (2) and (3), a private sector entity choosing to share
cyber threat information under these provisions may decide
which government agency it provides the information to, and
whether the information it shares is anonymized or minimized.
Paragraph (3) also provides that information shared
pursuant to paragraph (1) may not be used by a receiving entity
to gain an unfair competitive advantage to the detriment of the
entity sharing the information. The Committee understands that
cybersecurity is enhanced by robust threat information sharing
within the private sector, both amongst partners and
competitors, without fear that a competitor will use the cyber
threat or vulnerability information to unfairly obtain a
competitive advantage--such as greater market share--rather
than simply to protect itself. The situation the Committee
intends this provision to address is best demonstrated by an
example: Company A shares information about a cyber
vulnerability in one of its products with Company B, a
competitor in the same marketplace; Company B the next day puts
out an advertisement saying, ``Don't buy Company A's product
because it has the following vulnerability . . . instead, buy
our product which doesn't have the same vulnerabilities.'' This
provision is not intended to prevent any company from obtaining
a fair competitive advantage by, for example, using the shared
information to build a better, more secure product that can be
marketed without reference to the vulnerability shared by the
particular entity. In addition, the Committee wishes to note
that the provision is not accompanied by any private or public
cause of action and thus may only be enforced by a private
party choosing to limit or completely curtail sharing of cyber
threat information with a bad actor (as well as encouraging
others to do so also).
Paragraph (3) further provides that cyber threat
information voluntarily shared with the Federal Government
pursuant to paragraph (1) shall be exempt from disclosure under
the Freedom of Information Act, shall be considered proprietary
information, shall not be disclosed by the Federal Government
to an entity outside the Federal Government except as
authorized by the entity sharing the information, and shall not
be used by the Federal Government for regulatory purposes. The
Committee intends this provision to address the key concerns
expressed by the private sector regarding the sharing of their
sensitive information with the federal government: first, that
the government might expose its most sensitive threat and
vulnerability information to a wide audience by releasing the
information, thereby providing a roadmap for attacks by cyber
threat actors; second, that the government might take the
information provided by the private sector and use it to
regulate or impose sanctions upon them.
The Committee determined that the best way to address these
concerns and incentivize the sharing of cyber threat
information with the government was to explicitly and clearly
protect the information from being disclosed, to require the
government to carefully protect the information, and finally,
to prohibit information provided through this cybersecurity
channel from being used by the government for regulatory
purposes. The Committee was cognizant of the fact that cyber
threat information provided to the government under these
authorities might also be required to be provided by certain
private sector entities to their regulators and therefore
provided elsewhere in the legislation that the mere
classification of the information as cyber threat information
or its provision to the government under this mechanism does
not satisfy those regulatory requirements nor override any
appropriate regulation that may take place based on the
provision of such information to the government through other
channels. Rather, the limitation on regulatory action was
designed by the Committee to provide a safe harbor where
private sector entities could provide real-time cyber threat
information to the government without fear that that particular
information would be used to regulate them directly.
Paragraph 3 also provides that such information shall not
be provided by the receiving agency of the Federal Government
to another if the head of the receiving agency or the entity
providing the information determines it will undermine the
purpose of the sharing. It also provides that such information
shall be handled by the government consistent with the need to
protect sources and methods and the national security.
Paragraph 4: Exemption from Liability
Paragraph (4) provides a bar to civil or criminal causes of
action being brought or maintained in federal or state court
against an entity or its officers, employees, or agents acting
in good faith to use cybersecurity systems for monitoring to
identify and obtain cyber threat information in accordance with
the provisions of the legislation. The Committee's intent is to
provide strong liability protection for private sector entities
when they act to take advantage of the authorities provided
under paragraph (1) of subsection (b) to do what the statute
seeks to encourage them to do: robustly monitor their own
systems and networks and those of their corporate customers and
share information about threats and vulnerabilities to better
protect their systems. Specifically, the Committee intends that
civil or criminal actions based on the use of cybersecurity
systems to monitor systems or networks to identify and obtain
cyber threat information using the authorities of this statute
shall be dismissed immediately by the courts and prior to
significant discovery and extensive motion practice.
Paragraph (4) also provides an identical bar to actions
against such entities acting in good faith for decisions made
for cybersecurity purposes based on cyber threat information
identified, obtained or shared under this section. The
Committee believes that if information sharing does become
truly robust, the amount of cyber threat information and the
speed with which such information will be shared will make it
nearly impossible to always protect against every threat in
real-time and, as such, private sector entities ought not be
held liable for such actions. Similarly, the Committee
recognizes that particular entities may engage in a cost-
benefit analysis with respect to implementing protections
against particular threats and the Committee intends this
provision to help ensure that a private sector entity making
such a judgment not be held liable for making such reasonable
determinations.
At the same time, the Committee was fully cognizant of the
concern that it not create a moral hazard by providing too
broad a liability protection provision and that it not
incentivize bad acts. As a result, Paragraph (4) requires that
the entity be acting in good faith to obtain the benefits of
this liability protection. Therefore, the Committee included an
amendment during markup which is intended to construe the scope
of the liability provision. It makes clear that certain acts or
omissions taken with intent to injure, defraud, or otherwise
endanger an individual, government or private entity or utility
would not receive protection from liability. That is, where an
entity acts in bad faith, it does not receive the benefit of
the strong liability protection provided by the legislation. Of
course, where an entity is seeking to take advantage of
specific statutory authority provided by Congress and where
Congress is seeking to incentivize cybersecurity activities, as
with government action taken pursuant to statutory authority
and the presumption of regularity that attaches to such
actions, the Committee expects that good faith will be presumed
in the absence of substantial evidence to the contrary.
Paragraph 5: Relationship to Other Laws Requiring the
Disclosure of Information
Paragraph (5)(A) provides that the provision of cyber
threat information to the government under the voluntary system
established by this statute does not satisfy or affect any
requirement under other provisions of law to provide
information to the Federal Government. As noted briefly
earlier, the Committee intends this provision to ensure that
while information provided to the government under this
legislation is protected from use by the government for
regulatory purposes, that information otherwise required to be
provided to the government must still be provided and that such
information--required by other law to be provided to the
government--may still be used for all lawful purposes,
including, as required by law, for regulatory purposes.
Paragraph (5)(B) provides that provision of cyber threat
information to the government under these authorities would
also not satisfy or affect the applicability of other
provisions of law including FOIA, with respect to information
required to be provided to the Federal Government.
Section 1104(c) of Title 50: Federal Government Use of Information
Subsection (c) of new Section 1104 provides certain
limitations on the government's use of cyber threat information
provided by the private sector and ensures that the private
sector's provision of information to the government is purely
voluntary. The Committee intends these provisions, along with
others in the legislation, to help protect the privacy and
civil liberties of Americans.
Paragraph (1): Limitation
Paragraph (1) of subsection (c) limits the Federal
Government's use of information shared with the government by
the private sector to four specific areas: 1) for cybersecurity
purposes; 2) to investigate and prosecute cybersecurity crimes;
3) to protect individuals from the danger of death or serious
bodily harm and the investigation and prosecution of such; and
4) to protect minors from child pornography, sexual
exploitation, and serious threats to the physical safety of
such minors and to investigate and prosecute such crimes.
Paragraph 2: Affirmative Search Restriction
Paragraph (2) limits the Federal Government's affirmative
searching of data provided exclusively under this legislation
to the government by the private sector to only the permissible
uses enumerated in paragraph (1). The Committee intends this
provision to ensure that information provided under this
authority not be affirmatively searched by the government for
other purposes. At the same time, however, the Committee does
not intend this provision to limit in any way the government's
ability to act on information that is discovered in the process
of searching or analyzing the information provided for the
specified purposes.
Paragraph 3: Anti-Tasking Restrictions
Paragraph (3) makes clear that nothing in this legislation
permits the government to require a private sector entity to
share with the Federal Government nor to condition the sharing
of cyber threat intelligence under subsection (a) on the
provision of cyber threat information back to the Federal
Government under subsection (b). The Committee intends this
provision to ensure that cyber threat information sharing by
the private sector with the Federal Government remains purely
voluntary and that the government not attempt to compel such
sharing by withholding valuable cyber threat intelligence. The
Committee believes that this provision also prevents the
government from ``tasking'' the collection of information as
the government might do under appropriate criminal or foreign
intelligence surveillance authority because it ensures that the
private sector cannot be required to provide information back
to the government.
Paragraph 4: Protection of Sensitive Personal Documents
Paragraph (4) limits the Federal Government's use of
library circulation records, library patron lists, book sales
records, book customer lists, firearms sales records, tax
return records, educational records and medical records.
Paragraph (5) requires the Federal Government to notify the
provider of information shared under (b)(1) if it determines
the information is not cyber threat information.
Paragraph (6) prohibits the Federal Government from
retaining or using information shared under (b)(1) for any use
other than a permissible use under (c)(1).
