Union Calendar No. 44
114th CONGRESS
1st Session
H. R. 1560
[Report No. 114-63]
To improve cybersecurity in the United States through enhanced sharing
of information about cybersecurity threats, and for other purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
March 24, 2015
Mr. Nunes (for himself, Mr. Schiff, Mr. Westmoreland, and Mr. Himes)
introduced the following bill; which was referred to the Select
Committee on Intelligence (Permanent Select)
April 13, 2015
Additional sponsors: Mr. King of New York, Mr. LoBiondo, Ms. Sewell of
Alabama, Mr. Quigley, and Mr. Murphy of Florida
April 13, 2015
Reported with an amendment, committed to the Committee of the Whole
House on the State of the Union, and ordered to be printed
[Strike out all after the enacting clause and insert the part printed
in italic]
[For text of introduced bill, see copy of bill as introduced on March
24, 2015]
_______________________________________________________________________
A BILL
To improve cybersecurity in the United States through enhanced sharing
of information about cybersecurity threats, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) Short Title.--This Act may be cited as the ``Protecting Cyber
Networks Act''.
(b) Table of Contents.--The table of contents of this Act is as
follows:
Sec. 1. Short title; table of contents.
Sec. 2. Sharing of cyber threat indicators and defensive measures by
the Federal Government with non-Federal
entities.
Sec. 3. Authorizations for preventing, detecting, analyzing, and
mitigating cybersecurity threats.
Sec. 4. Sharing of cyber threat indicators and defensive measures with
appropriate Federal entities other than the
Department of Defense or the National
Security Agency.
Sec. 5. Federal Government liability for violations of privacy or civil
liberties.
Sec. 6. Protection from liability.
Sec. 7. Oversight of Government activities.
Sec. 8. Report on cybersecurity threats.
Sec. 9. Construction and preemption.
Sec. 10. Conforming amendments.
Sec. 11. Definitions.
SEC. 2. SHARING OF CYBER THREAT INDICATORS AND DEFENSIVE MEASURES BY
THE FEDERAL GOVERNMENT WITH NON-FEDERAL ENTITIES.
(a) In General.--Title I of the National Security Act of 1947 (50
U.S.C. 3021 et seq.) is amended by inserting after section 110 (50
U.S.C. 3045) the following new section:
``SEC. 111. SHARING OF CYBER THREAT INDICATORS AND DEFENSIVE MEASURES
BY THE FEDERAL GOVERNMENT WITH NON-FEDERAL ENTITIES.
``(a) Sharing by the Federal Government.--
``(1) In general.--Consistent with the protection of
classified information, intelligence sources and methods, and
privacy and civil liberties, the Director of National
Intelligence, in consultation with the heads of the other
appropriate Federal entities, shall develop and promulgate
procedures to facilitate and promote--
``(A) the timely sharing of classified cyber threat
indicators in the possession of the Federal Government
with representatives of relevant non-Federal entities
with appropriate security clearances;
``(B) the timely sharing with relevant non-Federal
entities of cyber threat indicators in the possession
of the Federal Government that may be declassified and
shared at an unclassified level; and
``(C) the sharing with non-Federal entities, if
appropriate, of information in the possession of the
Federal Government about imminent or ongoing
cybersecurity threats to such entities to prevent or
mitigate adverse impacts from such cybersecurity
threats.
``(2) Development of procedures.--The procedures developed
and promulgated under paragraph (1) shall--
``(A) ensure the Federal Government has and
maintains the capability to share cyber threat
indicators in real time consistent with the protection
of classified information;
``(B) incorporate, to the greatest extent
practicable, existing processes and existing roles and
responsibilities of Federal and non-Federal entities
for information sharing by the Federal Government,
including sector-specific information sharing and
analysis centers;
``(C) include procedures for notifying non-Federal
entities that have received a cyber threat indicator
from a Federal entity in accordance with this Act that
is known or determined to be in error or in
contravention of the requirements of this section, the
Protecting Cyber Networks Act, or the amendments made
by such Act or another provision of Federal law or
policy of such error or contravention;
``(D) include requirements for Federal entities
receiving a cyber threat indicator or defensive measure
to implement appropriate security controls to protect
against unauthorized access to, or acquisition of, such
cyber threat indicator or defensive measure;
``(E) include procedures that require Federal
entities, prior to the sharing of a cyber threat
indicator, to--
``(i) review such cyber threat indicator to
assess whether such cyber threat indicator, in
contravention of the requirement under section
3(d)(2) of the Protecting Cyber Networks Act,
contains any information that such Federal
entity knows at the time of sharing to be
personal information of or information
identifying a specific person not directly
related to a cybersecurity threat and remove
such information; or
``(ii) implement a technical capability
configured to remove or exclude any personal
information of or information identifying a
specific person not directly related to a
cybersecurity threat; and
``(F) include procedures to promote the efficient
granting of security clearances to appropriate
representatives of non-Federal entities.
``(b) Definitions.--In this section, the terms `appropriate Federal
entities', `cyber threat indicator', `defensive measure', `Federal
entity', and `non-Federal entity' have the meaning given such terms in
section 11 of the Protecting Cyber Networks Act.''.
(b) Submittal to Congress.--Not later than 90 days after the date
of the enactment of this Act, the Director of National Intelligence, in
consultation with the heads of the other appropriate Federal entities,
shall submit to Congress the procedures required by section 111(a) of
the National Security Act of 1947, as inserted by subsection (a) of
this section.
(c) Table of Contents Amendment.--The table of contents in the
first section of the National Security Act of 1947 is amended by
inserting after the item relating to section 110 the following new
item:
``Sec. 111. Sharing of cyber threat indicators and defensive measures
by the Federal Government with non-Federal
entities.''.
