Ricochet is the best place on the internet to discuss the issues of the day, either through commenting on posts or writing your own for our active and dynamic community in a fully moderated environment. In addition, the Ricochet Audio Network offers over 50 original podcasts with new episodes released every day.
So Let’s Have a Look at CISA, Shall We?
One thing that may be said in CISA’s favor is that unlike certain other major pieces of legislation I could mention, it’s short. We can read the whole thing in just a few minutes here. And we should, since this whole democracy business is about governing ourselves (lest we forget).
CISA, or the Cybersecurity Information Sharing Act, passed the Senate yesterday by a 74-21 vote. I propose we take no one else’s word about whether it’s good or bad; approach it with an entirely open and non-partisan mind, and study its plain meaning closely together. Let’s look at the complete text, line by line. My comments will be in blue.
S. 754
To improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes.
IN THE SENATE OF THE UNITED STATES
March 17, 2015
Mr. Burr, from the Select Committee on Intelligence, reported the following original bill; which was read twice and placed on the calendar
A BILL
To improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes.
So far, so good. I’d like improved cybersecurity in the United States, and I like the sound of “enhanced sharing of information about cybersecurity threats,” although this “for other purposes” thing sounds vague to me. But let’s give it a chance.
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) Short Title.—This Act may be cited as the “Cybersecurity Information Sharing Act of 2015”.
(b) Table Of Contents.—The table of contents of this Act is as follows:
Sec. 1. Short title; table of contents.
Sec. 2. Definitions.
Sec. 3. Sharing of information by the Federal Government.
Sec. 4. Authorizations for preventing, detecting, analyzing, and mitigating cybersecurity threats.
Sec. 5. Sharing of cyber threat indicators and defensive measures with the Federal Government.
Sec. 6. Protection from liability.
Sec. 7. Oversight of Government activities.
Sec. 8. Construction and preemption.
Sec. 9. Report on cybersecurity threats.
Sec. 10. Conforming amendments.
SEC. 2. DEFINITIONS.
In this Act:
(1) AGENCY.—The term “agency” has the meaning given the term in section 3502 of title 44, United States Code.
(2) ANTITRUST LAWS.—The term “antitrust laws”—
(A) has the meaning given the term in section 1 of the Clayton Act (15 U.S.C. 12);
(B) includes section 5 of the Federal Trade Commission Act (15 U.S.C. 45) to the extent that section 5 of that Act applies to unfair methods of competition; and
(C) includes any State law that has the same intent and effect as the laws under subparagraphs (A) and (B).
(3) APPROPRIATE FEDERAL ENTITIES.—The term “appropriate Federal entities” means the following:
(A) The Department of Commerce.
(B) The Department of Defense.
(C) The Department of Energy.
(D) The Department of Homeland Security.
(E) The Department of Justice.
(F) The Department of the Treasury.
(G) The Office of the Director of National Intelligence.
(4) CYBERSECURITY PURPOSE.—The term “cybersecurity purpose” means the purpose of protecting an information system or information that is stored on, processed by, or transiting an information system from a cybersecurity threat or security vulnerability.
(5) CYBERSECURITY THREAT.—
(A) IN GENERAL.—Except as provided in subparagraph (B), the term “cybersecurity threat” means an action, not protected by the First Amendment to the Constitution of the United States, on or through an information system that may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system.
(B) EXCLUSION.—The term “cybersecurity threat” does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement.
(6) CYBER THREAT INDICATOR.—The term “cyber threat indicator” means information that is necessary to describe or identify—
(A) malicious reconnaissance, including anomalous patterns of communications that appear to be transmitted for the purpose of gathering technical information related to a cybersecurity threat or security vulnerability;
(B) a method of defeating a security control or exploitation of a security vulnerability;
(C) a security vulnerability, including anomalous activity that appears to indicate the existence of a security vulnerability;
(D) a method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system to unwittingly enable the defeat of a security control or exploitation of a security vulnerability;
(E) malicious cyber command and control;
(F) the actual or potential harm caused by an incident, including a description of the information exfiltrated as a result of a particular cybersecurity threat;
(G) any other attribute of a cybersecurity threat, if disclosure of such attribute is not otherwise prohibited by law; or
(H) any combination thereof.
(7) DEFENSIVE MEASURE.—
(A) IN GENERAL.—Except as provided in subparagraph (B), the term “defensive measure” means an action, device, procedure, signature, technique, or other measure applied to an information system or information that is stored on, processed by, or transiting an information system that detects, prevents, or mitigates a known or suspected cybersecurity threat or security vulnerability.
(B) EXCLUSION.—The term “defensive measure” does not include a measure that destroys, renders unusable, or substantially harms an information system or data on an information system not belonging to—
(i) the private entity operating the measure; or
(ii) another entity or Federal entity that is authorized to provide consent and has provided consent to that private entity for operation of such measure.
(8) ENTITY.—
(A) IN GENERAL.—Except as otherwise provided in this paragraph, the term “entity” means any private entity, non-Federal government agency or department, or State, tribal, or local government (including a political subdivision, department, or component thereof).
(B) INCLUSIONS.—The term “entity” includes a government agency or department of the District of Columbia, the Commonwealth of Puerto Rico, the Virgin Islands, Guam, American Samoa, the Northern Mariana Islands, and any other territory or possession of the United States.
(C) EXCLUSION.—The term “entity” does not include a foreign power as defined in section 101 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801).
Huh. So I guess this has nothing to do with cyber-threats from, say, China or Russia? It kind of sounded like a national-security bill, didn’t it? But I guess this is about domestic cyber-threats. Okay, good to know.
(9) FEDERAL ENTITY.—The term “Federal entity” means a department or agency of the United States or any component of such department or agency.
(10) INFORMATION SYSTEM.—The term “information system”—
(A) has the meaning given the term in section 3502 of title 44, United States Code; and
(B) includes industrial control systems, such as supervisory control and data acquisition systems, distributed control systems, and programmable logic controllers.
(11) LOCAL GOVERNMENT.—The term “local government” means any borough, city, county, parish, town, township, village, or other political subdivision of a State.
(12) MALICIOUS CYBER COMMAND AND CONTROL.—The term “malicious cyber command and control” means a method for unauthorized remote identification of, access to, or use of, an information system or information that is stored on, processed by, or transiting an information system.
(13) MALICIOUS RECONNAISSANCE.—The term “malicious reconnaissance” means a method for actively probing or passively monitoring an information system for the purpose of discerning security vulnerabilities of the information system, if such method is associated with a known or suspected cybersecurity threat.
(14) MONITOR.—The term “monitor” means to acquire, identify, or scan, or to possess, information that is stored on, processed by, or transiting an information system.
(15) PRIVATE ENTITY.—
(A) IN GENERAL.—Except as otherwise provided in this paragraph, the term “private entity” means any person or private group, organization, proprietorship, partnership, trust, cooperative, corporation, or other commercial or nonprofit entity, including an officer, employee, or agent thereof.
(B) INCLUSION.—The term “private entity” includes a State, tribal, or local government performing electric utility services.
