Cybersecurity Information Sharing Act - Is it really about warrantless data collection?

CD106: CISA and Friends

CISA – the Cybersecurity Information Sharing Act – has officially passed the Senate. While Congress is busy merging CISA with two other so-called cybersecurity bills that passed the House of Representatives, in this episode, by taking an in-depth look at the contents of all three bills, we discover that these bills are not what you’re being led to believe.



S. 754: Cybersecurity Information Sharing Act of 2015

  • Passed the Senate 74-21 on October 27, 2015.
  • Sponsored by Sen. Richard Burr of North Carolina
  • 118 pages

Outline of the Bill

Definitions:
  • "Agency" = "Any executive department, military department, Government corporation, Government controlled corporation, or other establishment in the executive branch of the Government (including the Executive Office of the President), or any independent regulatory agency, but does not include" –

    • The Government Accountability Office
    • Federal Election Commission
    • The governments of the District of Columbia and of the territories and possessions of the United States, and their various subdivisions
    • Government-owned contractor-operated facilities, including laboratories engaged in national defense research and production activities
  • "Cybersecurity threat" = An action "not protected by the First Amendment to the Constitution" that "may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system."

    • A "cybersecurity threat" does not include "any action that solely involves a violation of a consumer term of service or a consumer licensing agreement."
  • "Cyber threat indicator" = Information that is needed to identify –

    • Spying, including strange patterns of communications that appear to be collecting technical information
    • Security breaches
    • Security vulnerabilities
    • A legitimate user being used to defeat a security system
    • Malicious cyber command and control
    • The harm caused by a cybersecurity incident, including the information taken as a result
    • "Any other attribute of a cybersecurity threat, if disclosure of such attribute is not otherwise prohibited by law"
  • "Entity" = "Any private entity, non-Federal government agency or department, or State, tribal, or local government (including a political subdivision, department, or component thereof)"

    • Does not include a "foreign power", which means a foreign government or a foreign-based political organization.

Sharing of Information by the Federal Government

Executive branch officials will write procedures for sharing classified and unclassified "cyber threat indicators" and Federal government information that would help the "entities" to prevent cybersecurity threats.

  • The officials writing the rules will be the Director of National Intelligence, the Secretary of Homeland Security, the Secretary of Defense, and the Attorney General.
  • The rules they write have to:
  • Their procedures will be due 60 days after CISA becomes law.

Monitoring Authorizations

Sharing of Information by "Entities" with the Federal Government

The Attorney General and Secretary of Homeland Security will write the policies and procedures governing receipt of information from private entities and local governments. The policies must include…

The Department of Homeland Security will receive and distribute all of the cyber threat indicators shared with the government.

Protection from Liability

No private entity can be successfully sued in court for sharing information with the government under CISA regulations.

  • The only way a private entity can be sued is in the case of "gross negligence or willful misconduct".

Oversight of Government Activities

Federal Inspectors General will complete a report every two years.

  • The report may include recommendations for improvement.

Other Rules

This bill does not permit price-fixing, attempting to monopolize a market, boycotting, or exchanges of price or cost information, customer lists, or information regarding future competitive planning.

Intrusion Assessment Plan

The Secretary of Homeland Security will create a plan to identify and remove intruders on agency information systems.

Federal Cybersecurity Requirements

Agencies will have to encrypt or render indecipherable information that is stored or transmitted by their information systems, create a single sign-in method for individuals accessing their websites, and implement identity management systems for remote access for each user account.

  • This will not apply to the Department of Defense, a national security system, or elements of the intelligence community.

Emergencies

The Secretary of Homeland Security can authorize "intrusion detection and prevention capabilities" on another agency's information systems in the case of an "imminent threat".

Study on Mobile Device Security

The Secretary of Homeland Security will study threats caused by the shift of technology from desktops to mobile in the Federal Government.

Health Care Industry Sharing

Creates a task force to develop a plan for sharing specifically with private health care entities.

Strategy for Protecting Critical Infrastructure

The Secretary of Homeland Security will have 180 days to develop a strategy ensuring that cyber security incidents would probably not be catastrophic for public health or safety, economic security, or national security. The strategy must include…

  • An assessment of whether each entity should be required to report cyber security incidents
  • A description of security gaps
  • Additional power needed
  • Some of this report can be classified.

Sunset

The provisions of this bill would expire 10 years after enactment.


H.R. 1731: National Cybersecurity Protection Advancement Act of 2015

For reference, here's the text as of March 2015 of the Homeland Security Act, which is amended by this bill.

This bill:


H.R. 1560: Protecting Cyber Networks Act


Audio Sources

Senate Floor Proceeding CISA debate, October 27, 2015 (Transcript)

House Rules Committee: Hearing about HR 1731 and HR 1560, the House cybersecurity bills, April 21, 2015


Additional Information

Article: The fight over CISA is far from over by Eric Geller, The Daily Dot, October 28, 2015.

Webpage: About the National Cybersecurity and Communications Integration Center, Department of Homeland Security.