SEC. 3. AUTHORIZATIONS FOR PREVENTING, DETECTING, ANALYZING, AND
MITIGATING CYBERSECURITY THREATS.
(a) Authorization for Private-sector Defensive Monitoring.--
(1) In general.--Notwithstanding any other provision of
law, a private entity may, for a cybersecurity purpose,
monitor--
(A) an information system of such private entity;
(B) an information system of a non-Federal entity
or a Federal entity, upon the written authorization of
such non-Federal entity or such Federal entity; and
(C) information that is stored on, processed by, or
transiting an information system monitored by the
private entity under this paragraph.
(2) Construction.--Nothing in this subsection shall be
construed to--
(A) authorize the monitoring of an information
system, or the use of any information obtained through
such monitoring, other than as provided in this Act;
(B) authorize the Federal Government to conduct
surveillance of any person; or
(C) limit otherwise lawful activity.
(b) Authorization for Operation of Defensive Measures.--
(1) In general.--Except as provided in paragraph (2) and
notwithstanding any other provision of law, a private entity
may, for a cybersecurity purpose, operate a defensive measure
that is operated on and is limited to--
(A) an information system of such private entity to
protect the rights or property of the private entity;
and
(B) an information system of a non-Federal entity
or a Federal entity upon written authorization of such
non-Federal entity or such Federal entity for operation
of such defensive measure to protect the rights or
property of such private entity, such non-Federal
entity, or such Federal entity.
(2) Limitation.--The authority provided in paragraph (1)
does not include the intentional or reckless operation of any
defensive measure that destroys, renders unusable or
inaccessible (in whole or in part), substantially harms, or
initiates a new action, process, or procedure on an information
system or information stored on, processed by, or transiting
such information system not owned by--
(A) the private entity operating such defensive
measure; or
(B) a non-Federal entity or a Federal entity that
has provided written authorization to that private
entity for operation of such defensive measure on the
information system or information of the entity in
accordance with this subsection.
(3) Construction.--Nothing in this subsection shall be
construed--
(A) to authorize the use of a defensive measure
other than as provided in this subsection; or
(B) to limit otherwise lawful activity.
(c) Authorization for Sharing or Receiving Cyber Threat Indicators
or Defensive Measures.--
(1) In general.--Except as provided in paragraph (2) and
notwithstanding any other provision of law, a non-Federal
entity may, for a cybersecurity purpose and consistent with the
requirement under subsection (d)(2) to remove personal
information of or information identifying a specific person not
directly related to a cybersecurity threat and the protection
of classified information--
(A) share a lawfully obtained cyber threat
indicator or defensive measure with any other non-
Federal entity or an appropriate Federal entity (other
than the Department of Defense or any component of the
Department, including the National Security Agency);
and
(B) receive a cyber threat indicator or defensive
measure from any other non-Federal entity or an
appropriate Federal entity.
(2) Lawful restriction.--A non-Federal entity receiving a
cyber threat indicator or defensive measure from another non-
Federal entity or a Federal entity shall comply with otherwise
lawful restrictions placed on the sharing or use of such cyber
threat indicator or defensive measure by the sharing non-
Federal entity or Federal entity.
(3) Construction.--Nothing in this subsection shall be
construed to--
(A) authorize the sharing or receiving of a cyber
threat indicator or defensive measure other than as
provided in this subsection;
(B) authorize the sharing or receiving of
classified information by or with any person not
authorized to access such classified information;
(C) prohibit any Federal entity from engaging in
formal or informal technical discussion regarding cyber
threat indicators or defensive measures with a non-
Federal entity or from providing technical assistance
to address vulnerabilities or mitigate threats at the
request of such an entity;
(D) limit otherwise lawful activity;
(E) prohibit a non-Federal entity, if authorized by
applicable law or regulation other than this Act, from
sharing a cyber threat indicator or defensive measure
with the Department of Defense or any component of the
Department, including the National Security Agency; or
(F) authorize the Federal Government to conduct
surveillance of any person.
(d) Protection and Use of Information.--
(1) Security of information.--A non-Federal entity
monitoring an information system, operating a defensive
measure, or providing or receiving a cyber threat indicator or
defensive measure under this section shall implement an
appropriate security control to protect against unauthorized
access to, or acquisition of, such cyber threat indicator or
defensive measure.
(2) Removal of certain personal information.--A non-Federal
entity sharing a cyber threat indicator pursuant to this Act
shall, prior to such sharing, take reasonable efforts to--
(A) review such cyber threat indicator to assess
whether such cyber threat indicator contains any
information that the non-Federal entity reasonably
believes at the time of sharing to be personal
information of or information identifying a specific
person not directly related to a cybersecurity threat
and remove such information; or
(B) implement a technical capability configured to
remove any information contained within such indicator
that the non-Federal entity reasonably believes at the
time of sharing to be personal information of or
information identifying a specific person not directly
related to a cybersecurity threat.
(3) Use of cyber threat indicators and defensive measures
by non-federal entities.--A non-Federal entity may, for a
cybersecurity purpose--
(A) use a cyber threat indicator or defensive
measure shared or received under this section to
monitor or operate a defensive measure on--
(i) an information system of such non-
Federal entity; or
(ii) an information system of another non-
Federal entity or a Federal entity upon the
written authorization of that other non-Federal
entity or that Federal entity; and
(B) otherwise use, retain, and further share such
cyber threat indicator or defensive measure subject
to--
(i) an otherwise lawful restriction placed
by the sharing non-Federal entity or Federal
entity on such cyber threat indicator or
defensive measure; or
(ii) an otherwise applicable provision of
law.