(C) EXCLUSION.—The term “private entity” does not include a foreign power as defined in section 101 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801).
So, definitely, this doesn’t seem to be about keeping us safe from Chinese hacking. Agree with me? Am I missing something?
(16) SECURITY CONTROL.—The term “security control” means the management, operational, and technical controls used to protect against an unauthorized effort to adversely affect the confidentiality, integrity, and availability of an information system or its information.
(17) SECURITY VULNERABILITY.—The term “security vulnerability” means any attribute of hardware, software, process, or procedure that could enable or facilitate the defeat of a security control.
(18) TRIBAL.—The term “tribal” has the meaning given the term “Indian tribe” in section 4 of the Indian Self-Determination and Education Assistance Act (25 U.S.C. 450b).
SEC. 3. SHARING OF INFORMATION BY THE FEDERAL GOVERNMENT.
(a) In General.—Consistent with the protection of classified information, intelligence sources and methods, and privacy and civil liberties, the Director of National Intelligence, the Secretary of Homeland Security, the Secretary of Defense, and the Attorney General, in consultation with the heads of the appropriate Federal entities, shall develop and promulgate procedures to facilitate and promote—
(1) the timely sharing of classified cyber threat indicators in the possession of the Federal Government with cleared representatives of relevant entities;
(2) the timely sharing with relevant entities of cyber threat indicators or information in the possession of the Federal Government that may be declassified and shared at an unclassified level;
(3) the sharing with relevant entities, or the public if appropriate, of unclassified, including controlled unclassified, cyber threat indicators in the possession of the Federal Government; and
(4) the sharing with entities, if appropriate, of information in the possession of the Federal Government about cybersecurity threats to such entities to prevent or mitigate adverse effects from such cybersecurity threats.
OK, that sounds good. I’d like the government to share what it knows about cyber threats with relevant entities among the public. Good idea. No problem.
(b) Development Of Procedures.—
(1) IN GENERAL.—The procedures developed and promulgated under subsection (a) shall—
(A) ensure the Federal Government has and maintains the capability to share cyber threat indicators in real time consistent with the protection of classified information;
(B) incorporate, to the greatest extent practicable, existing processes and existing roles and responsibilities of Federal and non-Federal entities for information sharing by the Federal Government, including sector specific information sharing and analysis centers;
(C) include procedures for notifying entities that have received a cyber threat indicator from a Federal entity under this Act that is known or determined to be in error or in contravention of the requirements of this Act or another provision of Federal law or policy of such error or contravention;
(D) include requirements for Federal entities receiving cyber threat indicators or defensive measures to implement and utilize security controls to protect against unauthorized access to or acquisition of such cyber threat indicators or defensive measures; and
I read this as, “No more OPM hacks,” don’t you?
(E) include procedures that require a Federal entity, prior to the sharing of a cyber threat indicator—
(i) to review such cyber threat indicator to assess whether such cyber threat indicator contains any information that such Federal entity knows at the time of sharing to be personal information of or identifying a specific person not directly related to a cybersecurity threat and remove such information; or
(ii) to implement and utilize a technical capability configured to remove any personal information of or identifying a specific person not directly related to a cybersecurity threat.
Good, fair enough.
(2) COORDINATION.—In developing the procedures required under this section, the Director of National Intelligence, the Secretary of Homeland Security, the Secretary of Defense, and the Attorney General shall coordinate with appropriate Federal entities, including the National Laboratories (as defined in section 2 of the Energy Policy Act of 2005 (42 U.S.C. 15801)), to ensure that effective protocols are implemented that will facilitate and promote the sharing of cyber threat indicators by the Federal Government in a timely manner.
(c) Submittal To Congress.—Not later than 60 days after the date of the enactment of this Act, the Director of National Intelligence, in consultation with the heads of the appropriate Federal entities, shall submit to Congress the procedures required by subsection (a).
SEC. 4. AUTHORIZATIONS FOR PREVENTING, DETECTING, ANALYZING, AND MITIGATING CYBERSECURITY THREATS.
(a) Authorization For Monitoring.—
(1) IN GENERAL.—Notwithstanding any other provision of law, a private entity may, for cybersecurity purposes, monitor—
(A) an information system of such private entity;
(B) an information system of another entity, upon the authorization and written consent of such other entity;
(C) an information system of a Federal entity, upon the authorization and written consent of an authorized representative of the Federal entity; and
(D) information that is stored on, processed by, or transiting an information system monitored by the private entity under this paragraph.
(2) CONSTRUCTION.—Nothing in this subsection shall be construed—
(A) to authorize the monitoring of an information system, or the use of any information obtained through such monitoring, other than as provided in this Act; or
(B) to limit otherwise lawful activity.
(b) Authorization For Operation Of Defensive Measures.—
(1) IN GENERAL.—Notwithstanding any other provision of law, a private entity may, for cybersecurity purposes, operate a defensive measure that is applied to—
(A) an information system of such private entity in order to protect the rights or property of the private entity;
(B) an information system of another entity upon written consent of such entity for operation of such defensive measure to protect the rights or property of such entity; and
(C) an information system of a Federal entity upon written consent of an authorized representative of such Federal entity for operation of such defensive measure to protect the rights or property of the Federal Government.
(2) CONSTRUCTION.—Nothing in this subsection shall be construed—
(A) to authorize the use of a defensive measure other than as provided in this subsection; or
(B) to limit otherwise lawful activity.
(c) Authorization For Sharing Or Receiving Cyber Threat Indicators Or Defensive Measures.—
(1) IN GENERAL.—Except as provided in paragraph (2) and notwithstanding any other provision of law, an entity may, for the purposes permitted under this Act and consistent with the protection of classified information, share with, or receive from, any other entity or the Federal Government a cyber threat indicator or defensive measure.
So I read this as, “A private entity can take defensive measures to protect itself against cyber threats, and may share information about these threats with the Feds.” Sounds reasonable to me, what about you?
(2) LAWFUL RESTRICTION.—An entity receiving a cyber threat indicator or defensive measure from another entity or Federal entity shall comply with otherwise lawful restrictions placed on the sharing or use of such cyber threat indicator or defensive measure by the sharing entity or Federal entity.
(3) CONSTRUCTION.—Nothing in this subsection shall be construed—
(A) to authorize the sharing or receiving of a cyber threat indicator or defensive measure other than as provided in this subsection; or
(B) to limit otherwise lawful activity.
(d) Protection And Use Of Information.—
(1) SECURITY OF INFORMATION.—An entity monitoring an information system, operating a defensive measure, or providing or receiving a cyber threat indicator or defensive measure under this section shall implement and utilize a security control to protect against unauthorized access to or acquisition of such cyber threat indicator or defensive measure.
I don’t get this. What does this mean in plain English?
(2) REMOVAL OF CERTAIN PERSONAL INFORMATION.—An entity sharing a cyber threat indicator pursuant to this Act shall, prior to such sharing—
(A) review such cyber threat indicator to assess whether such cyber threat indicator contains any information that the entity knows at the time of sharing to be personal information of or identifying a specific person not directly related to a cybersecurity threat and remove such information; or
(B) implement and utilize a technical capability configured to remove any information contained within such indicator that the entity knows at the time of sharing to be personal information of or identifying a specific person not directly related to a cybersecurity threat.