Paragraph (7) requires the DNI to establish procedures
governing the receipt, retention, use and disclosure of non-
publicly available cyber threat information shared with the
Federal Government under (b)(1). The policies and procedures
must minimize the impact on privacy and civil liberties,
reasonably limit the receipt, retention, use and disclosure of
cyber threat information not necessary to protect systems from
cyber threats, and to protect the confidentiality of cyber
threat information associated with specific persons as well as
to guard such information from unauthorized access. The
procedures must also not delay or impede the flow of cyber
threat information necessary to defend against or mitigate a
cyber threat. The procedures must be implemented by agencies
receiving cyber threat information under (b)(1) and must be
submitted to Congress. Additionally, the DNI must establish a
program to monitor and oversee compliance with the procedures,
and agencies receiving cyber threat information under (b)(1)
must report compliance incidents to the DNI, AG and the
intelligence committees.
Section 1104(d) of Title 50: Federal Government Liability for
Violations of Restrictions on the Disclosure, Use, and
Protection of Voluntarily Shared Information
Subsection (d) creates a cause of action for persons
adversely affected by a willful or intentional violation of
(b)(3)(D) or (c) of the section. The liability avenue also
provides for damages and costs and attorney fees.
Section 1104(e) of Title 50: Report on Information Sharing
Subsection (e) of new Section 1104 requires the Inspector
General of the Intelligence Community, in consultation with the
Inspectors General of the Justice and Defense Departments, and
the Privacy and Civil Liberties Oversight Board to report
annually to the Congressional intelligence committees, in
unclassified form accompanied by a classified annex as needed,
on the use of the information shared with the Federal
Government under this legislation. The report on the use of
information shared with the Federal Government will include:
(1) a review of the use of such information for purposes other
than cybersecurity; (2) a review of the type of information
shared with the Federal Government; (3) a review of the actions
taken by the Federal Government based on the information
shared; (4) appropriate metrics to determine the impact of such
sharing on privacy and civil liberties, if any such impact
exists; and (5) any recommendations of the Inspector General
for improvements or modifications to the authorities provided
under this legislation. It is the Committee's intent that this
report provide the Committee with the information it needs to
ensure that the privacy and civil liberties of Americans are
being appropriately protected.
Section 1104(f) of Title 50: Federal Preemption
Subsection (f) of new Section 1104 provides that the
legislation supersedes any provision of state or local law that
may prohibit the activities authorized by this legislation. The
Committee's intent is to ensure, as with the federal provisions
discussed above, that state and local law on wiretapping,
antitrust, and public disclosure, to name but a few, do not
stand as a bar to the kind of robust cyber threat intelligence
and information sharing that the Committee hopes to engender
through the process of legislation.
Section 1104(g) of Title 50: Savings Clauses
Subsection (g)(1) of new Section 1104 makes clear that
nothing in this legislation trumps existing laws or authorities
permitting the use of cybersecurity systems or efforts to
identify, obtain, or share cyber threat information. Many
private sector entities today take advantage of certain
provisions of federal law to conduct the limited monitoring for
cybersecurity purposes. While this legislation provides much
more robust authorities, the Committee believed it important to
ensure that existing authorities remained in place and that
those authorities could continue to be used by the appropriate
government agencies and entities.
Paragraph (2) makes clear that nothing in the legislation
may be construed as providing additional authority to or
modifying existing authority of the Department of Defense
including the National Security Agency or any other element of
the Intelligence Community to control or direct the
cybersecurity efforts of a private sector entity or component
of the Federal Government or state, local or tribal government.
Paragraph (3) makes clear that nothing in the legislation
can be construed to limit or modify an existing information
sharing relationship, or prohibit or require a new information
sharing relationship. It also makes clear that nothing in this
legislation modifies the authority of a department or agency of
the Federal Government to protect sources and methods and the
national security of the United States, and nothing shall be
construed to preclude the Federal Government from requiring
reporting on significant cyber incidents already authorized or
required under law.
Paragraph (4) makes clear that the legislation cannot be
construed to provide additional authority to or modify existing
authority of any entity to use a cybersecurity system owned or
controlled by the Federal Government on a private sector system
or network to protect such.
Paragraph (5) makes clear that nothing in the legislation
can be construed to subject anyone to liability for choosing
not to engage in the voluntary activities authorized under the
legislation.
Paragraph (6) makes clear that the legislation cannot be
construed to authorize the Federal Government to retain or use
information shared under (b)(1) of the legislation for any use
other than those authorized under (c)(1).
Section 1104(g) of Title 50: Definitions
Subsection (g) of the new Section 1104 provides important
definitions for the purpose of this legislation. The Committee
notes that much of the work on limiting the scope and breadth
of this legislation is done by the definitions and commends
those interested in this legislation to carefully review these
definitions in the context of the legislation.
Paragraph 1: Availability
Defines the term ``availability'' to mean ensuring timely
and reliable access to and use of information.
Paragraph 2: Certified Entity
As noted briefly above, a certified entity is defined as a
cybersecurity provider, a protected entity, or a self-protected
entity that also possesses or is eligible to obtain a security
clearance at the level appropriate to receive classified cyber
threat intelligence, as determined by the DNI, and can
demonstrate to the Director of National Intelligence that it
can appropriately protect that classified information.
Paragraph 3: Confidentiality
The term confidentiality is defined as preserving
authorized restrictions on access and disclosure, including
means for protecting personal privacy and proprietary
information.
Paragraph 4: Cyber Threat Information
Cyber threat information is defined to mean information
that directly pertains to a vulnerability of, or threat to the
integrity, confidentiality or availability of, a system or
network of a government or private entity. Such information
includes, but is not limited to, information pertaining to the
protection of a system or network from efforts to deny access
to, degrade, disrupt or destroy the network, as well as efforts
to gain unauthorized access to such system for the purpose of
exfiltrating information from the system or network. The
Committee specifically excluded from the definition of cyber
threat information any information pertaining to efforts to
gain unauthorized access to such system or network that solely
involve violations of consumer terms of service or consumer
licensing agreements and do not otherwise constitute
unauthorized access.
Paragraph 5: Cyber Threat Intelligence
The definition of cyber threat intelligence is consistent
with the definition of cyber threat information except that
cyber threat intelligence is information that is originally in
the possession of an element of the Intelligence Community. The
Committee used different terms in this legislation with similar
definitions in order to distinguish the origin of information.
Paragraph 6: Cybersecurity Crime
Cybersecurity crime is defined as a crime under
federal or state law that involves efforts to deny access,
degrade, disrupt, destroy, gain unauthorized access to a system
or network or to exfiltrate information from a system or
network without authorization. The definition also means a
violation of federal law relating to computer crimes including
a violation of any provision of Title 18 of the United States
Code that was created or amended by the Computer Fraud and
Abuse Act of 1986.
Paragraph 7: Cybersecurity Provider
A cybersecurity provider is defined to be a non-federal
entity that provides goods or services intended to be used for
cybersecurity purposes. The Committee intentionally excluded
federal entities from this construct to avoid any concern that
federal government agencies might serve as cybersecurity
providers to private sector entities.
Paragraph 8: Cybersecurity Purpose
A cybersecurity purpose is defined as the purpose of
ensuring the integrity, confidentiality, and availability of,
or safeguarding, a system or network. This includes, but is not
limited to, the protection of a system or network from a
vulnerability of a system or network, a threat to the
integrity, confidentiality, or availability of a network,
efforts to deny access to, degrade, disrupt or destroy a
network, as well as the protection of a system or network from
efforts to gain unauthorized access for the purpose of
exfiltrating information.
Paragraph 9: Cybersecurity System
A cybersecurity system is defined as a system designed or
employed to ensure the integrity, confidentiality, and
availability of, or safeguard, a system or network. This
includes, but is not limited to, a system designed or employed
to protect a system or network from a vulnerability of a system
or network, a threat to the integrity, confidentiality, or
availability of a network, efforts to deny access to, degrade,
disrupt or destroy a network, as well as the protection of a
system or network from efforts to gain unauthorized access for
the purpose of exfiltrating information. It does not include,
however, a system designed or employed to protect a system or
network from efforts to gain unauthorized access to such system
or network that solely involve violations of consumer terms of
service or consumer licensing agreements and do not otherwise
constitute unauthorized access.
Paragraph 10: Integrity
The term integrity as used in this legislation means
guarding against improper information modification or
destruction, including ensuring information nonrepudiation and
authenticity.
Paragraph 11: Protected Entity
A protected entity is defined as an entity, other than an
individual, that contracts with a cybersecurity provider for
goods or services to be used for cybersecurity purposes. The
Committee intentionally excluded individuals from this
definition so as to limit the direct scope of the legislation
to the protection of corporate entities.
Paragraph 12: Self-Protected Entity
A self-protected entity is defined as an entity, other than
an individual, that provides goods or services for
cybersecurity purposes to itself. As with the definition of a
protected entity, the Committee intentionally excluded
individuals from this definition so as to limit the direct
scope of the legislation to the protection of corporate
entities.
Paragraph 13: Utility
The term utility means an entity providing essential
services (other than law enforcement or regulatory services),
including electricity, natural gas, propane,
telecommunications, transportation, water or wastewater
services.
