Cybersecurity or surveillance? What does the language attached at the last minute to the 2,009 page omnibus government funding bill actually authorize? In this episode, we take a close look at what just became law.
Please support Congressional Dish:
- Click here to contribute with PayPal or Bitcoin; click the PayPal “Make it Monthly” checkbox to create a monthly subscription
- Click here to support Congressional Dish for each episode via Patreon
- Mail Contributions to:
5753 Hwy 85 North #4576
Crestview, FL 32536
Thank you for supporting truly independent media!
Cybersecurity Act of 2015
The Cybersecurity Act of 2015 was attached at the last minute to the “omnibus” government funding bill, which was 2,009 pages long and available to read for less than three days before it became law. This is an outline of what became law:
TITLE I: Cybersecurity Information Sharing Act of 2015
- “Agency“: “Any executive department, military department, Government corporation, Government controlled corporation, or other establishment in the executive branch of Government”
- Does NOT include the Government Accountability Office, Federal Election Commission, or Government-owned contractor-operated facilities
- “Cybersecurity threat“: An action that “may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system”.
- “Cyber threat indicator“: “Information that is necessary to describe or identify”…
- Spying, including strange patterns of communications that appear to be collecting technical information
- Security breaches
- Security vulnerabilities
- A legitimate user being used to defeat a security system
- Malicious cyber command and control
- “The actual or potential harm caused by an incident, including a description of the information exfiltrated as a result of a particular cybersecurity threat”
- “Any other attribute of a cybersecurity threat, if disclosure of such attribute is not otherwise prohibited by law”
- “Non-Federal entity“: “Any private entity, non-Federal government agency or department, or State, tribal, or local government (including a political subdivision, department, or component thereof)”
- Does not include a foreign power, as defined in the FISA law
Section 103: Sharing of Information by the Federal Government
- Procedures for sharing information both within and outside the Federal government will be created by:
- Director of National Intelligence
- Secretary of Homeland Security
- Secretary of Defense
- Attorney General
- The procedures developed must…
- Allow real time sharing of information
- Include requirements for the government to protect the information from unauthorized access
- Require Federal entities to review cyber threat indicators for information not directly related to the threat that contains information that identifies a specific individual and remove the information
- Include procedures for notifying “any United States person” whose information has been shared by the Federal government
- “A non-Federal entity may… share with, or receive from, any other non-Federal entity or the Federal Government a cyber threat indicator or defensive measure”
- Non-Federal entities sharing information mush “review” the information for “personal information of a specific individual” and “remove such information” OR have a technical way of removing the information it “knows at the time of sharing” to be personal information.
Use of Cyber Threat Indicators by Government
- State, tribal, or local governments and the Federal Government can use the information they receive for…
- Cybersecurity
- Preventing a specific threat of death, serious bodily harm, or specific threat of serious economic harm
- Investigating, prosecuting, and preventing serious threats to minors, including sexual exploitation and threats to physical safety
- Preventing, investigating, disrupting, or prosecuting…
- Identity theft, transfers of stolen identification, possession of false identification,
- Unauthorized use of any card, plate, code, account number, or any equipment that can be used to transfer funds (fraud),
- Use of a “telecommunication instrument” that’s been altered to obtain unauthorized use of telecommunications services”,
- Hacking and releasing government or banking information,
- Extortion
- Harboring a criminal,
- Collection and/or communication of information about United States defense activities and infrastructure, or failure to report a defense data breach
- Disclosure of classified information
- Violations, or attempted violations, of NASA regulations
- Unauthorized use of trade secrets
- Information shared will be “exempt from disclosure under any provision of State, tribal, or local freedom of Information law, open government law, sunshine law, or similar law requiring disclosure of information or records”
- Information shared between private entities can not be considered violations of “any provision of antitrust laws“
Section 105: Sharing of Cyber Threat Indicators and Defensive Measures with the Federal Government”
- Policies will be written by…
- Attorney General
- Secretary of Homeland Security
- Policies must create a way to share information “in an automated manner with all of the appropriate Federal entities”
- “Appropriate Federal entities”
- Dept. of Commerce
- Dept. of Defense
- Dept. of Energy
- Dept. of Homeland Security
- Dept. of Justice
- Dept. of Treasury
- Office of the Director of National Intelligence
- Information may be provided to other Federal agencies
- Privacy and civil liberties guidelines will be written by…
- Attorney General
- Secretary of Homeland Security
- In consultation with the Privacy and Civil Liberties oversight board
- “Private entities with industry expertise as the Attorney General and the Secretary consider relevant”
- Guidelines will be reviewed at least every two years
- “Appropriate Federal entities”
- Information shared with the Federal Government will go to the Department of Homeland Security
- Information shared with the Federal government can not be used to regulate the lawful activities of any non-Federal entity
Section 106: Protection from Liability
- The courts must dismiss any lawsuits against “any private entity” for monitoring information systems or sharing/receiving “cyber threat indicators”
Section 107: Oversight of Government Activities
- Heads of “appropriate Federal entities” will submit a report
- Inspectors General of the “appropriate Federal entities” will submit reports every two years
- The Comptroller General of the United States will submit a report on actions taken by the Federal Government to remove personal information. Report will be due in three years.