(3) USE OF CYBER THREAT INDICATORS AND DEFENSIVE MEASURES BY ENTITIES.—
(A) IN GENERAL.—Consistent with this Act, a cyber threat indicator or defensive measure shared or received under this section may, for cybersecurity purposes—
(i) be used by an entity to monitor or operate a defensive measure on—
(I) an information system of the entity; or
(II) an information system of another entity or a Federal entity upon the written consent of that other entity or that Federal entity; and
(ii) be otherwise used, retained, and further shared by an entity subject to—
(I) an otherwise lawful restriction placed by the sharing entity or Federal entity on such cyber threat indicator or defensive measure; or
(II) an otherwise applicable provision of law.
(B) CONSTRUCTION.—Nothing in this paragraph shall be construed to authorize the use of a cyber threat indicator or defensive measure other than as provided in this section.
(4) USE OF CYBER THREAT INDICATORS BY STATE, TRIBAL, OR LOCAL GOVERNMENT.—
(A) LAW ENFORCEMENT USE.—
(i) PRIOR WRITTEN CONSENT.—Except as provided in clause (ii), a cyber threat indicator shared with a State, tribal, or local government under this section may, with the prior written consent of the entity sharing such indicator, be used by a State, tribal, or local government for the purpose of preventing, investigating, or prosecuting any of the offenses described in section 5(d)(5)(A)(vi).
(ii) ORAL CONSENT.—If exigent circumstances prevent obtaining written consent under clause (i), such consent may be provided orally with subsequent documentation of the consent.
(B) EXEMPTION FROM DISCLOSURE.—A cyber threat indicator shared with a State, tribal, or local government under this section shall be—
(i) deemed voluntarily shared information; and
(ii) exempt from disclosure under any State, tribal, or local law requiring disclosure of information or records.
(C) STATE, TRIBAL, AND LOCAL REGULATORY AUTHORITY.—
(i) IN GENERAL.—Except as provided in clause (ii), a cyber threat indicator or defensive measure shared with a State, tribal, or local government under this Act shall not be directly used by any State, tribal, or local government to regulate, including an enforcement action, the lawful activity of any entity, including an activity relating to monitoring, operating a defensive measure, or sharing of a cyber threat indicator.
(ii) REGULATORY AUTHORITY SPECIFICALLY RELATING TO PREVENTION OR MITIGATION OF CYBERSECURITY THREATS.—A cyber threat indicator or defensive measures shared as described in clause (i) may, consistent with a State, tribal, or local government regulatory authority specifically relating to the prevention or mitigation of cybersecurity threats to information systems, inform the development or implementation of a regulation relating to such information systems.
(e) Antitrust Exemption.—
(1) IN GENERAL.—Except as provided in section 8(e), it shall not be considered a violation of any provision of antitrust laws for 2 or more private entities to exchange or provide a cyber threat indicator, or assistance relating to the prevention, investigation, or mitigation of a cybersecurity threat, for cybersecurity purposes under this Act.
Sure, that sounds like common sense: Why would anyone think that could be a violation of anti-trust laws in the first place? Am I missing something?
(2) APPLICABILITY.—Paragraph (1) shall apply only to information that is exchanged or assistance provided in order to assist with—
(A) facilitating the prevention, investigation, or mitigation of a cybersecurity threat to an information system or information that is stored on, processed by, or transiting an information system; or
(B) communicating or disclosing a cyber threat indicator to help prevent, investigate, or mitigate the effect of a cybersecurity threat to an information system or information that is stored on, processed by, or transiting an information system.
(f) No Right Or Benefit.—The sharing of a cyber threat indicator with an entity under this Act shall not create a right or benefit to similar information by such entity or any other entity.
In other words, I suppose, if you want to share this information with another entity it’s because you’re a good samaritan, or because you think it’s good for your industry to make life difficult for the people behind this threat. But it’s not an implicit contract — you don’t have the right to say, “Hey, I shared that thread with you, now you owe me the same.” Right?
SEC. 5. SHARING OF CYBER THREAT INDICATORS AND DEFENSIVE MEASURES WITH THE FEDERAL GOVERNMENT.
(a) Requirement For Policies And Procedures.—
(1) INTERIM POLICIES AND PROCEDURES.—Not later than 60 days after the date of the enactment of this Act, the Attorney General, in coordination with the heads of the appropriate Federal entities, shall develop and submit to Congress interim policies and procedures relating to the receipt of cyber threat indicators and defensive measures by the Federal Government.
(2) FINAL POLICIES AND PROCEDURES.—Not later than 180 days after the date of the enactment of this Act, the Attorney General shall, in coordination with the heads of the appropriate Federal entities, promulgate final policies and procedures relating to the receipt of cyber threat indicators and defensive measures by the Federal Government.
(3) REQUIREMENTS CONCERNING POLICIES AND PROCEDURES.—Consistent with the guidelines required by subsection (b), the policies and procedures developed and promulgated under this subsection shall—
(A) ensure that cyber threat indicators are shared with the Federal Government by any entity pursuant to section 4(c) through the real-time process described in subsection (c) of this section—
(i) are shared in an automated manner with all of the appropriate Federal entities;
(ii) are not subject to any delay, modification, or any other action that could impede real-time receipt by all of the appropriate Federal entities; and
(iii) may be provided to other Federal entities;
(B) ensure that cyber threat indicators shared with the Federal Government by any entity pursuant to section 4 in a manner other than the real-time process described in subsection (c) of this section—
(i) are shared as quickly as operationally practicable with all of the appropriate Federal entities;
(ii) are not subject to any unnecessary delay, interference, or any other action that could impede receipt by all of the appropriate Federal entities; and
(iii) may be provided to other Federal entities;
(C) consistent with this Act, any other applicable provisions of law, and the fair information practice principles set forth in appendix A of the document entitled “National Strategy for Trusted Identities in Cyberspace” and published by the President in April 2011, govern the retention, use, and dissemination by the Federal Government of cyber threat indicators shared with the Federal Government under this Act, including the extent, if any, to which such cyber threat indicators may be used by the Federal Government; and
(D) ensure there is—
(i) an audit capability; and
(ii) appropriate sanctions in place for officers, employees, or agents of a Federal entity who knowingly and willfully conduct activities under this Act in an unauthorized manner.
(4) GUIDELINES FOR ENTITIES SHARING CYBER THREAT INDICATORS WITH FEDERAL GOVERNMENT.—
(A) IN GENERAL.—Not later than 60 days after the date of the enactment of this Act, the Attorney General shall develop and make publicly available guidance to assist entities and promote sharing of cyber threat indicators with Federal entities under this Act.
(B) CONTENTS.—The guidelines developed and made publicly available under subparagraph (A) shall include guidance on the following:
(i) Identification of types of information that would qualify as a cyber threat indicator under this Act that would be unlikely to include personal information of or identifying a specific person not directly related to a cyber security threat.