Section 2(b): Procedures and Guidelines
This subsection of the Act requires the DNI to establish
the procedures for sharing of cyber threat intelligence and to
issue the guidelines for granting security clearances within 60
days of the date of enactment of the Act. This subsection of
the Act also requires the DNI to expeditiously distribute the
procedures and guidelines to appropriate federal government and
private sector entities. The Committee intends to require the
DNI to meet these deadlines and to broadly distribute the
procedures and guidelines. As previously noted, the Committee
expects the DNI to work closely with the private sector in
developing these procedures and guidelines.
Section 2(c): Privacy and Civil Liberties Policies and Procedures
This subsection requires the DNI to establish the policies
and procedures for minimizing the impact on privacy and civil
liberties within 60 days of the date of enactment of the Act.
Section 2(d): Initial Reports
This subsection of the Act requires the first reports
provided to the Congressional intelligence committees by the
Inspector General of the Intelligence Community under
paragraphs (1) and (2) of subsection (e) of section 1104 to be
submitted no later than one year after the date of the
enactment of this Act.
Section 2(e): Table of Contents Amendment
This subsection of the Act provides for amendments to the
table of contents of the National Security Act of 1947.
Section 3: Sunset
Section 3 sets a five-year sunset on the legislation, running
from the date of enactment.
Oversight Findings and Recommendations
With respect to clause 3(c)(1) of rule XIII of the Rules of
the House of Representatives, the Committee held one open
hearing, and numerous informal information meetings or
briefings during the 113th Congress. The Committee also held
hearings, briefings and informational meetings during the 112th
Congress, detailed in footnote 1, above. The Committee's
extensive oversight of the cyber threat resulted in this bill,
which would authorize cyber threat information sharing between
and among the private sector and the government for the purpose
of better securing systems and networks against the cyber
threat.
Statement of General Performance Goals and Objectives
The goals and objectives of H.R. 624 are to provide clear
legal authority for sharing cyber threat information between
and among private sector entities and the Federal Government,
and to enhance the security of networks from the growing cyber
intrusion threat.
Unfunded Mandate Statement
Section 423 of the Congressional Budget and Impoundment
Control Act (as amended by section 101(a)(2) of the Unfunded
Mandates Reform Act, P.L. 104-4) requires a statement of
whether the provisions of the reported bill include unfunded
mandates. In compliance with this requirement, the Committee
has received a letter from the Congressional Budget Office
included herein.
Statement on Congressional Earmarks
Pursuant to clause 9 of rule XXI of the Rules of the House
of Representatives, the Committee states that the bill as
reported contains no congressional earmarks, limited tax
benefits, or limited tariff benefits.
Budget Authority and Congressional Budget Office Cost Estimate
With respect to clause 3(c)(2) of rule XIII of the Rules of
the House of Representatives and section 402 of the
Congressional Budget Act of 1974, the Committee has received
the following cost estimate for H.R. 624 from the Director of
the Congressional Budget Office.
April 12, 2013.
Hon. Mike Rogers,
Chairman, Permanent Select Committee on Intelligence,
House of Representatives, Washington, DC.
Dear Mr. Chairman: The Congressional Budget Office has
prepared the enclosed cost estimate for H.R. 624, the Cyber
Intelligence Sharing and Protection Act.
If you wish further details on this estimate, we will be
pleased to provide them. The CBO staff contacts are Jason
Wheelock and Ray Hall.
Sincerely,
Douglas W. Elmendorf.
Enclosure.
H.R. 624--Cyber Intelligence Sharing and Protection Act
H.R. 624 would amend the National Security Act of 1947 to
require the Director of National Intelligence (DNI) to
establish procedures to promote the sharing of information
about cyber threats between intelligence agencies and the
private sector. The DNI also would be directed to establish
guidelines for granting security clearances to employees of the
private-sector entities with which the government shares such
information. CBO estimates that implementing the bill would
have a discretionary cost of $20 million over the 2014-2018
period, assuming appropriation of the necessary amounts.
Enacting H.R. 624 could affect direct spending or revenues;
therefore, pay-as-you-go procedures apply. However, CBO
estimates that those effects would be insignificant for each
year.
CBO anticipates additional personnel would be needed to
administer the program and to manage the exchange of
information between intelligence agencies and the private
sector. Based on information from the DNI and the Office of
Personnel Management, CBO estimates that those activities would
cost approximately $4 million annually over the 2014-2018
period, assuming appropriation of the necessary amounts.
H.R. 624 would allow for a person to collect damages and
attorney's fees if the federal government intentionally or
willfully violated the conditions in the bill regarding the
handling and use of information shared with the government and
that person was harmed by such actions. Because any costs borne
by the government for those cases would probably be paid from
the Treasury's Judgment Fund (a permanent, indefinite
appropriation for claims and judgments against the United
States), the bill could affect direct spending. However, CBO
anticipates that any such cases would be rare and that the
impact on direct spending would be insignificant in every year.
The bill would impose intergovernmental and private-sector
mandates, as defined in the Unfunded Mandates Reform Act
(UMRA), by extending civil and criminal liability protection to
entities and cybersecurity providers that share or use cyber
threat information. The bill also would impose additional
intergovernmental mandates on state governments by preempting
state disclosure and liability laws. Because of uncertainty
about the number of cases that would be limited and any forgone
compensation that would result from compensatory damages, CBO
cannot determine whether the costs of the mandate would exceed
the annual threshold established in UMRA for private-sector
mandates ($150 million in 2013, adjusted annually for
inflation). However, CBO estimates that the aggregate costs of
the mandates on public entities would fall below the threshold
for intergovernmental mandates ($75 million in 2013, adjusted
annually for inflation).
The CBO staff contacts for this estimate are Jason Wheelock
and Ray Hall (for federal costs), J'nell J. Blanco (for the
intergovernmental impact), and Elizabeth Bass (for the private-
sector impact). This estimate was approved by Theresa Gullo,
Deputy Assistant Director for Budget Analysis.
Changes in Existing Law Made by the Bill, as Reported
In compliance with clause 3(e) of rule XIII of the Rules of
the House of Representatives, changes in existing law made by
the bill, as reported, are shown as follows (existing law
proposed to be omitted is enclosed in black brackets, new
matter is printed in italic, and existing law in which no
change is proposed is shown in roman):
NATIONAL SECURITY ACT OF 1947
short title
That this Act may be cited as the ``National Security Act of
1947''.
TABLE OF CONTENTS
Sec. 2. Declaration of policy.
* * * * * * *
TITLE XI--OTHER PROVISIONS
* * * * * * *
Sec. 1104. Cyber threat intelligence and information sharing.
* * * * * * *
TITLE XI--ADDITIONAL MISCELLANEOUS PROVISIONS
* * * * * * *
CYBER THREAT INTELLIGENCE AND INFORMATION SHARING
Sec. 1104. (a) Intelligence Community Sharing of Cyber Threat
Intelligence with Private Sector and Utilities.--
(1) In general.--The Director of National
Intelligence shall establish procedures to allow
elements of the intelligence community to share cyber
threat intelligence with private-sector entities and
utilities and to encourage the sharing of such
intelligence.
(2) Sharing and use of classified intelligence.--The
procedures established under paragraph (1) shall
provide that classified cyber threat intelligence may
only be--
(A) shared by an element of the intelligence
community with--
(i) a certified entity; or
(ii) a person with an appropriate
security clearance to receive such
cyber threat intelligence;
(B) shared consistent with the need to
protect the national security of the United
States; and
(C) used by a certified entity in a manner
which protects such cyber threat intelligence
from unauthorized disclosure.
(3) Security clearance approvals.--The Director of
National Intelligence shall issue guidelines providing
that the head of an element of the intelligence
community may, as the head of such element considers
necessary to carry out this subsection--
(A) grant a security clearance on a temporary
or permanent basis to an employee or officer of
a certified entity;
(B) grant a security clearance on a temporary
or permanent basis to a certified entity and
approval to use appropriate facilities; and
(C) expedite the security clearance process
for a person or entity as the head of such
element considers necessary, consistent with
the need to protect the national security of
the United States.
(4) No right or benefit.--The provision of
information to a private-sector entity or a utility
under this subsection shall not create a right or
benefit to similar information by such entity or such
utility or any other private-sector entity or utility.
(5) Restriction on disclosure of cyber threat
intelligence.--Notwithstanding any other provision of
law, a certified entity receiving cyber threat
intelligence pursuant to this subsection shall not
further disclose such cyber threat intelligence to
another entity, other than to a certified entity or
other appropriate agency or department of the Federal
Government authorized to receive such cyber threat
intelligence.
(b) Use of Cybersecurity Systems and Sharing of Cyber Threat
Information.--
(1) In general.--
(A) Cybersecurity providers.--Notwithstanding
any other provision of law, a cybersecurity
provider, with the express consent of a
protected entity for which such cybersecurity
provider is providing goods or services for
cybersecurity purposes, may, for cybersecurity
purposes--
(i) use cybersecurity systems to
identify and obtain cyber threat
information to protect the rights and
property of such protected entity; and
(ii) share such cyber threat
information with any other entity
designated by such protected entity,
including, if specifically designated,
the Federal Government.
