August 03, 2015

S. 754 – Cybersecurity Information Sharing Act of 2015

Noteworthy

Background: On March 13, 2015, the Senate Intelligence Committee held a closed markup on S. 754, the Cybersecurity Information Sharing Act of 2015 and voted 14-1 to advance the legislation. The House companion, H.R. 1560, the Protecting Cyber Networks Act, passed on a bipartisan vote of 307-116. On June 11, 2015, the Senate failed to invoke cloture on Burr Amendment #1569 to the National Defense Authorization Act (the text of S. 754), 56-40, due to procedural, not substantive, concerns raised by Democrats.

Floor Situation: It is anticipated the Senate will vote on the bill during this work period.

Executive Summary: The bill would enhance the sharing of information about cybersecurity threats within the private sector and between the government and the private sector. Specifically, the legislation would provide an exemption from antitrust laws and authorize liability protections for covered entities voluntarily sharing information for cybersecurity purposes. The bill would also enable private entities to take narrowly tailored “defensive measures” to prevent, detect, analyze, and mitigate cybersecurity threats. The bill includes measures to enhance privacy and civil liberties, and the committee adopted a significant number of Democratic recommendations aimed at these issues. The managers’ amendment makes a number of changes to the bill, adding further bipartisan privacy protections and a number of technical changes.

Overview of the Issue

In May 2009, President Obama declared that the “cyber threat is one of the most serious economic and national security challenges we face as a nation.” In the same speech, the president recognized that the United States is “not as prepared as we should be, as a government or country.” After that, his administration did little else to effectively address the threat.

The House passed the Cyber Intelligence Sharing and Protection Act (CISPA) in April 2012 and again in April 2013. These were bipartisan bills, with numerous amendments included to augment privacy protections. Forty-two Democrats voted for CISPA in 2012, and 92 voted for it in 2013.

In 2014, Intelligence Committee Chairwoman Dianne Feinstein and Ranking Member Saxby Chambliss agreed on information sharing legislation, the Cybersecurity Information Sharing Act, which was reported out of committee by a bipartisan vote of 12-3. That bill was blocked from any further action by Democrat Majority Leader Harry Reid. 

The White House failed to work with Congress to complete cybersecurity legislation, and instead acted on its own, issuing executive order 13636 in February 2013. The administration created voluntary incentives for the private sector to share information with the federal government and to create a framework to protect critical infrastructure. However, the framework, based on an executive order, fails to address liability protection for information sharing. In February 2015, the White House developed and transmitted its version of a cybersecurity bill to Congress. Senator Carper filed the bill – S. 456 – on behalf of the White House.

Considerations of the Bill

According to a 2013 study by the Center for Strategic and International Studies, cybercrime costs the United States an estimated $100 billion annually. A 2014 survey found that 69 percent of U.S. executives are worried about how cyber threats will affect their company’s growth.

That threat continues to escalate. Incidents of loss, theft, and exposure of personally identifiable information increased by 38 percent from 2011 to 2012. During the first nine months of 2014, there were reportedly 1,922 data breaches, exposing 904 million records. Last year alone, there were more than 67,000 cyber incidents against federal agencies; over 27,000 of these incidents involved personally identifiable information. This is a 1,100 percent increase from 2006.

The Office of Personnel Management recently suffered two noteworthy cybersecurity breaches. In April 2015, OPM found that “personnel data of 4.2 million current and former Federal government employees had been stolen.” During the investigation of this breach, OPM also discovered the theft of personal information including Social Security numbers of 21.5 million people.

To improve cybersecurity information sharing between the federal government and the private sector, Section 3 of S. 754 directs the federal government to develop procedures to facilitate information sharing. Under Section 4, the bill authorizes private entities to monitor their information systems, to voluntarily share and receive cyber threat indicators and defensive measures, and to operate defensive measures. A defensive measure, under Section 2, is narrowly defined and excludes offensive measures that would destroy, provide unauthorized access to, or substantially harm an information system or data on an information system.

Addressing privacy concerns, the bill includes a significant number of privacy protections in Sections 2 through 5, and calls for information not directly involved with a cybersecurity threat or defensive measure to be removed before being shared with any governmental entity. The legislation also calls for numerous reviews of privacy and civil liberty protections from department inspectors general and the Privacy and Civil Liberties Oversight Board.

A number of the changes in the managers’ amendment address concerns from privacy advocates. The managers’ amendment would eliminate the government’s ability to use cyber threat information to investigate and prosecute “serious violent felonies.” It would also limit the authorization for sharing cyber threat information provided in the bill to sharing for cybersecurity purposes.

Making further bipartisan changes to enhance privacy protections, the managers’ amendment also clarifies the types of cyber information sharing that are permitted to occur outside the “DHS portal” created by the bill. The exception to the DHS portal requirement concerning previously shared cyber threat indicators was revised to clarify that such communications must describe the relevant cybersecurity threat or the development of a defensive measure based on the threat. It also eliminates the creation of a new exemption in the Freedom of Information Act specific to cyber information. Information shared through the bill would still be eligible for existing FOIA exemptions.

Section 6 of the bill provides liability protection for private entities that monitor information systems or share or receive cyber threat indicators and defensive measures for cybersecurity purposes with other entities and the federal government. The antitrust exemption is a separate provision (Section 4(e)); it covers the “antitrust laws” as the bill defines them, namely the laws referenced in Section 1 of the Clayton Act and Section 5 of the Federal Trade Commission Act to the extent that section applies to unfair methods of competition. Section 8(k) adds preemption of state laws that restrict activities authorized under the bill.