- Unclassified portions of the reports will be available to the public.
Section 108: Construction and Preemption
- Lists what this bill is not intended to do
Section 109: Report on Cybersecurity Threats
- Report will be submitted by the Director of National Intelligence
- Specifically allows the Secretary of Defense to share information
- These provisions expire on September 30, 2025.
TITLE II: National Cybersecurity Protection Advancement Act of 2015
Section 203: Information Sharing Structure and Processes
- The National Cybersecurity and Communications Integration Center will implement the procedures for sharing information that are created by Title I (view this mark-up of the Homeland Security Act of 2002 to see changes made by this provision)
- Adds functions to the National Cybersecurity and Communications Integration Center including…
- “Engaging with international partners… to collaborate on cyber threat indicators, defensive measures, and information related to cybersecurity risks and incidents”
- “Sharing cyber threat indicators, defensive measures, and other information related to cybersecurity risks and incidents with Federal and non-Federal entities… and with State and major urban area fusion centers”
- Participating in national exercises run by DHS
- Evaluating cyber threats to public safety communication systems
- Adds tribal governments and private entities to the list of entities that will have representatives in the National Cybersecurity and Communications Integration Center
- Adds protection from information “disclosure” to list of the Center’s principles
- Orders the Center to work with the “Privacy Officer” to make sure the Center follows the policies and procedures created by the Attorney General and Secretary of Homeland Security.
- The Center will be in charge of creating the automated system for information sharing.
- The Center may partner directly with any “consenting non-Federal entity” for the purpose of sharing “cyber threat indicators”
- Orders the Center to publicly publish information on how to share information with the Center within 60 days of enactment
Sections 206-209: Reports that will expire after 7 years
Subtitle B: Federal Cybersecurity Enhancement Act of 2015
Section 223: Improved Federal Network Security
- Requires the Secretary of Homeland Security and the Director of the Office of Management and Budget to develop a plan to proactively detect, identify, and remove intruders in agency information systems.
- The plan will not apply to the Department of Defense, a “national security system” or an element of the intelligence community
- In implementing the plan, the Secretary of Homeland Security can get access to the information transiting or traveling to or from an agency information system
- The operation of the technology needed to implement the plan can be privatized
- The actions taken need to be “reasonably necessary”
- It is illegal for the private entity operating the system to use the information for anything other than protecting the system but the private entity can not be sued in court for their role in assisting the DHS
Section 225: Federal Cybersecurity Requirements
- The Secretary of Homeland Security will issue binding operational directives for agencies to secure their networks within a year. Agencies will have to…
- Identify sensitive and mission critical data stored by the agency
- Assess the need to store that data and determine which individuals need access to it
- Encrypt the data
- Implement a single sign-on platform for people using the agency website that requires user authentication
- Require multi-factor authentication for remote access
- Agencies will not have to comply if they say it’s “overly burdensome to implement” or that it’s not necessary.
- These binding operational directives will not apply to the Defense Department, a “national security system”, or the intelligence community.
- The directives and reports on them will expire in 7 years, December 2022.
Section 229: Direction to Agencies
- The Secretary of Homeland Security can order the head of other agencies to take “lawful actions” in response to security threats.
TITLE III: Federal Cybersecurity Workforce Assessment Act
Section 303: National Cybersecurity Workforce Measurement Initiative
- Requires an assessment of all Federal positions that have cyber-related functions
TITLE IV- Other Cyber Matters
Section 401: Study on Mobile Device Security
- Orders a study on the security of mobile devices of the Federal Government
Section 402: Department of State International Cyberspace Policy Strategy
- Orders a State Department report on threats from foreign sources and cooperation strategies within 90 days.
Section 403: Apprehension and Prosecution of International Cyber Criminals
- The Secretary of State must consult with government officials in countries where we don’t have an extradition treaty to determine what actions they’ve taken to catch “cyber criminals” with arrest warrant issued by US judges or Interpol.
Section 404: Enhancement of Emergency Services
- Orders the National Cybersecurity and Communications Integration Center to create a process for information sharing with Statewide Interoperability Coordinators
Section 405: Improving Cybersecurity in the Health Care Industry
- Requires a report that will include a plan so that “the Federal Government and health care industry stakeholders may in real time, share actionable cyber threat indicators and defensive measures”
Additional Reading
- Article: Meet the Lobbyists and Big Money Interests Pushing to End the Oil Exports Ban by Steve Horn, DeSmogBlog, December 16, 2015.
- Article: 9 Heinous Items Sneaked Into the Budget Bill Congress Doesn’t Want You to See by Tom Cahill, U.S. Uncut, December 19, 2015.
- Article: Hospitality and Gambling Interests Delay Closing of Billion-Dollar Tax Loophole by Eric Lipton and Liz Moyer, New York Times, December 20, 2015.
- Article: The CISA Secret to Cybersecurity that No One Seems to Get by Mike Gault, Wired, December 20, 2015.
Music Presented in This Episode
- Intro & Exit: Tired of Being Lied To by David Ippolito (found on Music Alley by mevio)
Cover Art
Design by Only Child Imaginations