(B) Self-protected entities.--Notwithstanding
any other provision of law, a self-protected
entity may, for cybersecurity purposes--
(i) use cybersecurity systems to
identify and obtain cyber threat
information to protect the rights and
property of such self-protected entity;
and
(ii) share such cyber threat
information with any other entity,
including the Federal Government.
(2) Sharing with the Federal Government.--
(A) Information shared with the national
cybersecurity and communications integration
center of the department of homeland
security.--Subject to the use and protection of
information requirements under paragraph (3),
the head of a department or agency of the
Federal Government receiving cyber threat
information in accordance with paragraph (1)
shall provide such cyber threat information in
as close to real time as possible to the
National Cybersecurity and Communications
Integration Center of the Department of
Homeland Security.
(B) Request to share with another department
or agency of the federal government.--An entity
sharing cyber threat information that is
provided to the National Cybersecurity and
Communications Integration Center of the
Department of Homeland Security under
subparagraph (A) or paragraph (1) may request
the head of such Center to, and the head of
such Center may, provide such information in as
close to real time as possible to another
department or agency of the Federal Government.
(3) Use and protection of information.--Cyber threat
information shared in accordance with paragraph (1)--
(A) shall only be shared in accordance with
any restrictions placed on the sharing of such
information by the protected entity or self-
protected entity authorizing such sharing,
including appropriate anonymization or
minimization of such information and excluding
limiting a department or agency of the Federal
Government from sharing such information with
another department or agency of the Federal
Government in accordance with this section;
(B) may not be used by an entity to gain an
unfair competitive advantage to the detriment
of the protected entity or the self-protected
entity authorizing the sharing of information;
(C) may only be used by a non-Federal
recipient of such information for a
cybersecurity purpose;
(D) if shared with the Federal Government--
(i) shall be exempt from disclosure
under section 552 of title 5, United
States Code (commonly known as the
``Freedom of Information Act'');
(ii) shall be considered proprietary
information and shall not be disclosed
to an entity outside of the Federal
Government except as authorized by the
entity sharing such information;
(iii) shall not be used by the
Federal Government for regulatory
purposes;
(iv) shall not be provided by the
department or agency of the Federal
Government receiving such cyber threat
information to another department or
agency of the Federal Government under
paragraph (2)(A) if--
(I) the entity providing such
information determines that the
provision of such information
will undermine the purpose for
which such information is
shared; or
(II) unless otherwise
directed by the President, the
head of the department or
agency of the Federal
Government receiving such cyber
threat information determines
that the provision of such
information will undermine the
purpose for which such
information is shared; and
(v) shall be handled by the Federal
Government consistent with the need to
protect sources and methods and the
national security of the United States;
and
(E) shall be exempt from disclosure under a
State, local, or tribal law or regulation that
requires public disclosure of information by a
public or quasi-public entity.
(4) Exemption from liability.--
(A) Exemption.--No civil or criminal cause of
action shall lie or be maintained in Federal or
State court against a protected entity, self-
protected entity, cybersecurity provider, or an
officer, employee, or agent of a protected
entity, self-protected entity, or cybersecurity
provider, acting in good faith--
(i) for using cybersecurity systems
to identify or obtain cyber threat
information or for sharing such
information in accordance with this
section; or
(ii) for decisions made for
cybersecurity purposes and based on
cyber threat information identified,
obtained, or shared under this section.
(B) Lack of good faith.--For purposes of the
exemption from liability under subparagraph
(A), a lack of good faith includes, but is not
limited to, any act or omission taken with
intent to injure, defraud, or otherwise
endanger any individual, government entity,
private entity, or utility.
(5) Relationship to other laws requiring the
disclosure of information.--The submission of
information under this subsection to the Federal
Government shall not satisfy or affect--
(A) any requirement under any other provision
of law for a person or entity to provide
information to the Federal Government; or
(B) the applicability of other provisions of
law, including section 552 of title 5, United
States Code (commonly known as the ``Freedom of
Information Act''), with respect to information
required to be provided to the Federal
Government under such other provision of law.
(6) Rule of construction.--Nothing in this subsection
shall be construed to provide new authority to--
(A) a cybersecurity provider to use a
cybersecurity system to identify or obtain
cyber threat information from a system or
network other than a system or network owned or
operated by a protected entity for which such
cybersecurity provider is providing goods or
services for cybersecurity purposes; or
(B) a self-protected entity to use a
cybersecurity system to identify or obtain
cyber threat information from a system or
network other than a system or network owned or
operated by such self-protected entity.
(c) Federal Government Use of Information.--
(1) Limitation.--The Federal Government may use cyber
threat information shared with the Federal Government
in accordance with subsection (b)--
(A) for cybersecurity purposes;
(B) for the investigation and prosecution of
cybersecurity crimes;
(C) for the protection of individuals from
the danger of death or serious bodily harm and
the investigation and prosecution of crimes
involving such danger of death or serious
bodily harm; or
(D) for the protection of minors from child
pornography, any risk of sexual exploitation,
and serious threats to the physical safety of
minors, including kidnapping and trafficking
and the investigation and prosecution of crimes
involving child pornography, any risk of sexual
exploitation, and serious threats to the
physical safety of minors, including kidnapping
and trafficking, and any crime referred to in
section 2258A(a)(2) of title 18, United States
Code.
(2) Affirmative search restriction.--The Federal
Government may not affirmatively search cyber threat
information shared with the Federal Government under
subsection (b) for a purpose other than a purpose
referred to in paragraph (1).
(3) Anti-tasking restriction.--Nothing in this
section shall be construed to permit the Federal
Government to--
(A) require a private-sector entity or
utility to share information with the Federal
Government; or
(B) condition the sharing of cyber threat
intelligence with a private-sector entity or
utility on the provision of cyber threat
information to the Federal Government.
(4) Protection of sensitive personal documents.--The
Federal Government may not use the following
information, containing information that identifies a
person, shared with the Federal Government in
accordance with subsection (b) unless such information
is used in accordance with the policies and procedures
established under paragraph (7):
(A) Library circulation records.
(B) Library patron lists.
(C) Book sales records.
(D) Book customer lists.
(E) Firearms sales records.
(F) Tax return records.
(G) Educational records.
(H) Medical records.
(5) Notification of non-cyber threat information.--If
a department or agency of the Federal Government
receiving information pursuant to subsection (b)(1)
determines that such information is not cyber threat
information, such department or agency shall notify the
entity or provider sharing such information pursuant to
subsection (b)(1).
(6) Retention and use of cyber threat information.--
No department or agency of the Federal Government shall
retain or use information shared pursuant to subsection
(b)(1) for any use other than a use permitted under
subsection (c)(1).
(7) Privacy and civil liberties.--
(A) Policies and procedures.--The Director of
National Intelligence, in consultation with the
Secretary of Homeland Security and the Attorney
General, shall establish and periodically
review policies and procedures governing the
receipt, retention, use, and disclosure of non-
publicly available cyber threat information
shared with the Federal Government in
accordance with subsection (b)(1). Such
policies and procedures shall, consistent with
the need to protect systems and networks from
cyber threats and mitigate cyber threats in a
timely manner--
(i) minimize the impact on privacy
and civil liberties;
(ii) reasonably limit the receipt,
retention, use, and disclosure of cyber
threat information associated with
specific persons that is not necessary
to protect systems or networks from
cyber threats or mitigate cyber threats
in a timely manner;
(iii) include requirements to
safeguard non-publicly available cyber
threat information that may be used to
identify specific persons from
unauthorized access or acquisition;
(iv) protect the confidentiality of
cyber threat information associated
with specific persons to the greatest
extent practicable; and
(v) not delay or impede the flow of
cyber threat information necessary to
defend against or mitigate a cyber
threat.
(B) Submission to Congress.--The Director of
National Intelligence shall, consistent with
the need to protect sources and methods, submit
to Congress the policies and procedures
required under subparagraph (A) and any updates
to such policies and procedures.
(C) Implementation.--The head of each
department or agency of the Federal Government
receiving cyber threat information shared with
the Federal Government under subsection (b)(1)
shall--
(i) implement the policies and
procedures established under
subparagraph (A); and
(ii) promptly notify the Director of
National Intelligence, the Attorney
General, and the congressional
intelligence committees of any
significant violations of such policies
and procedures.
(D) Oversight.--The Director of National
Intelligence, in consultation with the Attorney
General, the Secretary of Homeland Security,
and the Secretary of Defense, shall establish a
program to monitor and oversee compliance with
the policies and procedures established under
subparagraph (A).
(d) Federal Government Liability for Violations of
Restrictions on the Disclosure, Use, and Protection of
Voluntarily Shared Information.--
(1) In general.--If a department or agency of the
Federal Government intentionally or willfully violates
subsection (b)(3)(D) or subsection (c) with respect to
the disclosure, use, or protection of voluntarily
shared cyber threat information shared under this
section, the United States shall be liable to a person
adversely affected by such violation in an amount equal
to the sum of--
(A) the actual damages sustained by the
person as a result of the violation or $1,000,
whichever is greater; and
(B) the costs of the action together with
reasonable attorney fees as determined by the
court.