(ii) Identification of types of information protected under otherwise applicable privacy laws that are unlikely to be directly related to a cybersecurity threat.
(iii) Such other matters as the Attorney General considers appropriate for entities sharing cyber threat indicators with Federal entities under this Act.
(b) Privacy And Civil Liberties.—
(1) GUIDELINES OF ATTORNEY GENERAL.—Not later than 60 days after the date of the enactment of this Act, the Attorney General shall, in coordination with heads of the appropriate Federal entities and in consultation with officers designated under section 1062 of the National Security Intelligence Reform Act of 2004 (42 U.S.C. 2000ee–1), develop, submit to Congress, and make available to the public interim guidelines relating to privacy and civil liberties which shall govern the receipt, retention, use, and dissemination of cyber threat indicators by a Federal entity obtained in connection with activities authorized in this Act.
(2) FINAL GUIDELINES.—
(A) IN GENERAL.—Not later than 180 days after the date of the enactment of this Act, the Attorney General shall, in coordination with heads of the appropriate Federal entities and in consultation with officers designated under section 1062 of the National Security Intelligence Reform Act of 2004 (42 U.S.C. 2000ee–1) and such private entities with industry expertise as the Attorney General considers relevant, promulgate final guidelines relating to privacy and civil liberties which shall govern the receipt, retention, use, and dissemination of cyber threat indicators by a Federal entity obtained in connection with activities authorized in this Act.
(B) PERIODIC REVIEW.—The Attorney General shall, in coordination with heads of the appropriate Federal entities and in consultation with officers and private entities described in subparagraph (A), periodically review the guidelines promulgated under subparagraph (A).
(3) CONTENT.—The guidelines required by paragraphs (1) and (2) shall, consistent with the need to protect information systems from cybersecurity threats and mitigate cybersecurity threats—
(A) limit the impact on privacy and civil liberties of activities by the Federal Government under this Act;
(B) limit the receipt, retention, use, and dissemination of cyber threat indicators containing personal information of or identifying specific persons, including by establishing—
(i) a process for the timely destruction of such information that is known not to be directly related to uses authorized under this Act; and
(ii) specific limitations on the length of any period in which a cyber threat indicator may be retained;
(C) include requirements to safeguard cyber threat indicators containing personal information of or identifying specific persons from unauthorized access or acquisition, including appropriate sanctions for activities by officers, employees, or agents of the Federal Government in contravention of such guidelines;
(D) include procedures for notifying entities and Federal entities if information received pursuant to this section is known or determined by a Federal entity receiving such information not to constitute a cyber threat indicator;
(E) protect the confidentiality of cyber threat indicators containing personal information of or identifying specific persons to the greatest extent practicable and require recipients to be informed that such indicators may only be used for purposes authorized under this Act; and
(F) include steps that may be needed so that dissemination of cyber threat indicators is consistent with the protection of classified and other sensitive national security information.
(c) Capability And Process Within The Department Of Homeland Security.—
(1) IN GENERAL.—Not later than 90 days after the date of the enactment of this Act, the Secretary of Homeland Security, in coordination with the heads of the appropriate Federal entities, shall develop and implement a capability and process within the Department of Homeland Security that—
(A) shall accept from any entity in real time cyber threat indicators and defensive measures, pursuant to this section;
(B) shall, upon submittal of the certification under paragraph (2) that such capability and process fully and effectively operates as described in such paragraph, be the process by which the Federal Government receives cyber threat indicators and defensive measures under this Act that are shared by a private entity with the Federal Government through electronic mail or media, an interactive form on an Internet website, or a real time, automated process between information systems except—
(i) communications between a Federal entity and a private entity regarding a previously shared cyber threat indicator; and
(ii) communications by a regulated entity with such entity’s Federal regulatory authority regarding a cybersecurity threat;
(C) ensures that all of the appropriate Federal entities receive in an automated manner such cyber threat indicators shared through the real-time process within the Department of Homeland Security;
(D) is in compliance with the policies, procedures, and guidelines required by this section; and
(E) does not limit or prohibit otherwise lawful disclosures of communications, records, or other information, including—
(i) reporting of known or suspected criminal activity, by an entity to any other entity or a Federal entity;
(ii) voluntary or legally compelled participation in a Federal investigation; and
(iii) providing cyber threat indicators or defensive measures as part of a statutory or authorized contractual requirement.
(2) CERTIFICATION.—Not later than 10 days prior to the implementation of the capability and process required by paragraph (1), the Secretary of Homeland Security shall, in consultation with the heads of the appropriate Federal entities, certify to Congress whether such capability and process fully and effectively operates—
(A) as the process by which the Federal Government receives from any entity a cyber threat indicator or defensive measure under this Act; and
(B) in accordance with the policies, procedures, and guidelines developed under this section.
(3) PUBLIC NOTICE AND ACCESS.—The Secretary of Homeland Security shall ensure there is public notice of, and access to, the capability and process developed and implemented under paragraph (1) so that—
(A) any entity may share cyber threat indicators and defensive measures through such process with the Federal Government; and
(B) all of the appropriate Federal entities receive such cyber threat indicators and defensive measures in real time with receipt through the process within the Department of Homeland Security.
(4) OTHER FEDERAL ENTITIES.—The process developed and implemented under paragraph (1) shall ensure that other Federal entities receive in a timely manner any cyber threat indicators and defensive measures shared with the Federal Government through such process.
(5) REPORT ON DEVELOPMENT AND IMPLEMENTATION.—
(A) IN GENERAL.—Not later than 60 days after the date of the enactment of this Act, the Secretary of Homeland Security shall submit to Congress a report on the development and implementation of the capability and process required by paragraph (1), including a description of such capability and process and the public notice of, and access to, such process.
(B) CLASSIFIED ANNEX.—The report required by subparagraph (A) shall be submitted in unclassified form, but may include a classified annex.
(d) Information Shared With Or Provided To The Federal Government.—
(1) NO WAIVER OF PRIVILEGE OR PROTECTION.—The provision of cyber threat indicators and defensive measures to the Federal Government under this Act shall not constitute a waiver of any applicable privilege or protection provided by law, including trade secret protection.
(2) PROPRIETARY INFORMATION.—Consistent with section 4(c)(2), a cyber threat indicator or defensive measure provided by an entity to the Federal Government under this Act shall be considered the commercial, financial, and proprietary information of such entity when so designated by the originating entity or a third party acting in accordance with the written authorization of the originating entity.
(3) EXEMPTION FROM DISCLOSURE.—Cyber threat indicators and defensive measures provided to the Federal Government under this Act shall be—
(A) deemed voluntarily shared information and exempt from disclosure under section 552 of title 5, United States Code, and any State, tribal, or local law requiring disclosure of information or records; and
Okay, so the sharing is voluntary, not mandatory; I’m fine with that, aren’t you?
(B) withheld, without discretion, from the public under section 552(b)(3)(B) of title 5, United States Code, and any State, tribal, or local provision of law requiring disclosure of information or records.