(4) Use of cyber threat indicators by state, tribal, or
local government.--
(A) Law enforcement use.--A State, tribal, or local
government may use a cyber threat indicator shared with
such State, tribal, or local government for the
purposes described in clauses (i), (ii), and (iii) of
section 4(d)(5)(A).
(B) Exemption from disclosure.--A cyber threat
indicator shared with a State, tribal, or local
government under this section shall be--
(i) deemed voluntarily shared information;
and
(ii) exempt from disclosure under any
State, tribal, or local law requiring
disclosure of information or records, except as
otherwise required by applicable State, tribal,
or local law requiring disclosure in any
criminal prosecution.
(e) No Right or Benefit.--The sharing of a cyber threat indicator
with a non-Federal entity under this Act shall not create a right or
benefit to similar information by such non-Federal entity or any other
non-Federal entity.
SEC. 4. SHARING OF CYBER THREAT INDICATORS AND DEFENSIVE MEASURES WITH
APPROPRIATE FEDERAL ENTITIES OTHER THAN THE DEPARTMENT OF
DEFENSE OR THE NATIONAL SECURITY AGENCY.
(a) Requirement for Policies and Procedures.--
(1) In general.--Section 111 of the National Security Act
of 1947, as inserted by section 2 of this Act, is amended--
(A) by redesignating subsection (b) as subsection
(c); and
(B) by inserting after subsection (a) the following
new subsection:
``(b) Policies and Procedures for Sharing With the Appropriate
Federal Entities Other Than the Department of Defense or the National
Security Agency.--
``(1) Establishment.--The President shall develop and
submit to Congress policies and procedures relating to the
receipt of cyber threat indicators and defensive measures by
the Federal Government.
``(2) Requirements concerning policies and procedures.--The
policies and procedures required under paragraph (1) shall--
``(A) be developed in accordance with the privacy
and civil liberties guidelines required under section
4(b) of the Protecting Cyber Networks Act;
``(B) ensure that--
``(i) a cyber threat indicator shared by a
non-Federal entity with an appropriate Federal
entity (other than the Department of Defense or
any component of the Department, including the
National Security Agency) pursuant to section 3
of such Act is shared in real-time with all of
the appropriate Federal entities (including all
relevant components thereof);
``(ii) the sharing of such cyber threat
indicator with appropriate Federal entities is
not subject to any delay, modification, or any
other action without good cause that could
impede receipt by all of the appropriate
Federal entities; and
``(iii) such cyber threat indicator is
provided to each other Federal entity to which
such cyber threat indicator is relevant; and
``(C) ensure there--
``(i) is an audit capability; and
``(ii) are appropriate sanctions in place
for officers, employees, or agents of a Federal
entity who knowingly and willfully use a cyber
threat indicator or defense measure shared with
the Federal Government by a non-Federal entity
under the Protecting Cyber Networks Act other
than in accordance with this section and such
Act.''.
(2) Submission.--The President shall submit to Congress--
(A) not later than 90 days after the date of the
enactment of this Act, interim policies and procedures
required under section 111(b)(1) of the National
Security Act of 1947, as inserted by paragraph (1) of
this section; and
(B) not later than 180 days after such date, final
policies and procedures required under such section
111(b)(1).
(b) Privacy and Civil Liberties.--
(1) Guidelines of attorney general.--The Attorney General,
in consultation with the heads of the other appropriate Federal
agencies and with officers designated under section 1062 of the
Intelligence Reform and Terrorism Prevention Act of 2004 (42
U.S.C. 2000ee-1), shall develop and periodically review
guidelines relating to privacy and civil liberties that govern
the receipt, retention, use, and dissemination of cyber threat
indicators by a Federal entity obtained in accordance with this
Act and the amendments made by this Act.
(2) Content.--The guidelines developed and reviewed under
paragraph (1) shall, consistent with the need to protect
information systems from cybersecurity threats and mitigate
cybersecurity threats--
(A) limit the impact on privacy and civil liberties
of activities by the Federal Government under this Act,
including guidelines to ensure that personal
information of or information identifying specific
persons is properly removed from information received,
retained, used, or disseminated by a Federal entity in
accordance with this Act or the amendments made by this
Act;
(B) limit the receipt, retention, use, and
dissemination of cyber threat indicators containing
personal information of or information identifying
specific persons, including by establishing--
(i) a process for the prompt destruction of
such information that is known not to be
directly related to a use for a cybersecurity
purpose;
(ii) specific limitations on the length of
any period in which a cyber threat indicator
may be retained; and
(iii) a process to inform recipients that
such indicators may only be used for a
cybersecurity purpose;
(C) include requirements to safeguard cyber threat
indicators containing personal information of or
identifying specific persons from unauthorized access
or acquisition, including appropriate sanctions for
activities by officers, employees, or agents of the
Federal Government in contravention of such guidelines;
(D) include procedures for notifying non-Federal
entities and Federal entities if information received
pursuant to this section is known or determined by a
Federal entity receiving such information not to
constitute a cyber threat indicator;
(E) be consistent with any other applicable
provisions of law and the fair information practice
principles set forth in appendix A of the document
entitled ``National Strategy for Trusted Identities in
Cyberspace'' and published by the President in April,
2011; and
(F) include steps that may be needed so that
dissemination of cyber threat indicators is consistent
with the protection of classified information and other
sensitive national security information.
(3) Submission.--The Attorney General shall submit to
Congress--
(A) not later than 90 days after the date of the
enactment of this Act, interim guidelines required
under paragraph (1); and
(B) not later than 180 days after such date, final
guidelines required under such paragraph.