(2) Venue.--An action to enforce liability created
under this subsection may be brought in the district
court of the United States in--
(A) the district in which the complainant
resides;
(B) the district in which the principal place
of business of the complainant is located;
(C) the district in which the department or
agency of the Federal Government that disclosed
the information is located; or
(D) the District of Columbia.
(3) Statute of limitations.--No action shall lie
under this subsection unless such action is commenced
not later than two years after the date of the
violation of subsection (b)(3)(D) or subsection (c)
that is the basis for the action.
(4) Exclusive cause of action.--A cause of action
under this subsection shall be the exclusive means
available to a complainant seeking a remedy for a
violation of subsection (b)(3)(D) or subsection (c).
(e) Reports on Information Sharing.--
(1) Inspector general report.--The Inspector General
of the Intelligence Community, in consultation with the
Inspector General of the Department of Justice, the
Inspector General of the Department of Defense, and the
Privacy and Civil Liberties Oversight Board, shall
annually submit to the congressional intelligence
committees a report containing a review of the use of
information shared with the Federal Government under
this section, including--
(A) a review of the use by the Federal
Government of such information for a purpose
other than a cybersecurity purpose;
(B) a review of the type of information
shared with the Federal Government under this
section;
(C) a review of the actions taken by the
Federal Government based on such information;
(D) appropriate metrics to determine the
impact of the sharing of such information with
the Federal Government on privacy and civil
liberties, if any;
(E) a list of the departments or agencies
receiving such information;
(F) a review of the sharing of such
information within the Federal Government to
identify inappropriate stovepiping of shared
information; and
(G) any recommendations of the Inspector
General for improvements or modifications to
the authorities under this section.
(2) Privacy and civil liberties officers report.--The
Civil Liberties Protection Officer of the Office of the
Director of National Intelligence and the Chief Privacy
and Civil Liberties Officer of the Department of
Justice, in consultation with the Privacy and Civil
Liberties Oversight Board, the Inspector General of the
Intelligence Community, and the senior privacy and
civil liberties officer of each department or agency of
the Federal Government that receives cyber threat
information shared with the Federal Government under
this section, shall annually and jointly submit to
Congress a report assessing the privacy and civil
liberties impact of the activities conducted by the
Federal Government under this section. Such report
shall include any recommendations the Civil Liberties
Protection Officer and Chief Privacy and Civil
Liberties Officer consider appropriate to minimize or
mitigate the privacy and civil liberties impact of the
sharing of cyber threat information under this section.
(3) Form.--Each report required under paragraph (1)
or (2) shall be submitted in unclassified form, but may
include a classified annex.
(f) Federal Preemption.--This section supersedes any statute
of a State or political subdivision of a State that restricts
or otherwise expressly regulates an activity authorized under
subsection (b).
(g) Savings Clauses.--
(1) Existing authorities.--Nothing in this section
shall be construed to limit any other authority to use
a cybersecurity system or to identify, obtain, or share
cyber threat intelligence or cyber threat information.
(2) Limitation on military and intelligence community
involvement in private and public sector cybersecurity
efforts.--Nothing in this section shall be construed to
provide additional authority to, or modify an existing
authority of, the Department of Defense or the National
Security Agency or any other element of the
intelligence community to control, modify, require, or
otherwise direct the cybersecurity efforts of a
private-sector entity or a component of the Federal
Government or a State, local, or tribal government.
(3) Information sharing relationships.--Nothing in
this section shall be construed to--
(A) limit or modify an existing information
sharing relationship;
(B) prohibit a new information sharing
relationship;
(C) require a new information sharing
relationship between the Federal Government and
a private-sector entity or utility;
(D) modify the authority of a department or
agency of the Federal Government to protect
sources and methods and the national security
of the United States; or
(E) preclude the Federal Government from
requiring an entity to report significant cyber
incidents if authorized or required to do so
under another provision of law.
(4) Limitation on federal government use of
cybersecurity systems.--Nothing in this section shall
be construed to provide additional authority to, or
modify an existing authority of, any entity to use a
cybersecurity system owned or controlled by the Federal
Government on a private-sector system or network to
protect such private-sector system or network.
(5) No liability for non-participation.--Nothing in
this section shall be construed to subject a protected
entity, self-protected entity, cyber security provider,
or an officer, employee, or agent of a protected
entity, self-protected entity, or cybersecurity
provider, to liability for choosing not to engage in
the voluntary activities authorized under this section.
(6) Use and retention of information.--Nothing in
this section shall be construed to authorize, or to
modify any existing authority of, a department or
agency of the Federal Government to retain or use
information shared pursuant to subsection (b)(1) for
any use other than a use permitted under subsection
(c)(1).
(h) Definitions.--In this section:
(1) Availability.--The term ``availability'' means
ensuring timely and reliable access to and use of
information.
(2) Certified entity.--The term ``certified entity''
means a protected entity, self-protected entity, or
cybersecurity provider that--
(A) possesses or is eligible to obtain a
security clearance, as determined by the
Director of National Intelligence; and
(B) is able to demonstrate to the Director of
National Intelligence that such provider or
such entity can appropriately protect
classified cyber threat intelligence.
(3) Confidentiality.--The term ``confidentiality''
means preserving authorized restrictions on access and
disclosure, including means for protecting personal
privacy and proprietary information.
(4) Cyber threat information.--
(A) In General.--The term ``cyber threat
information'' means information directly
pertaining to--
(i) a vulnerability of a system or
network of a government or private
entity or utility;
(ii) a threat to the integrity,
confidentiality, or availability of a
system or network of a government or
private entity or utility or any
information stored on, processed on, or
transiting such a system or network;
(iii) efforts to deny access to or
degrade, disrupt, or destroy a system
or network of a government or private
entity or utility; or
(iv) efforts to gain unauthorized
access to a system or network of a
government or private entity or
utility, including to gain such
unauthorized access for the purpose of
exfiltrating information stored on,
processed on, or transiting a system or
network of a government or private
entity or utility.
(B) Exclusion.--Such term does not include
information pertaining to efforts to gain
unauthorized access to a system or network of a
government or private entity or utility that
solely involve violations of consumer terms of
service or consumer licensing agreements and do
not otherwise constitute unauthorized access.
(5) Cyber threat intelligence.--
(A) In general.--The term ``cyber threat
intelligence'' means intelligence in the
possession of an element of the intelligence
community directly pertaining to--
(i) a vulnerability of a system or
network of a government or private
entity or utility;
(ii) a threat to the integrity,
confidentiality, or availability of a
system or network of a government or
private entity or utility or any
information stored on, processed on, or
transiting such a system or network;
(iii) efforts to deny access to or
degrade, disrupt, or destroy a system
or network of a government or private
entity or utility; or
(iv) efforts to gain unauthorized
access to a system or network of a
government or private entity or
utility, including to gain such
unauthorized access for the purpose of
exfiltrating information stored on,
processed on, or transiting a system or
network of a government or private
entity or utility.
(B) Exclusion.--Such term does not include
intelligence pertaining to efforts to gain
unauthorized access to a system or network of a
government or private entity or utility that
solely involve violations of consumer terms of
service or consumer licensing agreements and do
not otherwise constitute unauthorized access.
(6) Cybersecurity crime.--The term ``cybersecurity
crime'' means--
(A) a crime under a Federal or State law that
involves--
(i) efforts to deny access to or
degrade, disrupt, or destroy a system
or network;
(ii) efforts to gain unauthorized
access to a system or network; or
(iii) efforts to exfiltrate
information from a system or network
without authorization; or
(B) the violation of a provision of Federal
law relating to computer crimes, including a
violation of any provision of title 18, United
States Code, created or amended by the Computer
Fraud and Abuse Act of 1986 (Public Law 99-
474).
(7) Cybersecurity provider.--The term ``cybersecurity
provider'' means a non-Federal entity that provides
goods or services intended to be used for cybersecurity
purposes.
(8) Cybersecurity purpose.--
(A) In general.--The term ``cybersecurity
purpose'' means the purpose of ensuring the
integrity, confidentiality, or availability of,
or safeguarding, a system or network, including
protecting a system or network from--
(i) a vulnerability of a system or
network;
(ii) a threat to the integrity,
confidentiality, or availability of a
system or network or any information
stored on, processed on, or transiting
such a system or network;
(iii) efforts to deny access to or
degrade, disrupt, or destroy a system
or network; or
(iv) efforts to gain unauthorized
access to a system or network,
including to gain such unauthorized
access for the purpose of exfiltrating
information stored on, processed on, or
transiting a system or network.
(B) Exclusion.--Such term does not include
the purpose of protecting a system or network
from efforts to gain unauthorized access to
such system or network that solely involve
violations of consumer terms of service or
consumer licensing agreements and do not
otherwise constitute unauthorized access.
(9) Cybersecurity system.--
(A) In general.--The term ``cybersecurity
system'' means a system designed or employed to
ensure the integrity, confidentiality, or
availability of, or safeguard, a system or
network, including protecting a system or
network from--
(i) a vulnerability of a system or
network;
(ii) a threat to the integrity,
confidentiality, or availability of a
system or network or any information
stored on, processed on, or transiting
such a system or network;
(iii) efforts to deny access to or
degrade, disrupt, or destroy a system
or network; or
(iv) efforts to gain unauthorized
access to a system or network,
including to gain such unauthorized
access for the purpose of exfiltrating
information stored on, processed on, or
transiting a system or network.