(4) EX PARTE COMMUNICATIONS.—The provision of a cyber threat indicator or defensive measure to the Federal Government under this Act shall not be subject to a rule of any Federal agency or department or any judicial doctrine regarding ex parte communications with a decisionmaking official.
(5) DISCLOSURE, RETENTION, AND USE.—
(A) AUTHORIZED ACTIVITIES.—Cyber threat indicators and defensive measures provided to the Federal Government under this Act may be disclosed to, retained by, and used by, consistent with otherwise applicable provisions of Federal law, any Federal agency or department, component, officer, employee, or agent of the Federal Government solely for—
(i) a cybersecurity purpose;
(ii) the purpose of identifying a cybersecurity threat, including the source of such cybersecurity threat, or a security vulnerability;
(iii) the purpose of identifying a cybersecurity threat involving the use of an information system by a foreign adversary or terrorist;
(iv) the purpose of responding to, or otherwise preventing or mitigating, an imminent threat of death, serious bodily harm, or serious economic harm, including a terrorist act or a use of a weapon of mass destruction;
(v) the purpose of responding to, or otherwise preventing or mitigating, a serious threat to a minor, including sexual exploitation and threats to physical safety; or
(vi) the purpose of preventing, investigating, disrupting, or prosecuting an offense arising out of a threat described in clause (iv) or any of the offenses listed in—
(I) section 3559(c)(2)(F) of title 18, United States Code (relating to serious violent felonies);
(II) sections 1028 through 1030 of such title (relating to fraud and identity theft);
(III) chapter 37 of such title (relating to espionage and censorship); and
(IV) chapter 90 of such title (relating to protection of trade secrets).
(B) PROHIBITED ACTIVITIES.—Cyber threat indicators and defensive measures provided to the Federal Government under this Act shall not be disclosed to, retained by, or used by any Federal agency or department for any use not permitted under subparagraph (A).
Fair enough, still seems reasonable to me. These seem like sensible limits.
(C) PRIVACY AND CIVIL LIBERTIES.—Cyber threat indicators and defensive measures provided to the Federal Government under this Act shall be retained, used, and disseminated by the Federal Government—
(i) in accordance with the policies, procedures, and guidelines required by subsections (a) and (b);
(ii) in a manner that protects from unauthorized use or disclosure any cyber threat indicators that may contain personal information of or identifying specific persons; and
Good, that sounds right.
(iii) in a manner that protects the confidentiality of cyber threat indicators containing personal information of or identifying a specific person.
Fine. That sounds sensible.
(D) FEDERAL REGULATORY AUTHORITY.—
(i) IN GENERAL.—Except as provided in clause (ii), cyber threat indicators and defensive measures provided to the Federal Government under this Act shall not be directly used by any Federal, State, tribal, or local government to regulate, including an enforcement action, the lawful activities of any entity, including activities relating to monitoring, operating defensive measures, or sharing cyber threat indicators.
Good, I’m cool with that.
(ii) EXCEPTIONS.—
(I) REGULATORY AUTHORITY SPECIFICALLY RELATING TO PREVENTION OR MITIGATION OF CYBERSECURITY THREATS.—Cyber threat indicators and defensive measures provided to the Federal Government under this Act may, consistent with Federal or State regulatory authority specifically relating to the prevention or mitigation of cybersecurity threats to information systems, inform the development or implementation of regulations relating to such information systems.
(II) PROCEDURES DEVELOPED AND IMPLEMENTED UNDER THIS ACT.—Clause (i) shall not apply to procedures developed and implemented under this Act.
SEC. 6. PROTECTION FROM LIABILITY.
(a) Monitoring Of Information Systems.—No cause of action shall lie or be maintained in any court against any private entity, and such action shall be promptly dismissed, for the monitoring of information systems and information under section 4(a) that is conducted in accordance with this Act.
(b) Sharing Or Receipt Of Cyber Threat Indicators.—No cause of action shall lie or be maintained in any court against any entity, and such action shall be promptly dismissed, for the sharing or receipt of cyber threat indicators or defensive measures under section 4(c) if—
(1) such sharing or receipt is conducted in accordance with this Act; and
(2) in a case in which a cyber threat indicator or defensive measure is shared with the Federal Government, the cyber threat indicator or defensive measure is shared in a manner that is consistent with section 5(c)(1)(B) and the sharing or receipt, as the case may be, occurs after the earlier of—
(A) the date on which the interim policies and procedures are submitted to Congress under section 5(a)(1); or
(B) the date that is 60 days after the date of the enactment of this Act.
(c) Construction.—Nothing in this section shall be construed—
(1) to require dismissal of a cause of action against an entity that has engaged in gross negligence or willful misconduct in the course of conducting activities authorized by this Act; or
(2) to undermine or limit the availability of otherwise applicable common law or statutory defenses.
So if I’ve understood this correctly, you cannot be held liable in a civil suit because you failed to share this information with the government, is that correct?
SEC. 7. OVERSIGHT OF GOVERNMENT ACTIVITIES.
(a) Biennial Report On Implementation.—
(1) IN GENERAL.—Not later than 1 year after the date of the enactment of this Act, and not less frequently than once every 2 years thereafter, the heads of the appropriate Federal entities shall jointly submit and the Inspector General of the Department of Homeland Security, the Inspector General of the Intelligence Community, the Inspector General of the Department of Justice, the Inspector General of the Department of Defense, and the Inspector General of the Department of Energy, in consultation with the Council of Inspectors General on Financial Oversight, shall jointly submit to Congress a detailed report concerning the implementation of this Act.
(2) CONTENTS.—Each report submitted under paragraph (1) shall include the following:
(A) An assessment of the sufficiency of the policies, procedures, and guidelines required by section 5 in ensuring that cyber threat indicators are shared effectively and responsibly within the Federal Government.
(B) An evaluation of the effectiveness of real-time information sharing through the capability and process developed under section 5(c), including any impediments to such real-time sharing.
(C) An assessment of the sufficiency of the procedures developed under section 3 in ensuring that cyber threat indicators in the possession of the Federal Government are shared in a timely and adequate manner with appropriate entities, or, if appropriate, are made publicly available.
(D) An assessment of whether cyber threat indicators have been properly classified and an accounting of the number of security clearances authorized by the Federal Government for the purposes of this Act.
(E) A review of the type of cyber threat indicators shared with the Federal Government under this Act, including the following:
(i) The degree to which such information may impact the privacy and civil liberties of specific persons.
(ii) A quantitative and qualitative assessment of the impact of the sharing of such cyber threat indicators with the Federal Government on privacy and civil liberties of specific persons.
(iii) The adequacy of any steps taken by the Federal Government to reduce such impact.
(F) A review of actions taken by the Federal Government based on cyber threat indicators shared with the Federal Government under this Act, including the appropriateness of any subsequent use or dissemination of such cyber threat indicators by a Federal entity under section 5.
(G) A description of any significant violations of the requirements of this Act by the Federal Government.
(H) A summary of the number and type of entities that received classified cyber threat indicators from the Federal Government under this Act and an evaluation of the risks and benefits of sharing such cyber threat indicators.