(c) National Cyber Threat Intelligence Integration Center.--
(1) Establishment.--Title I of the National Security Act of
1947 (50 U.S.C. 3021 et seq.), as amended by section 2 of this
Act, is further amended--
(A) by redesignating section 119B as section 119C;
and
(B) by inserting after section 119A the following
new section:
``SEC. 119B. CYBER THREAT INTELLIGENCE INTEGRATION CENTER.
``(a) Establishment.--There is within the Office of the Director of
National Intelligence a Cyber Threat Intelligence Integration Center.
``(b) Director.--There is a Director of the Cyber Threat
Intelligence Integration Center, who shall be the head of the Cyber
Threat Intelligence Integration Center, and who shall be appointed by
the Director of National Intelligence.
``(c) Primary Missions.--The Cyber Threat Intelligence Integration
Center shall--
``(1) serve as the primary organization within the Federal
Government for analyzing and integrating all intelligence
possessed or acquired by the United States pertaining to cyber
threats;
``(2) ensure that appropriate departments and agencies have
full access to and receive all-source intelligence support
needed to execute the cyber threat intelligence activities of
such agencies and to perform independent, alternative analyses;
``(3) disseminate cyber threat analysis to the President,
the appropriate departments and agencies of the Federal
Government, and the appropriate committees of Congress;
``(4) coordinate cyber threat intelligence activities of
the departments and agencies of the Federal Government; and
``(5) conduct strategic cyber threat intelligence planning
for the Federal Government.
``(d) Limitations.--The Cyber Threat Intelligence Integration
Center shall--
``(1) have not more than 50 permanent positions;
``(2) in carrying out the primary missions of the Center
described in subsection (c), may not augment staffing through
detailees, assignees, or core contractor personnel or enter
into any personal services contracts to exceed the limitation
under paragraph (1); and
``(3) be located in a building owned or operated by an
element of the intelligence community as of the date of the
enactment of this section.''.
(2) Table of contents amendments.--The table of contents in
the first section of the National Security Act of 1947, as
amended by section 2 of this Act, is further amended by
striking the item relating to section 119B and inserting the
following new items:
``Sec. 119B. Cyber Threat Intelligence Integration Center.
``Sec. 119C. National intelligence centers.''.
(d) Information Shared With or Provided to the Federal
Government.--
(1) No waiver of privilege or protection.--The provision of
a cyber threat indicator or defensive measure to the Federal
Government under this Act shall not constitute a waiver of any
applicable privilege or protection provided by law, including
trade secret protection.
(2) Proprietary information.--Consistent with section
3(c)(2), a cyber threat indicator or defensive measure provided
by a non-Federal entity to the Federal Government under this
Act shall be considered the commercial, financial, and
proprietary information of the non-Federal entity that is the
originator of such cyber threat indicator or defensive measure
when so designated by such non-Federal entity or a non-Federal
entity acting in accordance with the written authorization of
the non-Federal entity that is the originator of such cyber
threat indicator or defensive measure.
(3) Exemption from disclosure.--A cyber threat indicator or
defensive measure provided to the Federal Government under this
Act shall be--
(A) deemed voluntarily shared information and
exempt from disclosure under section 552 of title 5,
United States Code, and any State, tribal, or local law
requiring disclosure of information or records; and
(B) withheld, without discretion, from the public
under section 552(b)(3)(B) of title 5, United States
Code, and any State, tribal, or local provision of law
requiring disclosure of information or records, except
as otherwise required by applicable Federal, State,
tribal, or local law requiring disclosure in any
criminal prosecution.
(4) Ex parte communications.--The provision of a cyber
threat indicator or defensive measure to the Federal Government
under this Act shall not be subject to a rule of any Federal
department or agency or any judicial doctrine regarding ex
parte communications with a decision-making official.
(5) Disclosure, retention, and use.--
(A) Authorized activities.--A cyber threat
indicator or defensive measure provided to the Federal
Government under this Act may be disclosed to, retained
by, and used by, consistent with otherwise applicable
provisions of Federal law, any department, agency,
component, officer, employee, or agent of the Federal
Government solely for--
(i) a cybersecurity purpose;
(ii) the purpose of responding to,
prosecuting, or otherwise preventing or
mitigating a threat of death or serious bodily
harm or an offense arising out of such a
threat;
(iii) the purpose of responding to, or
otherwise preventing or mitigating, a serious
threat to a minor, including sexual
exploitation and threats to physical safety; or
(iv) the purpose of preventing,
investigating, disrupting, or prosecuting any
of the offenses listed in sections 1028, 1029,
1030, and 3559(c)(2)(F) and chapters 37 and 90
of title 18, United States Code.
(B) Prohibited activities.--A cyber threat
indicator or defensive measure provided to the Federal
Government under this Act shall not be disclosed to,
retained by, or used by any Federal department or
agency for any use not permitted under subparagraph
(A).
(C) Privacy and civil liberties.--A cyber threat
indicator or defensive measure provided to the Federal
Government under this Act shall be retained, used, and
disseminated by the Federal Government in accordance
with--
(i) the policies and procedures relating to
the receipt of cyber threat indicators and
defensive measures by the Federal Government
required by subsection (b) of section 111 of
the National Security Act of 1947, as added by
subsection (a) of this section; and
(ii) the privacy and civil liberties
guidelines required by subsection (b).
SEC. 5. FEDERAL GOVERNMENT LIABILITY FOR VIOLATIONS OF PRIVACY OR CIVIL
LIBERTIES.
(a) In General.--If a department or agency of the Federal
Government intentionally or willfully violates the privacy and civil
liberties guidelines issued by the Attorney General under section 4(b),
the United States shall be liable to a person injured by such violation
in an amount equal to the sum of--
(1) the actual damages sustained by the person as a result
of the violation or $1,000, whichever is greater; and
(2) reasonable attorney fees as determined by the court and
other litigation costs reasonably incurred in any case under
this subsection in which the complainant has substantially
prevailed.