(B) Exclusion.--Such term does not include a
system designed or employed to protect a system
or network from efforts to gain unauthorized
access to such system or network that solely
involve violations of consumer terms of service
or consumer licensing agreements and do not
otherwise constitute unauthorized access.
(10) Integrity.--The term ``integrity'' means
guarding against improper information modification or
destruction, including ensuring information
nonrepudiation and authenticity.
(11) Protected entity.--The term ``protected entity''
means an entity, other than an individual, that
contracts with a cybersecurity provider for goods or
services to be used for cybersecurity purposes.
(12) Self-protected entity.--The term ``self-
protected entity'' means an entity, other than an
individual, that provides goods or services for
cybersecurity purposes to itself.
(13) Utility.--The term ``utility'' means an entity
providing essential services (other than law
enforcement or regulatory services), including
electricity, natural gas, propane, telecommunications,
transportation, water, or wastewater services.
[Effective 5 years after the date of enactment, section 3 of H.R. 624
(as reported) provides for a sunset provision to amendments made by
section 2 of H.R. 624 to the National Security Act of 1947. The version
below reflects the execution of the amendments made by section 2 of
H.R. 624 as if they reflect current law in order to show the repeal of
such provisions on such effective date.]
* * * * * * *
TABLE OF CONTENTS
Sec. 2. Declaration of policy.
* * * * * * *
TITLE XI--OTHER PROVISIONS
* * * * * * *
[Sec. 1104. Cyber threat intelligence and information sharing.]
* * * * * * *
TITLE XI--ADDITIONAL MISCELLANEOUS PROVISIONS
* * * * * * *
[CYBER THREAT INTELLIGENCE AND INFORMATION SHARING
[Sec. 1104. (a) Intelligence Community Sharing of Cyber
Threat Intelligence with Private Sector and Utilities.--
[(1) In general.--The Director of National
Intelligence shall establish procedures to allow
elements of the intelligence community to share cyber
threat intelligence with private-sector entities and
utilities and to encourage the sharing of such
intelligence.
[(2) Sharing and use of classified intelligence.--The
procedures established under paragraph (1) shall
provide that classified cyber threat intelligence may
only be--
[(A) shared by an element of the intelligence
community with--
[(i) a certified entity; or
[(ii) a person with an appropriate
security clearance to receive such
cyber threat intelligence;
[(B) shared consistent with the need to
protect the national security of the United
States; and
[(C) used by a certified entity in a manner
which protects such cyber threat intelligence
from unauthorized disclosure.
[(3) Security clearance approvals.--The Director of
National Intelligence shall issue guidelines providing
that the head of an element of the intelligence
community may, as the head of such element considers
necessary to carry out this subsection--
[(A) grant a security clearance on a
temporary or permanent basis to an employee or
officer of a certified entity;
[(B) grant a security clearance on a
temporary or permanent basis to a certified
entity and approval to use appropriate
facilities; and
[(C) expedite the security clearance process
for a person or entity as the head of such
element considers necessary, consistent with
the need to protect the national security of
the United States.
[(4) No right or benefit.--The provision of
information to a private-sector entity or a utility
under this subsection shall not create a right or
benefit to similar information by such entity or such
utility or any other private-sector entity or utility.
[(5) Restriction on disclosure of cyber threat
intelligence.--Notwithstanding any other provision of
law, a certified entity receiving cyber threat
intelligence pursuant to this subsection shall not
further disclose such cyber threat intelligence to
another entity, other than to a certified entity or
other appropriate agency or department of the Federal
Government authorized to receive such cyber threat
intelligence.
[(b) Use of Cybersecurity Systems and Sharing of Cyber Threat
Information.--
[(1) In general.--
[(A) Cybersecurity providers.--
Notwithstanding any other provision of law, a
cybersecurity provider, with the express
consent of a protected entity for which such
cybersecurity provider is providing goods or
services for cybersecurity purposes, may, for
cybersecurity purposes--
[(i) use cybersecurity systems to
identify and obtain cyber threat
information to protect the rights and
property of such protected entity; and
[(ii) share such cyber threat
information with any other entity
designated by such protected entity,
including, if specifically designated,
the Federal Government.
[(B) Self-protected entities.--
Notwithstanding any other provision of law, a
self-protected entity may, for cybersecurity
purposes--
[(i) use cybersecurity systems to
identify and obtain cyber threat
information to protect the rights and
property of such self-protected entity;
and
[(ii) share such cyber threat
information with any other entity,
including the Federal Government.
[(2) Sharing with the federal government.--
[(A) Information shared with the National
Cybersecurity and Communications Integration
Center of the Department of Homeland
Security.--Subject to the use and protection of
information requirements under paragraph (3),
the head of a department or agency of the
Federal Government receiving cyber threat
information in accordance with paragraph (1)
shall provide such cyber threat information in
as close to real time as possible to the
National Cybersecurity and Communications
Integration Center of the Department of
Homeland Security.
[(B) Request to share with another department
or agency of the federal government.--An entity
sharing cyber threat information that is
provided to the National Cybersecurity and
Communications Integration Center of the
Department of Homeland Security under
subparagraph (A) or paragraph (1) may request
the head of such Center to, and the head of
such Center may, provide such information in as
close to real time as possible to another
department or agency of the Federal Government.
[(3) Use and protection of information.--Cyber threat
information shared in accordance with paragraph (1)--
[(A) shall only be shared in accordance with
any restrictions placed on the sharing of such
information by the protected entity or self-
protected entity authorizing such sharing,
including appropriate anonymization or
minimization of such information and excluding
limiting a department or agency of the Federal
Government from sharing such information with
another department or agency of the Federal
Government in accordance with this section;
[(B) may not be used by an entity to gain an
unfair competitive advantage to the detriment
of the protected entity or the self-protected
entity authorizing the sharing of information;
[(C) may only be used by a non-Federal
recipient of such information for a
cybersecurity purpose;
[(D) if shared with the Federal Government--
[(i) shall be exempt from disclosure
under section 552 of title 5, United
States Code (commonly known as the
``Freedom of Information Act'');
[(ii) shall be considered proprietary
information and shall not be disclosed
to an entity outside of the Federal
Government except as authorized by the
entity sharing such information;
[(iii) shall not be used by the
Federal Government for regulatory
purposes;
[(iv) shall not be provided by the
department or agency of the Federal
Government receiving such cyber threat
information to another department or
agency of the Federal Government under
paragraph (2)(A) if--
[(I) the entity providing
such information determines
that the provision of such
information will undermine the
purpose for which such
information is shared; or
[(II) unless otherwise
directed by the President, the
head of the department or
agency of the Federal
Government receiving such cyber
threat information determines
that the provision of such
information will undermine the
purpose for which such
information is shared; and
[(v) shall be handled by the Federal
Government consistent with the need to
protect sources and methods and the
national security of the United States;
and
[(E) shall be exempt from disclosure under a
State, local, or tribal law or regulation that
requires public disclosure of information by a
public or quasi-public entity.
[(4) Exemption from liability.--
[(A) Exemption.--No civil or criminal cause
of action shall lie or be maintained in Federal
or State court against a protected entity,
self-protected entity, cybersecurity provider,
or an officer, employee, or agent of a
protected entity, self-protected entity, or
cybersecurity provider, acting in good faith--
[(i) for using cybersecurity systems
to identify or obtain cyber threat
information or for sharing such
information in accordance with this
section; or
[(ii) for decisions made for
cybersecurity purposes and based on
cyber threat information identified,
obtained, or shared under this section.
[(B) Lack of good faith.--For purposes of the
exemption from liability under subparagraph
(A), a lack of good faith includes, but is not
limited to, any act or omission taken with
intent to injure, defraud, or otherwise
endanger any individual, government entity,
private entity, or utility.
[(5) Relationship to other laws requiring the
disclosure of information.--The submission of
information under this subsection to the Federal
Government shall not satisfy or affect--
[(A) any requirement under any other
provision of law for a person or entity to
provide information to the Federal Government;
or
[(B) the applicability of other provisions of
law, including section 552 of title 5, United
States Code (commonly known as the ``Freedom of
Information Act''), with respect to information
required to be provided to the Federal
Government under such other provision of law.
[(6) Rule of construction.--Nothing in this
subsection shall be construed to provide new authority
to--
[(A) a cybersecurity provider to use a
cybersecurity system to identify or obtain
cyber threat information from a system or
network other than a system or network owned or
operated by a protected entity for which such
cybersecurity provider is providing goods or
services for cybersecurity purposes; or
[(B) a self-protected entity to use a
cybersecurity system to identify or obtain
cyber threat information from a system or
network other than a system or network owned or
operated by such self-protected entity.