Notable Bill Provisions

Section 2(4) – Cybersecurity purpose

Defines the term “cybersecurity purpose” as the purpose of protecting an information system or information that is stored on, processed by, or transiting an information system from a cybersecurity threat or security vulnerability.

Section 2(7) – Defensive measure

This section defines “defensive measure” to mean an action, device, procedure, signature, technique, or other measure applied to an information system or information that is stored on, processed by, or transiting an information system that detects, prevents, or mitigates a known or suspected cybersecurity threat or security vulnerability.

Section 2(7)(B) – Exclusion

Under this section, defensive measure does not include a measure that destroys, renders unusable, or substantially harms an information system or data on an information system. The managers’ amendment clarifies that the authorization to employ defensive measures does not allow an entity to gain unauthorized access to a computer network.

Section 3 – Sharing of information by the federal government

The director of national intelligence, secretary of homeland security, secretary of defense, and attorney general will develop and promulgate procedures to promote the timely sharing of cybersecurity information.

Section 4(a) – Authorization for preventing and mitigating cybersecurity threats

Enables a private entity to monitor information systems for a cybersecurity purpose.

Section 4(b) – Authorization for operation of defensive measures

Enables a private entity to operate a defensive measure that is applied to information systems for cybersecurity purposes. Because “defensive measure” is narrowly defined in Section 2, this authorization permits only a limited set of defensive actions.

Section 4(c) – Authorization for sharing or receiving of cyber threat indicators or defensive measures

This section allows a private entity to share with, or receive from, any other entity or the federal government a threat indicator or defensive measure. The managers’ amendment would limit the authorization for sharing cyber threat information provided in the bill to sharing for cybersecurity purposes.

Section 4(d)(1) – Protection and use of information

Requires that any entity monitoring an information system, operating a defensive measure, or providing or receiving a cyber threat indicator or defensive measure protect against unauthorized access to or acquisition of such information.

Section 4(d)(2) – Removal of certain personal information

This section requires that, before sharing cybersecurity information, an entity review information and remove personal information not directly related to a cybersecurity threat. The provision also calls for entities to implement and utilize technical capability to remove any personal information not directly related to a cybersecurity threat.

Section 4(e) – Antitrust exemption

This provision provides that it will not be a violation of antitrust laws for two or more private entities to exchange or provide a cyber threat indicator, or assistance relating to the prevention, investigation, or mitigation of a cybersecurity threat.

Section 5 – Sharing cyber threat indicators and defensive measures with the federal government

This section provides for the federal government to implement procedures to facilitate cybersecurity information sharing not later than 60 days after enactment of the bill. The federal government will provide guidelines on the types of information that qualify as cyber threat indicators and on information protected under applicable privacy laws that is unlikely to be directly related to a cybersecurity threat.

Section 5(b) – Privacy and civil liberties

Not later than 60 days after enactment of this bill, the attorney general shall develop, submit to Congress, and make available guidelines relating to privacy and civil liberties that shall govern the receipt, retention, use, and dissemination of cyber threat indicators by a federal entity obtained in connection with the cybersecurity activities in this act.

Section 5(b)(2)(B) – Periodic review

This section calls for the attorney general to periodically review the privacy and civil liberties guidelines governing the federal government’s handling of cyber threat indicators.

Section 5(c) – Capability and process within the Department of Homeland Security

The secretary of the Department of Homeland Security will develop and implement a capability and process within DHS to accept cyber threat information through an automated system in real time. The managers’ amendment clarifies the types of cyber information sharing that are permitted to occur outside the “DHS portal” created by the bill. Specifically, the bill clarifies the scope of communications regarding previously shared cyber threat information that can be shared outside of the DHS portal.

Section 5(d) – Information shared with or provided to federal government

This provision provides that information sharing will not constitute a waiver of any applicable privilege or protection. Sharing of cybersecurity information will be voluntary and rights to proprietary information will not be infringed upon. The managers’ amendment would eliminate the government’s ability to use cyber information to investigate and prosecute “serious violent felonies.” This represents a significant privacy change.

Section 6 – Protection from liability

No cause of action shall lie or be maintained in any court against any private entity, and such action shall be promptly dismissed, for the monitoring of information systems or sharing or receipt of cyber threat indicators and defensive measures.

Section 7(a) – Oversight of government activities

Federal agencies shall submit information to various inspectors general in order to examine and oversee the implementation of cybersecurity information sharing, including content, effectiveness, and privacy and civil liberties.

Section 7(b) – Reports on privacy and civil liberties

This section calls for a biennial report from the Privacy and Civil Liberties Oversight Board.

Section 8(h)(3)(i) – No liability for non-participation

Information sharing under the bill is voluntary; entities that choose not to participate will not be held liable for non-participation.

Section 8(k) – Federal preemption

This section provides for a narrow construction of the bill and preempts state laws that restrict or otherwise expressly regulate an activity authorized under the bill.

Section 10(a) – Conforming amendment

The managers’ amendment eliminates the creation of a new exemption in the Freedom of Information Act specific to cyber information. Information shared through the bill would still be eligible for existing FOIA exemptions.

Administration Position

The Obama administration has not yet publicly taken a stance on S. 754 but has made a statement of administration policy supporting the House companion bill on information sharing, H.R. 1560.

Cost

CBO estimates that S. 754 “would cost approximately $20 million over the 2016-2020 period, assuming appropriation of the estimated amounts.” CBO also estimates that the “aggregate costs of the mandates on public entities would fall below the threshold for intergovernmental mandates.”

Amendments

There are no amendments at this time.