(b) Venue.--An action to enforce liability created under this
section may be brought in the district court of the United States in--
(1) the district in which the complainant resides;
(2) the district in which the principal place of business
of the complainant is located;
(3) the district in which the department or agency of the
Federal Government that violated such privacy and civil
liberties guidelines is located; or
(4) the District of Columbia.
(c) Statute of Limitations.--No action shall lie under this
subsection unless such action is commenced not later than two years
after the date of the violation of the privacy and civil liberties
guidelines issued by the Attorney General under section 4(b) that is
the basis for the action.
(d) Exclusive Cause of Action.--A cause of action under this
subsection shall be the exclusive means available to a complainant
seeking a remedy for a violation by a department or agency of the
Federal Government under this Act.
SEC. 6. PROTECTION FROM LIABILITY.
(a) Monitoring of Information Systems.--No cause of action shall
lie or be maintained in any court against any private entity, and such
action shall be promptly dismissed, for the monitoring of an
information system and information under section 3(a) that is conducted
in good faith in accordance with this Act and the amendments made by
this Act.
(b) Sharing or Receipt of Cyber Threat Indicators.--No cause of
action shall lie or be maintained in any court against any non-Federal
entity, and such action shall be promptly dismissed, for the sharing or
receipt of a cyber threat indicator or defensive measure under section
3(c), or a good faith failure to act based on such sharing or receipt,
if such sharing or receipt is conducted in good faith in accordance
with this Act and the amendments made by this Act.
(c) Willful Misconduct.--
(1) Rule of construction.--Nothing in this section shall be
construed--
(A) to require dismissal of a cause of action
against a non-Federal entity (including a private
entity) that has engaged in willful misconduct in the
course of conducting activities authorized by this Act
or the amendments made by this Act; or
(B) to undermine or limit the availability of
otherwise applicable common law or statutory defenses.
(2) Proof of willful misconduct.--In any action claiming
that subsection (a) or (b) does not apply due to willful
misconduct described in paragraph (1), the plaintiff shall have
the burden of proving by clear and convincing evidence the
willful misconduct by each non-Federal entity subject to such
claim and that such willful misconduct proximately caused
injury to the plaintiff.
(3) Willful misconduct defined.--In this subsection, the
term ``willful misconduct'' means an act or omission that is
taken--
(A) intentionally to achieve a wrongful purpose;
(B) knowingly without legal or factual
justification; and
(C) in disregard of a known or obvious risk that is
so great as to make it highly probable that the harm
will outweigh the benefit.
SEC. 7. OVERSIGHT OF GOVERNMENT ACTIVITIES.
(a) Biennial Report on Implementation.--
(1) In general.--Section 111 of the National Security Act
of 1947, as added by section 2(a) and amended by section 4(a)
of this Act, is further amended--
(A) by redesignating subsection (c) (as
redesignated by such section 4(a)) as subsection (d);
and
(B) by inserting after subsection (b) (as inserted
by such section 4(a)) the following new subsection:
``(c) Biennial Report on Implementation.--
``(1) In general.--Not less frequently than once every two
years, the Director of National Intelligence, in consultation
with the heads of the other appropriate Federal entities, shall
submit to Congress a report concerning the implementation of
this section and the Protecting Cyber Networks Act.
``(2) Contents.--Each report submitted under paragraph (1)
shall include the following:
``(A) An assessment of the sufficiency of the
policies, procedures, and guidelines required by this
section and section 4 of the Protecting Cyber Networks
Act in ensuring that cyber threat indicators are shared
effectively and responsibly within the Federal
Government.
``(B) An assessment of whether the procedures
developed under section 3 of such Act comply with the
goals described in subparagraphs (A), (B), and (C) of
subsection (a)(1).
``(C) An assessment of whether cyber threat
indicators have been properly classified and an
accounting of the number of security clearances
authorized by the Federal Government for the purposes
of this section and such Act.
``(D) A review of the type of cyber threat
indicators shared with the Federal Government under
this section and such Act, including the following:
``(i) The degree to which such information
may impact the privacy and civil liberties of
specific persons.
``(ii) A quantitative and qualitative
assessment of the impact of the sharing of such
cyber threat indicators with the Federal
Government on privacy and civil liberties of
specific persons.
``(iii) The adequacy of any steps taken by
the Federal Government to reduce such impact.
``(E) A review of actions taken by the Federal
Government based on cyber threat indicators shared with
the Federal Government under this section or such Act,
including the appropriateness of any subsequent use or
dissemination of such cyber threat indicators by a
Federal entity under this section or section 4 of such
Act.
``(F) A description of any significant violations
of the requirements of this section or such Act by the
Federal Government--
``(i) an assessment of all reports of
officers, employees, and agents of the Federal
Government misusing information provided to the
Federal Government under the Protecting Cyber
Networks Act or this section, without regard to
whether the misuse was knowing or wilful; and
``(ii) an assessment of all disciplinary
actions taken against such officers, employees,
and agents.
``(G) A summary of the number and type of non-
Federal entities that received classified cyber threat
indicators from the Federal Government under this
section or such Act and an evaluation of the risks and
benefits of sharing such cyber threat indicators.
``(H) An assessment of any personal information of
or information identifying a specific person not
directly related to a cybersecurity threat that--
``(i) was shared by a non-Federal entity
with the Federal Government under this Act in
contravention of section 3(d)(2); or
``(ii) was shared within the Federal
Government under this Act in contravention of
the guidelines required by section 4(b).
``(3) Recommendations.--Each report submitted under
paragraph (1) may include such recommendations as the heads of
the appropriate Federal entities may have for improvements or
modifications to the authorities and processes under this
section or such Act.