[(c) Federal Government Use of Information.--
[(1) Limitation.--The Federal Government may use
cyber threat information shared with the Federal
Government in accordance with subsection (b)--
[(A) for cybersecurity purposes;
[(B) for the investigation and prosecution of
cybersecurity crimes;
[(C) for the protection of individuals from
the danger of death or serious bodily harm and
the investigation and prosecution of crimes
involving such danger of death or serious
bodily harm; or
[(D) for the protection of minors from child
pornography, any risk of sexual exploitation,
and serious threats to the physical safety of
minors, including kidnapping and trafficking
and the investigation and prosecution of crimes
involving child pornography, any risk of sexual
exploitation, and serious threats to the
physical safety of minors, including kidnapping
and trafficking, and any crime referred to in
section 2258A(a)(2) of title 18, United States
Code.
[(2) Affirmative search restriction.--The Federal
Government may not affirmatively search cyber threat
information shared with the Federal Government under
subsection (b) for a purpose other than a purpose
referred to in paragraph (1).
[(3) Anti-tasking restriction.--Nothing in this
section shall be construed to permit the Federal
Government to--
[(A) require a private-sector entity or
utility to share information with the Federal
Government; or
[(B) condition the sharing of cyber threat
intelligence with a private-sector entity or
utility on the provision of cyber threat
information to the Federal Government.
[(4) Protection of sensitive personal documents.--The
Federal Government may not use the following
information, containing information that identifies a
person, shared with the Federal Government in
accordance with subsection (b) unless such information
is used in accordance with the policies and procedures
established under paragraph (7):
[(A) Library circulation records.
[(B) Library patron lists.
[(C) Book sales records.
[(D) Book customer lists.
[(E) Firearms sales records.
[(F) Tax return records.
[(G) Educational records.
[(H) Medical records.
[(5) Notification of non-cyber threat information.--
If a department or agency of the Federal Government
receiving information pursuant to subsection (b)(1)
determines that such information is not cyber threat
information, such department or agency shall notify the
entity or provider sharing such information pursuant to
subsection (b)(1).
[(6) Retention and use of cyber threat information.--
No department or agency of the Federal Government shall
retain or use information shared pursuant to subsection
(b)(1) for any use other than a use permitted under
subsection (c)(1).
[(7) Privacy and civil liberties.--
[(A) Policies and procedures.--The Director
of National Intelligence, in consultation with
the Secretary of Homeland Security and the
Attorney General, shall establish and
periodically review policies and procedures
governing the receipt, retention, use, and
disclosure of non-publicly available cyber
threat information shared with the Federal
Government in accordance with subsection
(b)(1). Such policies and procedures shall,
consistent with the need to protect systems and
networks from cyber threats and mitigate cyber
threats in a timely manner--
[(i) minimize the impact on privacy
and civil liberties;
[(ii) reasonably limit the receipt,
retention, use, and disclosure of cyber
threat information associated with
specific persons that is not necessary
to protect systems or networks from
cyber threats or mitigate cyber threats
in a timely manner;
[(iii) include requirements to
safeguard non-publicly available cyber
threat information that may be used to
identify specific persons from
unauthorized access or acquisition;
[(iv) protect the confidentiality of
cyber threat information associated
with specific persons to the greatest
extent practicable; and
[(v) not delay or impede the flow of
cyber threat information necessary to
defend against or mitigate a cyber
threat.
[(B) Submission to Congress.--The Director of
National Intelligence shall, consistent with
the need to protect sources and methods, submit
to Congress the policies and procedures
required under subparagraph (A) and any updates
to such policies and procedures.
[(C) Implementation.--The head of each
department or agency of the Federal Government
receiving cyber threat information shared with
the Federal Government under subsection (b)(1)
shall--
[(i) implement the policies and
procedures established under
subparagraph (A); and
[(ii) promptly notify the Director of
National Intelligence, the Attorney
General, and the congressional
intelligence committees of any
significant violations of such policies
and procedures.
[(D) Oversight.--The Director of National
Intelligence, in consultation with the Attorney
General, the Secretary of Homeland Security,
and the Secretary of Defense, shall establish a
program to monitor and oversee compliance with
the policies and procedures established under
subparagraph (A).
[(d) Federal Government Liability for Violations of
Restrictions on the Disclosure, Use, and Protection of
Voluntarily Shared Information.--
[(1) In general.--If a department or agency of the
Federal Government intentionally or willfully violates
subsection (b)(3)(D) or subsection (c) with respect to
the disclosure, use, or protection of voluntarily
shared cyber threat information shared under this
section, the United States shall be liable to a person
adversely affected by such violation in an amount equal
to the sum of--
[(A) the actual damages sustained by the
person as a result of the violation or $1,000,
whichever is greater; and
[(B) the costs of the action together with
reasonable attorney fees as determined by the
court.
[(2) Venue.--An action to enforce liability created
under this subsection may be brought in the district
court of the United States in--
[(A) the district in which the complainant
resides;
[(B) the district in which the principal
place of business of the complainant is
located;
[(C) the district in which the department or
agency of the Federal Government that disclosed
the information is located; or
[(D) the District of Columbia.
[(3) Statute of limitations.--No action shall lie
under this subsection unless such action is commenced
not later than two years after the date of the
violation of subsection (b)(3)(D) or subsection (c)
that is the basis for the action.
[(4) Exclusive cause of action.--A cause of action
under this subsection shall be the exclusive means
available to a complainant seeking a remedy for a
violation of subsection (b)(3)(D) or subsection (c).
[(e) Reports on Information Sharing.--
[(1) Inspector general report.--The Inspector General
of the Intelligence Community, in consultation with the
Inspector General of the Department of Justice, the
Inspector General of the Department of Defense, and the
Privacy and Civil Liberties Oversight Board, shall
annually submit to the congressional intelligence
committees a report containing a review of the use of
information shared with the Federal Government under
this section, including--
[(A) a review of the use by the Federal
Government of such information for a purpose
other than a cybersecurity purpose;
[(B) a review of the type of information
shared with the Federal Government under this
section;
[(C) a review of the actions taken by the
Federal Government based on such information;
[(D) appropriate metrics to determine the
impact of the sharing of such information with
the Federal Government on privacy and civil
liberties, if any;
[(E) a list of the departments or agencies
receiving such information;
[(F) a review of the sharing of such
information within the Federal Government to
identify inappropriate stovepiping of shared
information; and
[(G) any recommendations of the Inspector
General for improvements or modifications to
the authorities under this section.
[(2) Privacy and civil liberties officers report.--
The Civil Liberties Protection Officer of the Office of
the Director of National Intelligence and the Chief
Privacy and Civil Liberties Officer of the Department
of Justice, in consultation with the Privacy and Civil
Liberties Oversight Board, the Inspector General of the
Intelligence Community, and the senior privacy and
civil liberties officer of each department or agency of
the Federal Government that receives cyber threat
information shared with the Federal Government under
this section, shall annually and jointly submit to
Congress a report assessing the privacy and civil
liberties impact of the activities conducted by the
Federal Government under this section. Such report
shall include any recommendations the Civil Liberties
Protection Officer and Chief Privacy and Civil
Liberties Officer consider appropriate to minimize or
mitigate the privacy and civil liberties impact of the
sharing of cyber threat information under this section.
[(3) Form.--Each report required under paragraph (1)
or (2) shall be submitted in unclassified form, but may
include a classified annex.
[(f) Federal Preemption.--This section supersedes any statute
of a State or political subdivision of a State that restricts
or otherwise expressly regulates an activity authorized under
subsection (b).
[(g) Savings Clauses.--
[(1) Existing authorities.--Nothing in this section
shall be construed to limit any other authority to use
a cybersecurity system or to identify, obtain, or share
cyber threat intelligence or cyber threat information.
[(2) Limitation on military and intelligence
community involvement in private and public sector
cybersecurity efforts.--Nothing in this section shall
be construed to provide additional authority to, or
modify an existing authority of, the Department of
Defense or the National Security Agency or any other
element of the intelligence community to control,
modify, require, or otherwise direct the cybersecurity
efforts of a private-sector entity or a component of
the Federal Government or a State, local, or tribal
government.
[(3) Information sharing relationships.--Nothing in
this section shall be construed to--
[(A) limit or modify an existing information
sharing relationship;
[(B) prohibit a new information sharing
relationship;
[(C) require a new information sharing
relationship between the Federal Government and
a private-sector entity or utility;
[(D) modify the authority of a department or
agency of the Federal Government to protect
sources and methods and the national security
of the United States; or
[(E) preclude the Federal Government from
requiring an entity to report significant cyber
incidents if authorized or required to do so
under another provision of law.
[(4) Limitation on federal government use of
cybersecurity systems.--Nothing in this section shall
be construed to provide additional authority to, or
modify an existing authority of, any entity to use a
cybersecurity system owned or controlled by the Federal
Government on a private-sector system or network to
protect such private-sector system or network.
[(5) No liability for non-participation.--Nothing in
this section shall be construed to subject a protected
entity, self-protected entity, cyber security provider,
or an officer, employee, or agent of a protected
entity, self-protected entity, or cybersecurity
provider, to liability for choosing not to engage in
the voluntary activities authorized under this section.
