CISA – the Cybersecurity Information Sharing Act – has officially passed the Senate. While Congress is busy merging CISA with two other so-called cybersecurity bills that passed the House of Representatives, in this episode, by taking an in-depth look at the contents of all three bills, we discover that these bills are not what you’re being lead to believe.

Please support Congressional Dish:

• Click here to contribute with PayPal or Bitcoin; click the PayPal “Make it Monthly” checkbox to create a monthly subscription
• Click here to support Congressional Dish for each episode via Patreon
• Mail Contributions to:
  5753 Hwy 85 North #4576
  Crestview, FL 32536

Thank you for supporting truly independent media!

S. 754: Cybersecurity Information Sharing Act of 2015

• Passed the Senate 74-21 on October 27, 2015.
• Sponsored by Sen. Richard Burr of North Carolina
• 118 pages

Outline of the Bill

Definitions:

• “Agency” = “Any executive department, military department, Government corporation, Government controlled corporation, or other establishment in the executive branch of the Government (including the Executive Office of the President), or any independent regulatory agency, but does not include —
  • The Government Accountability Office
  • Federal Election Commission
  • The governments of the District of Columbia and of the territories and possessions of the United States, and their various subdivisions
  • Government-owned contractor-operated facilities, including laboratories engaged in national defense research and production activities
• “Cybersecurity threat” = An action “not protected by the First Amendment to the Constitution” that “may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system.”
  • A “cybersecurity threat” does not include “any action that soley involves a violation of a consumer term of service or a consumer licensing agreement.
• “Cyber threat indicator” = Information that is needed to identify –
  • Spying, including strange patterns of communications that appear to be collecting technical information
  • Security breaches
  • Security vulnerabilities
  • A legitimate user being used to defeat a security system
  • Malicious cyber command and control
  • The harm caused by a cybersecurity incident, including the information taken as a result
  • “Any other attribute of a cybersecurity threat, if disclosure of such attribute is not otherwise prohibited by law”
• “Entity” = “Any private entity, non-Federal government agency or department, or State, tribal, or local government (including a political subdivision, department, or component thereof)
  • Does not include “a “foreign power”, which means a foreign government or a foreign based political organization.

Sharing of Information by the Federal Government

Executive branch officials will write procedures for sharing classified and unclassified “cyber threat indicators” and Federal government information that would help the “entities” to prevent cybersecurity threats.

• The officials writing the rules will be the Director of National Intelligence, the Secretary of Homeland Security, the Secretary of Defense, and the Attorney General.
• The rules they write have to:
  • Ensure “cyber threat indicators” can be shared in real time
  • Include notification procedures for false alarms
  • Include requirements for the Federal government agencies to protect against unauthorized access to the information
  • Requires a Federal entity sharing information to remove personal information
  • Include notification procedures for people whose personal information is shared by the government.
• Their procedures will be due 60 days after CISA becomes law.

Monitoring Authorizations

• Private companies can monitor their own information systems, other private information systems or Federal information systems with permission, and monitor “information that is stored on, processed by, or transiting these information systems”
• Entities can share with and receive information from any other entity or the Federal government.
  • Before sharing information, it must be reviewed and information known to be personal information “at the time of the sharing” must be removed.
• With the written consent of the sharing entity, information shared with a State, tribal, or local government may be used for “preventing, investigating, or prosecuting”…*
  • An “imminent threat of death, serious bodily harm, or serious economic harm”
  • Identity theft, transfers of stolen identification, possession of false identification,
  • Unauthorized use of any card, plate, code, account number, or any equipment that can be used to transfer funds (fraud),
  • Use of a “telecommunication instrument” that’s been altered to obtain unauthorized use of telecommunications services”,
  • Hacking and releasing government or banking information,
  • Extortion
  • Harboring a criminal,
  • Collection and/or communication of information about United States defense activities and infrastructure, or failure to report a defense data breach
  • Disclosure of classified information
  • Violations, or attempted violations, of NASA regulations
  • Unauthorized use of trade secrets
• The information shared with the government as a “cyber threat indicator” will be except from public disclosure under any State, tribal or local law.
• Companies will not be punished under antitrust laws for sharing information with each other “for cybersecurity purposes”