(3) RECOMMENDATIONS.—Each report submitted under paragraph (1) may include recommendations for improvements or modifications to the authorities and processes under this Act.
(4) FORM OF REPORT.—Each report required by paragraph (1) shall be submitted in unclassified form, but may include a classified annex.
(b) Reports On Privacy And Civil Liberties.—
(1) BIENNIAL REPORT FROM PRIVACY AND CIVIL LIBERTIES OVERSIGHT BOARD.—Not later than 2 years after the date of the enactment of this Act and not less frequently than once every 2 years thereafter, the Privacy and Civil Liberties Oversight Board shall submit to Congress and the President a report providing—
(A) an assessment of the effect on privacy and civil liberties by the type of activities carried out under this Act; and
(B) an assessment of the sufficiency of the policies, procedures, and guidelines established pursuant to section 5 in addressing concerns relating to privacy and civil liberties.
(2) BIENNIAL REPORT OF INSPECTORS GENERAL.—
(A) IN GENERAL.—Not later than 2 years after the date of the enactment of this Act and not less frequently than once every 2 years thereafter, the Inspector General of the Department of Homeland Security, the Inspector General of the Intelligence Community, the Inspector General of the Department of Justice, the Inspector General of the Department of Defense, and the Inspector General of the Department of Energy shall, in consultation with the Council of Inspectors General on Financial Oversight, jointly submit to Congress a report on the receipt, use, and dissemination of cyber threat indicators and defensive measures that have been shared with Federal entities under this Act.
(B) CONTENTS.—Each report submitted under subparagraph (A) shall include the following:
(i) A review of the types of cyber threat indicators shared with Federal entities.
(ii) A review of the actions taken by Federal entities as a result of the receipt of such cyber threat indicators.
(iii) A list of Federal entities receiving such cyber threat indicators.
(iv) A review of the sharing of such cyber threat indicators among Federal entities to identify inappropriate barriers to sharing information.
(3) RECOMMENDATIONS.—Each report submitted under this subsection may include such recommendations as the Privacy and Civil Liberties Oversight Board, with respect to a report submitted under paragraph (1), or the Inspectors General referred to in paragraph (2)(A), with respect to a report submitted under paragraph (2), may have for improvements or modifications to the authorities under this Act.
(4) FORM.—Each report required under this subsection shall be submitted in unclassified form, but may include a classified annex.
SEC. 8. CONSTRUCTION AND PREEMPTION.
(a) Otherwise Lawful Disclosures.—Nothing in this Act shall be construed—
(1) to limit or prohibit otherwise lawful disclosures of communications, records, or other information, including reporting of known or suspected criminal activity, by an entity to any other entity or the Federal Government under this Act; or
(2) to limit or prohibit otherwise lawful use of such disclosures by any Federal entity, even when such otherwise lawful disclosures duplicate or replicate disclosures made under this Act.
(b) Whistle Blower Protections.—Nothing in this Act shall be construed to prohibit or limit the disclosure of information protected under section 2302(b)(8) of title 5, United States Code (governing disclosures of illegality, waste, fraud, abuse, or public health or safety threats), section 7211 of title 5, United States Code (governing disclosures to Congress), section 1034 of title 10, United States Code (governing disclosure to Congress by members of the military), section 1104 of the National Security Act of 1947 (50 U.S.C. 3234) (governing disclosure by employees of elements of the intelligence community), or any similar provision of Federal or State law.
(c) Protection Of Sources And Methods.—Nothing in this Act shall be construed—
(1) as creating any immunity against, or otherwise affecting, any action brought by the Federal Government, or any agency or department thereof, to enforce any law, executive order, or procedure governing the appropriate handling, disclosure, or use of classified information;
Fair enough.
(2) to affect the conduct of authorized law enforcement or intelligence activities; or
Fair enough.
(3) to modify the authority of a department or agency of the Federal Government to protect classified information and sources and methods and the national security of the United States.
Fair enough.
(d) Relationship To Other Laws.—Nothing in this Act shall be construed to affect any requirement under any other provision of law for an entity to provide information to the Federal Government.
Fair enough.
(e) Prohibited Conduct.—Nothing in this Act shall be construed to permit price-fixing, allocating a market between competitors, monopolizing or attempting to monopolize a market, boycotting, or exchanges of price or cost information, customer lists, or information regarding future competitive planning.
More than fair, obviously.
(f) Information Sharing Relationships.—Nothing in this Act shall be construed—
(1) to limit or modify an existing information sharing relationship;
(2) to prohibit a new information sharing relationship;
(3) to require a new information sharing relationship between any entity and the Federal Government; or
(4) to require the use of the capability and process within the Department of Homeland Security developed under section 5(c).
(g) Preservation Of Contractual Obligations And Rights.—Nothing in this Act shall be construed—
(1) to amend, repeal, or supersede any current or future contractual agreement, terms of service agreement, or other contractual relationship between any entities, or between any entity and a Federal entity; or
(2) to abrogate trade secret or intellectual property rights of any entity or Federal entity.
(h) Anti-Tasking Restriction.—Nothing in this Act shall be construed to permit the Federal Government—
(1) to require an entity to provide information to the Federal Government;
(2) to condition the sharing of cyber threat indicators with an entity on such entity’s provision of cyber threat indicators to the Federal Government; or
(3) to condition the award of any Federal grant, contract, or purchase on the provision of a cyber threat indicator to a Federal entity.
(i) No Liability For Non-Participation.—Nothing in this Act shall be construed to subject any entity to liability for choosing not to engage in the voluntary activities authorized in this Act.
(j) Use And Retention Of Information.—Nothing in this Act shall be construed to authorize, or to modify any existing authority of, a department or agency of the Federal Government to retain or use any information shared under this Act for any use other than permitted in this Act.
(k) Federal Preemption.—
Look, frankly, does this act change anything? Or does it just say, “You’re welcome to let us know if you notice a problem, and we promise it won’t be used for any purpose but alerting other people to the possibility that there’s a problem?
(1) IN GENERAL.—This Act supersedes any statute or other provision of law of a State or political subdivision of a State that restricts or otherwise expressly regulates an activity authorized under this Act.
(2) STATE LAW ENFORCEMENT.—Nothing in this Act shall be construed to supersede any statute or other provision of law of a State or political subdivision of a State concerning the use of authorized law enforcement practices and procedures.
(l) Regulatory Authority.—Nothing in this Act shall be construed—
(1) to authorize the promulgation of any regulations not specifically authorized by this Act;
(2) to establish or limit any regulatory authority not specifically established or limited under this Act; or
(3) to authorize regulatory actions that would duplicate or conflict with regulatory requirements, mandatory standards, or related processes under another provision of Federal law.
(m) Authority Of Secretary Of Defense To Respond To Cyber Attacks.—Nothing in this Act shall be construed to limit the authority of the Secretary of Defense to develop, prepare, coordinate, or, when authorized by the President to do so, conduct a military cyber operation in response to a malicious cyber activity carried out against the United States or a United States person by a foreign government or an organization sponsored by a foreign government or a terrorist organization.