[(6) Use and retention of information.--Nothing in
this section shall be construed to authorize, or to
modify any existing authority of, a department or
agency of the Federal Government to retain or use
information shared pursuant to subsection (b)(1) for
any use other than a use permitted under subsection
(c)(1).
[(h) Definitions.--In this section:
[(1) Availability.--The term ``availability'' means
ensuring timely and reliable access to and use of
information.
[(2) Certified entity.--The term ``certified entity''
means a protected entity, self-protected entity, or
cybersecurity provider that--
[(A) possesses or is eligible to obtain a
security clearance, as determined by the
Director of National Intelligence; and
[(B) is able to demonstrate to the Director
of National Intelligence that such provider or
such entity can appropriately protect
classified cyber threat intelligence.
[(3) Confidentiality.--The term ``confidentiality''
means preserving authorized restrictions on access and
disclosure, including means for protecting personal
privacy and proprietary information.
[(4) Cyber threat information.--
[(A) In General.--The term ``cyber threat
information'' means information directly
pertaining to--
[(i) a vulnerability of a system or
network of a government or private
entity or utility;
[(ii) a threat to the integrity,
confidentiality, or availability of a
system or network of a government or
private entity or utility or any
information stored on, processed on, or
transiting such a system or network;
[(iii) efforts to deny access to or
degrade, disrupt, or destroy a system
or network of a government or private
entity or utility; or
[(iv) efforts to gain unauthorized
access to a system or network of a
government or private entity or
utility, including to gain such
unauthorized access for the purpose of
exfiltrating information stored on,
processed on, or transiting a system or
network of a government or private
entity or utility.
[(B) Exclusion.--Such term does not include
information pertaining to efforts to gain
unauthorized access to a system or network of a
government or private entity or utility that
solely involve violations of consumer terms of
service or consumer licensing agreements and do
not otherwise constitute unauthorized access.
[(5) Cyber threat intelligence.--
[(A) In general.--The term ``cyber threat
intelligence'' means intelligence in the
possession of an element of the intelligence
community directly pertaining to--
[(i) a vulnerability of a system or
network of a government or private
entity or utility;
[(ii) a threat to the integrity,
confidentiality, or availability of a
system or network of a government or
private entity or utility or any
information stored on, processed on, or
transiting such a system or network;
[(iii) efforts to deny access to or
degrade, disrupt, or destroy a system
or network of a government or private
entity or utility; or
[(iv) efforts to gain unauthorized
access to a system or network of a
government or private entity or
utility, including to gain such
unauthorized access for the purpose of
exfiltrating information stored on,
processed on, or transiting a system or
network of a government or private
entity or utility.
[(B) Exclusion.--Such term does not include
intelligence pertaining to efforts to gain
unauthorized access to a system or network of a
government or private entity or utility that
solely involve violations of consumer terms of
service or consumer licensing agreements and do
not otherwise constitute unauthorized access.
[(6) Cybersecurity crime.--The term ``cybersecurity
crime'' means--
[(A) a crime under a Federal or State law
that involves--
[(i) efforts to deny access to or
degrade, disrupt, or destroy a system
or network;
[(ii) efforts to gain unauthorized
access to a system or network; or
[(iii) efforts to exfiltrate
information from a system or network
without authorization; or
[(B) the violation of a provision of Federal
law relating to computer crimes, including a
violation of any provision of title 18, United
States Code, created or amended by the Computer
Fraud and Abuse Act of 1986 (Public Law 99-
474).
[(7) Cybersecurity provider.--The term
``cybersecurity provider'' means a non-Federal entity
that provides goods or services intended to be used for
cybersecurity purposes.
[(8) Cybersecurity purpose.--
[(A) In general.--The term ``cybersecurity
purpose'' means the purpose of ensuring the
integrity, confidentiality, or availability of,
or safeguarding, a system or network, including
protecting a system or network from--
[(i) a vulnerability of a system or
network;
[(ii) a threat to the integrity,
confidentiality, or availability of a
system or network or any information
stored on, processed on, or transiting
such a system or network;
[(iii) efforts to deny access to or
degrade, disrupt, or destroy a system
or network; or
[(iv) efforts to gain unauthorized
access to a system or network,
including to gain such unauthorized
access for the purpose of exfiltrating
information stored on, processed on, or
transiting a system or network.
[(B) Exclusion.--Such term does not include
the purpose of protecting a system or network
from efforts to gain unauthorized access to
such system or network that solely involve
violations of consumer terms of service or
consumer licensing agreements and do not
otherwise constitute unauthorized access.
[(9) Cybersecurity system.--
[(A) In general.--The term ``cybersecurity
system'' means a system designed or employed to
ensure the integrity, confidentiality, or
availability of, or safeguard, a system or
network, including protecting a system or
network from--
[(i) a vulnerability of a system or
network;
[(ii) a threat to the integrity,
confidentiality, or availability of a
system or network or any information
stored on, processed on, or transiting
such a system or network;
[(iii) efforts to deny access to or
degrade, disrupt, or destroy a system
or network; or
[(iv) efforts to gain unauthorized
access to a system or network,
including to gain such unauthorized
access for the purpose of exfiltrating
information stored on, processed on, or
transiting a system or network.
[(B) Exclusion.--Such term does not include a
system designed or employed to protect a system
or network from efforts to gain unauthorized
access to such system or network that solely
involve violations of consumer terms of service
or consumer licensing agreements and do not
otherwise constitute unauthorized access.
[(10) Integrity.--The term ``integrity'' means
guarding against improper information modification or
destruction, including ensuring information
nonrepudiation and authenticity.
[(11) Protected entity.--The term ``protected
entity'' means an entity, other than an individual,
that contracts with a cybersecurity provider for goods
or services to be used for cybersecurity purposes.
[(12) Self-protected entity.--The term ``self-
protected entity'' means an entity, other than an
individual, that provides goods or services for
cybersecurity purposes to itself.
[(13) Utility.--The term ``utility'' means an entity
providing essential services (other than law
enforcement or regulatory services), including
electricity, natural gas, propane, telecommunications,
transportation, water, or wastewater services.]
Disclosure of Directed Rule Making
The Committee estimates that H.R. 624 specifically directs
no specific rule makings to be completed within the meaning of
5 U.S.C. 551.
Duplication of Federal Programs
H.R. 624 does not duplicate or reauthorize an established
Federal program that was included in any report from the
Government Accountability Office to Congress pursuant to
section 21 of Public Law 111-139, or a program related to a
program identified in the most recent Catalog of Federal
Domestic Assistance.
ADDITIONAL VIEWS
The United States faces a serious and growing threat to our
cyber security. We support the creation of mechanisms to
facilitate greater sharing of cybersecurity information between
the government and private sector. There is an urgent need to
ensure that timely, actionable information is shared between
the private sector and the government so that we can secure our
networks against attacks and intrusion by state and non-state
actors.
We support the intent of the Cyber Intelligence Sharing and
Protection Act (H.R. 624), but we are disappointed in some
aspects of it and believe that it can be improved to better
protect privacy and civil liberties, while still working
effectively to enhance cybersecurity. While the Committee did
adopt meaningful improvements that are helpful, we are
disappointed that the Committee rejected a proposed amendment
that would have required private sector entities to make
``reasonable efforts'' to remove Personally Identifiable
Information (PII) unrelated to the cybersecurity threat. This
requirement was included in proposals that enjoyed bipartisan
support in the Senate, as well as in draft legislation
submitted to Congress by the White House in 2011.
In the Committee's hearing on H.R. 624 on February 15,
2013, witnesses representing the private sector stated clearly
that removing PII prior to providing it to the government is
technically feasible and not an onerous requirement. One
witness testified that such a requirement was ``reasonable,''
while another witness stated that, ``The provider of the
information is in the best position to anonymize it.''
Moreover, witnesses made it clear that PII is rarely if ever
relevant to responding to a cybersecurity threat, with one
witness informing the Committee that, ``I have never seen a
package of threat intelligence that's actionable that also
includes [PII].''
In addition, we believe that concerns regarding privacy and
civil liberties should be addressed by requiring that civilian
agencies, including the Department of Homeland Security, serve
as the primary points of contact with the private sector,
particularly in receiving information. Elements of the
Intelligence Community within the Department of Defense have
important technical expertise that should be harnessed to
improve cybersecurity, but they should not be the initial
recipient of cyber security information. Allowing information
to go directly to military agencies significantly departs from
longstanding efforts to treat the Internet and cyberspace as
civilian spheres.
We are also concerned that the liability shield provided in
the bill is overly broad and fails to provide reasonable
protections for consumers. While important improvements were
made in markup, we remain concerned that the broad scope of the
shield may allow cybersecurity entities to claim immunity even
if injuries are the result of neglect or recklessness.
We strongly support the need to secure our public and
private systems from the constant, malicious attacks of foreign
and domestic hackers, and we believe that information sharing
is an important aspect of enhanced cybersecurity. We appreciate
the changes already made to H.R. 624, and we hope that as the
bill moves forward additional improvements can be made.
Adam B. Schiff.
James Himes.
Janice Schakowsky.
Luis V. Gutierrez.