Sharing of Information by “Entities” with the Federal Government

The Attorney General and Secretary of Homeland Security will write the policies and procedures governing receipt of information from private entities and local governments. The policies must include…

• An automated system for sharing information with “all of the appropriate Federal entities” as quickly as possible
• Rules governing “the retention, use, and dissemination” of the information received by the Federal Government.
• Audit capabilities
• “Sanctions” for Federal employees who break the law
• The Attorney General and Secretary of Homeland will publicly publish guidelines explaining what qualifies as a cyber threat indicator
• The Attorney General, with help from “private entities”, will have 180 days to create guidelines for privacy and civil liberties that will govern how the Federal Government uses the information it receives
  • The privacy guidelines will be reviewed every two years
  • The Attorney General will determine how long the information will be kept by the government

The Department of Homeland Security will receive and distribute all of the cyber threat indicators shared with the government.

• Information shared will be withheld from the public under the Freedom of Information Act and all State, tribal, and local laws.
• In addition to the items of the list of allowed uses of information by State, tribal, and local governments (see Monitoring Authorizations section), the Federal Government can also use the information to…
  • “Prevent or mitigate a serious threat to a minor, including sexual exploitation and threats to their physical safety”

Protection from Liability

No private entity can be successfully sued in court for sharing information with the government under CISA regulations.

• The only way a private entity can be sued is in the cast of “gross negligence or willful misconduct”

Oversight of Government Activities

Federal Inspectors General will complete a report every two years.

• The report may include recommendations for improvement

Other Rules

This bill does not permit price-fixing, attempting to monopolize a market, boycotting, or exchanges of price or cost information, customer lists, or information regarding future competitive planning.

Intrusion Assessment Plan

The Secretary of Homeland Security will create a plan to identify and remove intruders on agency information systems.

• The plan will not apply to the Department of Defense, a national security system or an element of the intelligence community.
• The deployment and operation of the new monitoring system can be privatized
  • The private contractor would not be allowed to disclose any of the information they access without permission from the government
  • The private contractor will have immunity from prosecution
    • Internet service providers can not use their immunity to break a user agreement with a customer without their customer’s consent
• The activities carried out in this new monitoring plan need to be “reasonably necessary” to protect agency information systems from cybersecurity risks

Federal Cybersecurity Requirements

Agencies will have to encrypt or render indecipherable information that is stored or transmitted by their information systems, create a single sign-in method for individuals accessing their websites, and implement identity management systems for remote access for each user account.

• This will not apply to the Department of Defense, a national security system, or elements of the intelligence community.

Emergencies

The Secretary of Homeland Security can authorize “intrusion detection and prevention capabilities” on another agency’s information systems in the case of an “imminent threat”

Study on Mobile Device Security

The Secretary of Homeland Security will study threats caused by the shift of technology from desktops to mobile in the Federal Government

Health Care Industry Sharing

Creates a task force to create a plan for sharing with private health care entities specifically

Strategy for Protecting Critical Infrastructure

The Secretary of Homeland Security will have 180 days to develop a strategy ensuring that cyber security incidents would probably not be catastrophic for public health or safety, economic security, or national security. The strategy must include…

• An assessment of whether each entity should be required to report cyber security incidents
• A description of security gaps
• Additional power needed
• Some of this report can be classified.

Sunset

The provisions of this bill would expire 10 years after enactment

H.R. 1731: National Cybersecurity Protection Advancement Act of 2015

For reference, here’s the text as of March 2015 of the Homeland Security Act, which is amended by this bill.