SEC. 9. REPORT ON CYBERSECURITY THREATS.
(a) Report Required.—Not later than 180 days after the date of the enactment of this Act, the Director of National Intelligence, in coordination with the heads of other appropriate elements of the intelligence community, shall submit to the Select Committee on Intelligence of the Senate and the Permanent Select Committee on Intelligence of the House of Representatives a report on cybersecurity threats, including cyber attacks, theft, and data breaches.
(b) Contents.—The report required by subsection (a) shall include the following:
(1) An assessment of the current intelligence sharing and cooperation relationships of the United States with other countries regarding cybersecurity threats, including cyber attacks, theft, and data breaches, directed against the United States and which threaten the United States national security interests and economy and intellectual property, specifically identifying the relative utility of such relationships, which elements of the intelligence community participate in such relationships, and whether and how such relationships could be improved.
(2) A list and an assessment of the countries and nonstate actors that are the primary threats of carrying out a cybersecurity threat, including a cyber attack, theft, or data breach, against the United States and which threaten the United States national security, economy, and intellectual property.
(3) A description of the extent to which the capabilities of the United States Government to respond to or prevent cybersecurity threats, including cyber attacks, theft, or data breaches, directed against the United States private sector are degraded by a delay in the prompt notification by private entities of such threats or cyber attacks, theft, and breaches.
(4) An assessment of additional technologies or capabilities that would enhance the ability of the United States to prevent and to respond to cybersecurity threats, including cyber attacks, theft, and data breaches.
(5) An assessment of any technologies or practices utilized by the private sector that could be rapidly fielded to assist the intelligence community in preventing and responding to cybersecurity threats.
(c) Form Of Report.—The report required by subsection (a) shall be made available in classified and unclassified forms.
(d) Intelligence Community Defined.—In this section, the term “intelligence community” has the meaning given that term in section 3 of the National Security Act of 1947 (50 U.S.C. 3003).
SEC. 10. CONFORMING AMENDMENTS.
(a) Public Information.—Section 552(b) of title 5, United States Code, is amended—
(1) in paragraph (8), by striking “or” at the end;
(2) in paragraph (9), by striking “wells.” and inserting “wells; or”; and
(3) by inserting after paragraph (9) the following:
“(10) information shared with or provided to the Federal Government pursuant to the Cybersecurity Information Sharing Act of 2015”..”.
(b) Modification Of Limitation On Dissemination Of Certain Information Concerning Penetrations Of Defense Contractor Networks.—Section 941(c)(3) of the National Defense Authorization Act for Fiscal Year 2013 (Public Law 112–239; 10 U.S.C. 2224 note) is amended by inserting at the end the following: “The Secretary may share such information with other Federal entities if such information consists of cyber threat indicators and defensive measures and such information is shared consistent with the policies and procedures promulgated by the Attorney General under section 5 of the Cybersecurity Information Sharing Act of 2015.”
—————————————-
So that’s it, as far as I understand it. Am I missing something? Why is it being reported like this?
The US Senate overwhelmingly passed a controversial cybersecurity bill critics say will allow the government to collect sensitive personal data unchecked, over the objections of civil liberties groups and many of the biggest names in the tech sector.
Did you read anything that suggested that? It seemed quite the opposite to me, but maybe I don’t fully understand the language.
Published in Domestic Policy, General
I am going to need to go through this again. I just woke up and haven’t even finished my first cup of coffee yet. However, one of the biggest complaints I have heard that has made me give the same look my dogs give me when I start talking to them is that this allows the Feds to collect “up stream” data. Now, I don’t want to get too into the weeds here, but we already can access “up stream” data. And I didn’t see any language in there that could be construed to mean “access ‘up stream’ data.” But I will check back in later today and read this again.
You were headed in the right direction with “other purposes”.
Look at the “AUTHORIZED ACTIVITIES” section and contemplate adding a comment.
Consider what regulations might be promulgated using that as justification.
After Joe the Plumber, Lois Lerner, and Servergate, it is 100% clear that the public cannot rely on the criminal conspiracy known as the Democratic Party-Permanent Bureaucracy to police itself and cannot rely on the Republican establishment to intervene.
I could not support any such bill without built-in civil and criminal penalties for abuse and private enforcement actions for both.
All bills have that catchall, for good or ill. One for ill is Obamacare. Revenue bills have to originate in the House; that’s why a House-passed bill was gutted and amended by the Senate as the vehicle for Obamacare’s origination in the Senate.
They left out Interior. I guess Parks and Recs users don’t need to worry about government intrusion.
I’m chary of any “potentiality” that can be used by government. That smacks of prior restraint, however well intended this time.
I’m fairly sanguine about this. This is a threat information sharing bill. Foreign powers like the PRC or Russia (or Iran…) ought to be excluded from it. We have other means of sharing such information with our friends and allies.
A small part of my broad ignorance: do none of these operate other networks like oil/gas distribution, toll roads, etc?
I’d like to see this definition expanded to include the digitial “fingerprint” of malicious code itself, including to the extent possible, Day 0 exploits. This becomes especially important in SEC 3(a)(1).
I’d like to see this expanded to allow, even on an exception basis, sharing of classified information with key, vetted IT personnel.
So far, so good….
Same thing as applied to the Feds in an earlier paragraph: the discovering entity has to take measures to prevent unauthorized things–hackers, e.g.–from learning about the threat and/or the counter.
It could be a form of collusion.
The bigger deal in my mind is that such sharing is exempt from FOIA requests. I’m down with that, too.
Implications of this section on attorney-client privilege?
My understanding is that you can’t be held liable for having shared, if the sharing was in good faith consistent with the methods and procedures of this bill. The bill already says in a couple of places that the sharing is voluntary, which means no liability attaches for not doing the voluntary thing.
I’d like to see a departure from this boilerplate procedure: not reporting by the deadline shall mean the relevant Departments believe their procedures (and other aspects identified in this Section) are deemed insufficient, and a clock triggered by which draft and then final procedures are promulgated that correct the deficiency.
It’s important in that it exists and provides a framework for the sharing. It’s also important in that it explicitly indemnifies those who share in good faith.
I didn’t see anything addressing whether sharing threat indicator information, etc, exempts the sharer from sanction for having used/benefited from such threat indicators prior to disclosure, as in, “Here’s how that bank could be robbed, copper, now you can’t arrest me for having done it in the past.”
Otherwise, this bill seems like a good start.
Well, it is The Guardian. And of course ACLU, et al., are going to object; they’re just setting up their lawsuits in advance.
Big Tech objects because it authorizes them to share with Little Tech, whose security procedures might not be up to snuff, and with Comey’s demand for government back doors into encryption and this administration’s general handling of cyber security and cyber threats makes them rightfully paranoid of government move to authorize this sort of sharing. The next step, after all, is to mandate the sharing. “What do you have to hide?”
Eric Hines
Do you mean Section 4?
And the problem with this is that Little Tech gets to free-ride on Big Tech’s investment, I presume?