``(4) Form of report.--Each report required by paragraph
(1) shall be submitted in unclassified form, but may include a
classified annex.
``(5) Public availability of reports.--The Director of
National Intelligence shall make publicly available the
unclassified portion of each report required by paragraph
(1).''.
(2) Initial report.--The first report required under
subsection (c) of section 111 of the National Security Act of
1947, as inserted by paragraph (1) of this subsection, shall be
submitted not later than one year after the date of the
enactment of this Act.
(b) Reports on Privacy and Civil Liberties.--
(1) Biennial report from privacy and civil liberties
oversight board.--
(A) In general.--Section 1061(e) of the
Intelligence Reform and Terrorism Prevention Act of
2004 (42 U.S.C. 2000ee(e)) is amended by adding at the
end the following new paragraph:
``(3) Biennial report on certain cyber activities.--
``(A) Report required.--The Privacy and Civil
Liberties Oversight Board shall biennially submit to
Congress and the President a report containing--
``(i) an assessment of the privacy and
civil liberties impact of the activities
carried out under the Protecting Cyber Networks
Act and the amendments made by such Act; and
``(ii) an assessment of the sufficiency of
the policies, procedures, and guidelines
established pursuant to section 4 of the
Protecting Cyber Networks Act and the
amendments made by such section 4 in addressing
privacy and civil liberties concerns.
``(B) Recommendations.--Each report submitted under
this paragraph may include such recommendations as the
Privacy and Civil Liberties Oversight Board may have
for improvements or modifications to the authorities
under the Protecting Cyber Networks Act or the
amendments made by such Act.
``(C) Form.--Each report required under this
paragraph shall be submitted in unclassified form, but
may include a classified annex.
``(D) Public availability of reports.--The Privacy
and Civil Liberties Oversight Board shall make publicly
available the unclassified portion of each report
required by subparagraph (A).''.
(B) Initial report.--The first report required
under paragraph (3) of section 1061(e) of the
Intelligence Reform and Terrorism Prevention Act of
2004 (42 U.S.C. 2000ee(e)), as added by subparagraph
(A) of this paragraph, shall be submitted not later
than 2 years after the date of the enactment of this
Act.
(2) Biennial report of inspectors general.--
(A) In general.--Not later than 2 years after the
date of the enactment of this Act and not less
frequently than once every 2 years thereafter, the
Inspector General of the Department of Homeland
Security, the Inspector General of the Intelligence
Community, the Inspector General of the Department of
Justice, and the Inspector General of the Department of
Defense, in consultation with the Council of Inspectors
General on Financial Oversight, shall jointly submit to
Congress a report on the receipt, use, and
dissemination of cyber threat indicators and defensive
measures that have been shared with Federal entities
under this Act and the amendments made by this Act.
(B) Contents.--Each report submitted under
subparagraph (A) shall include the following:
(i) A review of the types of cyber threat
indicators shared with Federal entities.
(ii) A review of the actions taken by
Federal entities as a result of the receipt of
such cyber threat indicators.
(iii) A list of Federal entities receiving
such cyber threat indicators.
(iv) A review of the sharing of such cyber
threat indicators among Federal entities to
identify inappropriate barriers to sharing
information.
(C) Recommendations.--Each report submitted under
this paragraph may include such recommendations as the
Inspectors General referred to in subparagraph (A) may
have for improvements or modifications to the
authorities under this Act or the amendments made by
this Act.
(D) Form.--Each report required under this
paragraph shall be submitted in unclassified form, but
may include a classified annex.
(E) Public availability of reports.--The Inspector
General of the Department of Homeland Security, the
Inspector General of the Intelligence Community, the
Inspector General of the Department of Justice, and the
Inspector General of the Department of Defense shall
make publicly available the unclassified portion of
each report required under subparagraph (A).
SEC. 8. REPORT ON CYBERSECURITY THREATS.
(a) Report Required.--Not later than 180 days after the date of the
enactment of this Act, the Director of National Intelligence, in
consultation with the heads of other appropriate elements of the
intelligence community, shall submit to the Select Committee on
Intelligence of the Senate and the Permanent Select Committee on
Intelligence of the House of Representatives a report on cybersecurity
threats, including cyber attacks, theft, and data breaches.
(b) Contents.--The report required by subsection (a) shall include
the following:
(1) An assessment of--
(A) the current intelligence sharing and
cooperation relationships of the United States with
other countries regarding cybersecurity threats
(including cyber attacks, theft, and data breaches)
directed against the United States that threaten the
United States national security interests, economy, and
intellectual property; and
(B) the relative utility of such relationships,
which elements of the intelligence community
participate in such relationships, and whether and how
such relationships could be improved.
(2) A list and an assessment of the countries and non-state
actors that are the primary threats of carrying out a
cybersecurity threat (including a cyber attack, theft, or data
breach) against the United States and that threaten the United
States national security, economy, and intellectual property.
(3) A description of the extent to which the capabilities
of the United States Government to respond to or prevent
cybersecurity threats (including cyber attacks, theft, or data
breaches) directed against the United States private sector are
degraded by a delay in the prompt notification by private
entities of such threats or cyber attacks, theft, and breaches.
(4) An assessment of additional technologies or
capabilities that would enhance the ability of the United
States to prevent and to respond to cybersecurity threats
(including cyber attacks, theft, and data breaches).
(5) An assessment of any technologies or practices utilized
by the private sector that could be rapidly fielded to assist
the intelligence community in preventing and responding to
cybersecurity threats.
(c) Form of Report.--The report required by subsection (a) shall be
submitted in unclassified form, but may include a classified annex.
