H.R. 624: “Cyber Intelligence Sharing and Protection Act”, which protects companies from liability for giving your information to the government and allows the government to sift through that information without a warrant, has almost no chance of becoming law as President Obama has promised a veto.
CISPA passed the House on Thursday, April 17th, 2013.
Section 2: Federal Government Coordination with Respect to Cyber-security
(b)(1) The President will designate a part of the Department of Homeland Security to receive cyber threat information shared by a private sector company or utility or a cyber security company.
(b)(2) The President will designate a part of the Justice Department to receive cyber threat information related to cyber-security crimes.
(b)(4)(A) Procedures that will be created in the next section of the bill need to make sure the departments of the government that receive the cyber-threat information share it with other parts of the government with a national security mission in real time.
(b)(4)(C) The procedures need to facilitate information sharing among the Federal government; State, local, tribal, and territorial governments; cyber-security companies; and companies with in-house cyber-security.
(b)(5)(A) Government officials need to “periodically review” the policies and procedures governing the receipt, retention, use, and disclosure of cyber-threat information shared with the government. The policies must:
- “Minimize the impact on privacy and civil liberties.”
- “Reasonably limit” the receipt and use of information associated with specific people that is not necessary to protect systems and networks from cyber threats.
- Require the safeguarding and confidentiality of personally identifiable information.
- “Not delay or impede the flow of cyber threat information necessary to defend against or mitigate a cyber threat.”
(b)(5)(D) Government officials will establish a program to monitor and oversee compliance with the policies above (see (b)(5)(A)).
(c)(1) The Inspector General of the Department of Homeland Security will produce a report once per year reviewing:
- How the government used the information for purposes other than cyber-security.
- The type of information shared with the government.
- Government actions taken because of the information it received.
- The impact of the sharing of information on privacy and civil liberties.
- A list of government departments that received information.
- Recommendations for improvement.
(c)(2) The privacy and civil liberties officers of each department that receives information need to submit an annual report on the effect on privacy and civil liberties of government actions taken using the shared information, along with their recommendations.
(c)(3) The reports have to be unclassified, but can have a classified annex.
Section 3: Cyber Threat Intelligence and Information Sharing
(a) Adds the following to the National Security Act of 1947:
(a)(1) The Director of National Intelligence needs to create procedures to allow the government to give cyber threat information to private companies and utilities.
(a)(3) The Director of National Intelligence can issue temporary or permanent security clearance to an employee, independent contractor, or officer of a “certified entity”.
(b)(1)(A) A company providing cyber-security is allowed to share cyber threat information with the Department of Homeland Security and/or the Justice Department if the company/person who hired them tells them to.
(b)(2)(A) A company providing cyber-threat information is allowed to place restrictions on who in the government the information is shared with.
(b)(2)(B) The cyber-threat information may not be used to hurt the business that provided the information.
(b)(2)(D) Cyber-threat information shared with the government will be exempt from disclosure under the Freedom of Information Act and cannot be given to anyone outside of the government unless the person/company who shared the information gives permission.
(b)(2)(E) Cyber-threat information shared with the government will be exempt from disclosure required by any state, local, or tribal law.
(b)(3)(A) A company that shares cyber-threat information will be exempt from civil or criminal liability as long as it acted “in good faith” when sharing the information.
(b)(4)(B) A company can be liable when it intends “to injure, defraud, or otherwise endanger any individual, government entity, private entity, or utility.”
(c)(1) The government can use the information they get:
- For cyber-security purposes.
- For investigating and prosecuting cyber-security crimes.
- To protect people from death or serious bodily injury.
- To prevent, investigate, and prosecute child pornography, kidnapping, and trafficking crimes.
(c)(2) The government can’t search through cyber-security information except for the reasons listed above (see (c)(1)).
(c)(3) The government can’t force a private-sector company or utility to share information with the government.
(c)(4) The government can’t use the following types of information:
- Library attendance and reading records
- Book sale records
- Firearms sales records
- Tax return records
- Educational records
- Medical records
(c)(5) If the government receives information that is not actually cyber-threat information, the government needs to tell the information provider.
(c)(6) The government can’t keep or use cyber-threat information except for the reasons listed in (c)(1).
(d)(1) If the government “intentionally and willfully” violates the rules on how they are allowed to use the information they are given, the United States will give the affected person the actual damages plus attorney’s fees or $1,000, whichever is greater.
(d)(3) Statute of limitations: Two years after the date of the violation.
(e) Federal Preemption: “This section supersedes any statute of a State or political subdivision of a State that restricts or otherwise expressly regulates” the sharing of information with the government as described in (b).
(f)(2) The military and intelligence community are not allowed to control, modify, require, or otherwise direct the cyber-security efforts of a private company or a component of the government.
(f)(4) Government cyber-security systems cannot be used to protect private networks.
(f)(5) You can’t get in trouble for choosing not to share cyber-threat information with the government.
(f)(6) This bill does not give extra authority to the government to keep or use cyber-threat information for any use other than for the reasons listed above under (c)(1).
(f)(7) Nothing in this bill authorizes the Department of Defense or National Security Agency or any other part of the intelligence community to target a United States person for surveillance.
(g)(4)(A) ‘Cyber-threat information’ is information directly relating to:
- “A vulnerability of a system or network”
- A threat to the integrity, confidentiality, or availability of any information stored on, processed on, or transiting a system or network.
- Efforts to deny access or to disrupt or destroy a system or network.
- Efforts to gain unauthorized access to a system or network to get information stored on, processed on, or transiting a system or network.
(g)(4)(B) Efforts to gain unauthorized access to a system or network that merely violate the consumer terms of service are NOT ‘cyber-threat information’.
(b) The procedures for cyber-threat information sharing ordered in this bill need to be submitted by the Director of National Intelligence 60 days after this bill is signed.
Section 4: Sunset
The bill expires five years after it is signed.
Section 6: Consumer Data
This bill does not alter existing law governing the sale of personal customer information from one company to another for marketing purposes.
Section 7: Obligation to Report
This bill does not require a cyber-security company to share information with the government about incidents that do not pose a threat to the Federal government’s information.