This bill:

• Adds “private entities” to the list of groups that will be part of the National Cybersecurity and Communications Integration Center, which coordinates information sharing between the Federal government and other entities.
• Adds new groups to the list of who will be included in the National Cybersecurity and Communications Integration Center who will coordinate with all sizes of businesses.
• Expands the type of information that the National Cybersecurity and Communications Integration Center will share between the Federal government, local governments, and private sector.
• Authorizes the National Cybersecurity and Communications Integration Center to share information internationally.
• Requires the government and businesses to use existing technology to “rapidly advance” implementation of “automated mechanisms” for sharing between the National Cybersecurity and Communications Integration Center and Federal agencies.
• Participation by non-Federal entities will be voluntary.
• Agreements that exist before this bill is signed into law will be deemed compliant with this law.
• All participating entities need to take “reasonable efforts to remove information that can be used to identity specific persons”. There’s no listed punishments if they don’t.
• The Under Secretary for Cybersecurity and Infrastructure Protection will create policies for governing the use of information shared with the National Cybersecurity and Communications Integration Center 180 days AFTER the bill becomes law. He/she will also be responsible for creating “sanctions” for government employees who disregard his/her privacy policies.
• Private entities that share information will have immunity from lawsuits, if they share information according to this law.
• If the Federal government breaks this law, it will have to pay the person actual damages or $1,000, whichever is higher, plus attorneys fees. There is a two year statute of limitations.
• This law will trump state laws that limit information sharing.
• The law would sunset 7 years after enactment.
• Passed 355-63 in the House
• Sponsored by Rep. Michael McCaul of Texas
• 60 pages

H.R. 1560: Protecting Cyber Networks Act

• Contains the text of H.R. 1731: National Cybersecurity Protection Advancement Act
• Within 90 days of enactment, the Director of National Intelligence must develop procedures for sharing classified “cyber threat indicators” with “non-Federal entities”
• Allows cybersecurity monitoring of government systems to be privatized
• Allows “non-Federal entities” to share information to with anyone other than the Defense Department.
• The entity sharing information must “take reasonable efforts” to remove personally identifiable information on people “not directly related” to the cybersecurity threat.
• The President will develop polices governing what happens to information received by the Federal Government, within 90 days of the bill becoming law.
• The Attorney General will create policies relating to privacy and civil liberties, within 90 days of the bill becoming law.
• A new branch, with 50 or less employees, will be created within the Office of the Director of National Intelligence called the Cyber Threat Intelligence Integration Center, which will “serve as the primary organization within the Federal Government for analyzing and integrating all intelligence possessed or acquired by the United States pertaining to cyber threats.”
• Information shared with the government is exempt from public disclosure.
• Information given to the government “shall not be subject to a rule of any Federal department or agency or any judicial doctrine regarding ex parte communications with a decision-making official.”
• The government can keep and use information given to it to investigate, prosecute, prevent or mitigate a threat of “death or serious bodily harm or an offense arising out of such a threat” and to investigate, prosecute, prevent or mitigate a threat to a minor. The information can also be used to prevent, investigation, disrupt, or prosecute fraud, unauthorized access to computers and transmission of information taken from it, “serious violent felonies” including murder, manslaughter, assault, sexual abuse, kidnapping, robbery, carjacking, extortion, firearms use, firearms possession, or attempt to commit any of these crimes, espionage including photographing or sketching defense installations, and theft of trade secrets.
• Passed 307-116 in the House
• Sponsored by Rep. Devin Nunes of California
• 121 pages

Audio Sources

Senate Floor Proceeding CISA debate, October 27, 2015 (Transcript)

House Rules Committee: Hearing about HR 1731 and HR 1560, the House cybersecurity bills, April 21, 2015

Additional Information

Article: The fight over CISA is far from over by Eric Geller, The Daily Dot, October 28, 2015.

Webpage: About the National Cybersecurity and Communications Integration Center, Department of Homeland Security.

Music Presented in This Episode

• Intro & Exit: Tired of Being Lied To by David Ippolito (found on Music Alley by mevio)