(d) Public Availability of Report.--The Director of National
Intelligence shall make publicly available the unclassified portion of
the report required by subsection (a).
(e) Intelligence Community Defined.--In this section, the term
``intelligence community'' has the meaning given that term in section 3
of the National Security Act of 1947 (50 U.S.C. 3003).
SEC. 9. CONSTRUCTION AND PREEMPTION.
(a) Prohibition of Surveillance.--Nothing in this Act or the
amendments made by this Act shall be construed to authorize the
Department of Defense or the National Security Agency or any other
element of the intelligence community to target a person for
surveillance.
(b) Otherwise Lawful Disclosures.--Nothing in this Act or the
amendments made by this Act shall be construed to limit or prohibit--
(1) otherwise lawful disclosures of communications,
records, or other information, including reporting of known or
suspected criminal activity, by a non-Federal entity to any
other non-Federal entity or the Federal Government; or
(2) any otherwise lawful use of such disclosures by any
entity of the Federal government, without regard to whether
such otherwise lawful disclosures duplicate or replicate
disclosures made under this Act.
(c) Whistle Blower Protections.--Nothing in this Act or the
amendments made by this Act shall be construed to prohibit or limit the
disclosure of information protected under section 2302(b)(8) of title
5, United States Code (governing disclosures of illegality, waste,
fraud, abuse, or public health or safety threats), section 7211 of
title 5, United States Code (governing disclosures to Congress),
section 1034 of title 10, United States Code (governing disclosure to
Congress by members of the military), or any similar provision of
Federal or State law..
(d) Protection of Sources and Methods.--Nothing in this Act or the
amendments made by this Act shall be construed--
(1) as creating any immunity against, or otherwise
affecting, any action brought by the Federal Government, or any
department or agency thereof, to enforce any law, executive
order, or procedure governing the appropriate handling,
disclosure, or use of classified information;
(2) to affect the conduct of authorized law enforcement or
intelligence activities; or
(3) to modify the authority of the President or a
department or agency of the Federal Government to protect and
control the dissemination of classified information,
intelligence sources and methods, and the national security of
the United States.
(e) Relationship to Other Laws.--Nothing in this Act or the
amendments made by this Act shall be construed to affect any
requirement under any other provision of law for a non-Federal entity
to provide information to the Federal Government.
(f) Information Sharing Relationships.--Nothing in this Act or the
amendments made by this Act shall be construed--
(1) to limit or modify an existing information-sharing
relationship;
(2) to prohibit a new information-sharing relationship; or
(3) to require a new information-sharing relationship
between any non-Federal entity and the Federal Government.
(g) Preservation of Contractual Obligations and Rights.--Nothing in
this Act or the amendments made by this Act shall be construed--
(1) to amend, repeal, or supersede any current or future
contractual agreement, terms of service agreement, or other
contractual relationship between any non-Federal entities, or
between any non-Federal entity and a Federal entity; or
(2) to abrogate trade secret or intellectual property
rights of any non-Federal entity or Federal entity.
(h) Anti-tasking Restriction.--Nothing in this Act or the
amendments made by this Act shall be construed to permit the Federal
Government--
(1) to require a non-Federal entity to provide information
to the Federal Government;
(2) to condition the sharing of a cyber threat indicator
with a non-Federal entity on such non-Federal entity's
provision of a cyber threat indicator to the Federal
Government; or
(3) to condition the award of any Federal grant, contract,
or purchase on the provision of a cyber threat indicator to a
Federal entity.
(i) No Liability for Non-participation.--Nothing in this Act or the
amendments made by this Act shall be construed to subject any non-
Federal entity to liability for choosing not to engage in a voluntary
activiy authorized in this Act and the amendments made by this Act.
(j) Use and Retention of Information.--Nothing in this Act or the
amendments made by this Act shall be construed to authorize, or to
modify any existing authority of, a department or agency of the Federal
Government to retain or use any information shared under this Act or
the amendments made by this Act for any use other than permitted in
this Act or the amendments made by this Act.
(k) Federal Preemption.--
(1) In general.--This Act and the amendments made by this
Act supersede any statute or other provision of law of a State
or political subdivision of a State that restricts or otherwise
expressly regulates an activity authorized under this Act or
the amendments made by this Act.
(2) State law enforcement.--Nothing in this Act or the
amendments made by this Act shall be construed to supersede any
statute or other provision of law of a State or political
subdivision of a State concerning the use of authorized law
enforcement practices and procedures.
(l) Regulatory Authority.--Nothing in this Act or the amendments
made by this Act shall be construed--
(1) to authorize the promulgation of any regulations not
specifically authorized by this Act or the amendments made by
this Act;
(2) to establish any regulatory authority not specifically
established under this Act or the amendments made by this Act;
or
(3) to authorize regulatory actions that would duplicate or
conflict with regulatory requirements, mandatory standards, or
related processes under another provision of Federal law.
SEC. 10. CONFORMING AMENDMENTS.
Section 552(b) of title 5, United States Code, is amended--
(1) in paragraph (8), by striking ``or'' at the end;
(2) in paragraph (9), by striking ``wells.'' and inserting
``wells; or''; and
(3) by inserting after paragraph (9) the following:
``(10) information shared with or provided to the Federal
Government pursuant to the Protecting Cyber Networks Act or the
amendments made by such Act.''.
SEC. 11. DEFINITIONS.
In this Act:
(1) Agency.--The term ``agency'' has the meaning given the
term in section 3502 of title 44, United States Code.
(2) Appropriate federal entities.--The term ``appropriate
Federal entities'' means the following:
(A) The Department of Commerce.
(B) The Department of Defense.
(C) The Department of Energy.
(D) The Department of Homeland Security.
(E) The Department of Justice.