Section 5 (d) (5) (A)
I am troubled with the claim that this does not pertain to foreign entities, or at least that is how the language of the bill reads to me. So are we pushing a piece of legislation through that seeks to only protect from US threats–read “citizens”?
It seems so, doesn’t it? Does anyone else read it differently?
This part?
That exempts from disclosure under the Freedom of Information Act. Interesting — why would they add that, do you think?
You have to look for where the term “entity” is used vs. something else like “person”, “foreign government”, and “terrorist organization”.
Without reading deeper, it seems like one or both of two things may be at play:
I mean this:
Yes, the language does seem overbroad (“for the purpose of mitigating a serious economic harm?” To whom? How is this defined?) though they specify it must be consistent with other provisions of federal law. Why not leave it at that — the information may be used in ways consistent with other provisions of federal law — rather than emphasizing these points?
The bill is designed to allow sharing of information between entities and the federal government. Entities specifically excludes foreign countries because we don’t want to share information with them. The definition of entities has nothing to do with where the threats come from.
As I explained previously, this bill will not do what is intended, and is unnecessary.
Because if “entities” start loading up government websites with piles of “cyber threat indicators”, the federal government isn’t going to want to be required to share that data with other people, except as they see fit. And as they see fit is going to be via whatever mechanism they come up with, as defined in this bill. Which should be good enough.
Big tech objects because there is not enough in this bill to protect privacy. The bill doesn’t sufficiently define what kind of data can be shared with “entities” and the federal government.
Spin objects because it won’t work. What IT director is going to, in the midst of some cyber attack, take the time to navigate some government website and provide data about the attack? Especially when all the information is already out there?
That’s one aspect. Another is that, absent adequate security measures, the data concerning the threat and any counter-threat might become exposed to those who shouldn’t have it.
Eric Hines
There’s a lot of text in the bill that pertains to controlling the shared threat and counter-threat information so that the wrong folks–the hackers whose efforts got discovered, for instance, or other hackers, or those foreign powers who are excluded from entities–don’t learn about the discovery or the mitigation methods.
Blocking access to the information via FOIA requests blocks this avenue of discovery by those nefarious ones. I’m down with that.
Eric Hines
Claire,
I don’t see that someone else answered this.
This to me pertains to the security of security procedures taken. If someone gets in control of your anti-malware program they can turn it off.
For me your comment sums up the entire bill. It is very important to share this kind of information to maintain overall security but I am surprised that foreign threats are excluded. It makes it clear on what terms the sharing will take place, which is good, but then doesn’t want to know about the foreign threats. The internet is a big place and threats from anywhere happen instantaneously.
So I guess my reaction is “meh”.
Regards,
Jim
This is my issue with the bill as well, it seems to be a solution in search of a problem.
There already exists an entire Threat Intelligence industry that is geared to distributing precisely this type information for enterprises that are interested in it, if they are interested.
What exactly is this bill intended to do? On first blush it appears completely pointless.
There are three problems, however:
First, most people who are in the middle of a cyber attack are not going to say anything to anyone beyond what they are absolutely required to. I spoke with a agent of the FBI who specializes in cyber crime. He told me that some organizations are required by law to tell regulators (not law enforcement) when they’ve had a data breach. They will often tell them that, and only that. This is because they do not want anyone to know they are vulnerable to some specific intrusion until the breach is fixed.
Second, most of the hacks and vulnerabilities that hackers user are already well known by anyone who is paying attention to this area. There’s just no point taking steps to keeping the info out of the hands of the bad guys, except my point above.
Third, the hackers are way smarter than we are. Way smarter. The instant we get wise to them, they know it. These guys are super smart, super sophisticated. And they laugh at us.
That was certainly my point as well. This bill smacks of two things:
First, it smacks of small-ball, American liberalism. “There’s a problem out there and ain’t nobody knows how to solve it but the government. See there? There’s a bill that proves we know what time it is!”
Second, it smacks of the airplane exec, who read a piece on WSJ while he was in the air, and decides that if he comes home and blusters about and demands a policy be put in place, convincing himself that the Chinese won’t steal his crown jewels if he’s got a policy in place.
Nothing in the present bill changes that.
It’s the rest that are of interest.
Not relevant. Unless you’re suggesting we do nothing at all.
What’s your alternative?
Eric Hines
I’m providing the three problems as reasons to oppose this bill.
I will put my alternative in a separate comment.
As I see the term entity, that excludes foreign entities, it has nothing to do with those causing a threat, entity is only used to describe those reacting to the threat and sharing information. Thus one can share information between US companies and the US government and its territories, commonwealths etc, but cannot exchange information with a foreign power, but can react to threats from same, because they are not entities, in that context.
Other flaws are as others have indicatged.
This is the alternative, that is, here is what will actually help combat cyber threats: user awareness training. According to the same FBI special agent I mentioned above, in over 90% of the breaches we’ve seen, the threat vector was phishing scam. Other research tells us that 70% of the time, people will click the link in a phishing e-mail.
When a hacker takes advantage of an actual vulnerability, say on a website, or network perimeter device, they are using a vulnerability that has existed for many months, and to which a patch or fix has been released. This is not always the case, but it is mostly the case.
Here is the issue: we do not take cyber threats seriously enough. Our users do not, our software developers do not, our IT people do not.
We need to do anything and everything we can to train our people to understand the threat, and respond to it. That is the alternative.
Let me tell you what I am doing.
First, I have instituted “Security Thursday”. I send an email to my entire, worldwide organization with relevant information about some specific threat, or something that has happened out there. I then tie that in to what we are doing, and how our users can be involved in stopping this if it happens here.
Second, I’ve changed my outlook on users. Instead of saying things like “These people are so stupid”, I praise the users who screw up, but tell me about it. The other day I said to a gal in accounting “Thanks for being part of the IT Security Team!” I am trying to create a culture where people can self-report, where people are willing to let us know right away when they see something fishy.
Third, I’ve formed a group within my community of IT managers and professionals with the purpose of developing relevant user training. I don’t mean training where someone reads off some security policy, but training users how to spot an attack, how to stop it, and what to do when they see it.
Finally, I am pushing all of my IT people to always think of security first, not last. I know it’s easier to send that password via IM or e-mail (!). But that isn’t secure. Call the person and give them the password over the phone. That’s just an example.
They key to this alternative: recognizing that people are the weak link. Not the machines.
John,
Makes sense. The other way makes no sense.
Regards,
Jim
Certainly necessary. But how is this an alternative, rather than a “do this, too?”
Eric Hines
Here’s the question: What is this for? Cyber security, as it is understood by the layman, is a euphemism for Russia and China for the most part. But there isn’t much language in this bill that indicates that either of these two countries will be or could be prevented from, degraded while conducting, or attacked during a cyber attack. My biggest worry is that this bill will become a means–another means that is–of surveilling the American people under the guise that this is the new “public space.” The language is vague and that is by design so as to have a wide berth when using it until getting busted. And mark my words the federal government, at some point, is going to try this and they are going to get busted. The history of the Intelligence Community is rife with these kinds of stories.