(F) The Department of the Treasury.
(G) The Office of the Director of National
Intelligence.
(3) Cybersecurity purpose.--The term ``cybersecurity
purpose'' means the purpose of protecting (including through
the use of a defensive measure) an information system or
information that is stored on, processed by, or transiting an
information system from a cybersecurity threat or security
vulnerability or identifying the source of a cybersecurity
threat.
(4) Cybersecurity threat.--
(A) In general.--Except as provided in subparagraph
(B), the term ``cybersecurity threat'' means an action,
not protected by the first amendment to the
Constitution of the United States, on or through an
information system that may result in an unauthorized
effort to adversely impact the security,
confidentiality, integrity, or availability of an
information system or information that is stored on,
processed by, or transiting an information system.
(B) Exclusion.--The term ``cybersecurity threat''
does not include any action that solely involves a
violation of a consumer term of service or a consumer
licensing agreement.
(5) Cyber threat indicator.--The term ``cyber threat
indicator'' means information or a physical object that is
necessary to describe or identify--
(A) malicious reconnaissance, including anomalous
patterns of communications that appear to be
transmitted for the purpose of gathering technical
information related to a cybersecurity threat or
security vulnerability;
(B) a method of defeating a security control or
exploitation of a security vulnerability;
(C) a security vulnerability, including anomalous
activity that appears to indicate the existence of a
security vulnerability;
(D) a method of causing a user with legitimate
access to an information system or information that is
stored on, processed by, or transiting an information
system to unwittingly enable the defeat of a security
control or exploitation of a security vulnerability;
(E) malicious cyber command and control;
(F) the actual or potential harm caused by an
incident, including a description of the information
exfiltrated as a result of a particular cybersecurity
threat; or
(G) any other attribute of a cybersecurity threat,
if disclosure of such attribute is not otherwise
prohibited by law.
(6) Defensive measure.--The term ``defensive measure''
means an action, device, procedure, technique, or other measure
executed on an information system or information that is stored
on, processed by, or transiting an information system that
prevents or mitigates a known or suspected cybersecurity threat
or security vulnerability.
(7) Federal entity.--The term ``Federal entity'' means a
department or agency of the United States or any component of
such department or agency.
(8) Information system.--The term ``information system''--
(A) has the meaning given the term in section 3502
of title 44, United States Code; and
(B) includes industrial control systems, such as
supervisory control and data acquisition systems,
distributed control systems, and programmable logic
controllers.
(9) Local government.--The term ``local government'' means
any borough, city, county, parish, town, township, village, or
other political subdivision of a State.
(10) Malicious cyber command and control.--The term
``malicious cyber command and control'' means a method for
unauthorized remote identification of, access to, or use of, an
information system or information that is stored on, processed
by, or transiting an information system.
(11) Malicious reconnaissance.--The term ``malicious
reconnaissance'' means a method for actively probing or
passively monitoring an information system for the purpose of
discerning security vulnerabilities of the information system,
if such method is associated with a known or suspected
cybersecurity threat.
(12) Monitor.--The term ``monitor'' means to acquire,
identify, scan, or otherwise possess information that is stored
on, processed by, or transiting an information system.
(13) Non-federal entity.--
(A) In general.--Except as otherwise provided in
this paragraph, the term ``non-Federal entity'' means
any private entity, non-Federal government department
or agency, or State, tribal, or local government
(including a political subdivision, department,
officer, employee, or agent thereof).
(B) Inclusions.--The term ``non-Federal entity''
includes a government department or agency (including
an officer, employee, or agent thereof) of the District
of Columbia, the Commonwealth of Puerto Rico, the
Virgin Islands, Guam, American Samoa, the Northern
Mariana Islands, and any other territory or possession
of the United States.
(C) Exclusion.--The term ``non-Federal entity''
does not include a foreign power or known agent of a
foreign power, as both terms are defined in section 101
of the Foreign Intelligence Surveillance Act of 1978
(50 U.S.C. 1801).
(14) Private entity.--
(A) In general.--Except as otherwise provided in
this paragraph, the term ``private entity'' means any
person or private group, organization, proprietorship,
partnership, trust, cooperative, corporation, or other
commercial or nonprofit entity, including an officer,
employee, or agent thereof.
(B) Inclusion.--The term ``private entity''
includes a component of a State, tribal, or local
government performing electric utility services.
(C) Exclusion.--The term ``private entity'' does
not include a foreign power as defined in section 101
of the Foreign Intelligence Surveillance Act of 1978
(50 U.S.C. 1801).
(15) Real time; real-time.--The terms ``real time'' and
``real-time'' mean a process by which an automated, machine-to-
machine system processes cyber threat indicators such that the
time in which the occurrence of an event and the reporting or
recording of it are as simultaneous as technologically and
operationally practicable.
(16) Security control.--The term ``security control'' means
the management, operational, and technical controls used to
protect against an unauthorized effort to adversely impact the
security, confidentiality, integrity, and availability of an
information system or its information.
(17) Security vulnerability.--The term ``security
vulnerability'' means any attribute of hardware, software,
process, or procedure that could enable or facilitate the
defeat of a security control.
(18) Tribal.--The term ``tribal'' has the meaning given the
term ``Indian tribe'' in section 4 of the Indian Self-
Determination and Education Assistance Act (25 U.S.C. 450b).
Union Calendar No. 44
114th CONGRESS
1st Session
H. R. 1560
[Report No. 114-63]
_______________________________________________________________________
A BILL
To improve cybersecurity in the United States through enhanced sharing
of information about cybersecurity threats, and for other purposes.
_______________________________________________________________________
April 13, 2015
Reported with an amendment, committed to the Committee of the Whole
House on the State of the Union, and ordered to be printed
