Cybersecurity or surveillance? What does the language attached at the last minute to the 2,009 page omnibus government funding bill actually authorize? In this episode, we take a close look at what just became law.

Please support Congressional Dish:

Click here to contribute with PayPal or Bitcoin; click the PayPal “Make it Monthly” checkbox to create a monthly subscription



Click here to support Congressional Dish for each episode via Patreon



Mail Contributions to:

5753 Hwy 85 North #4576

Crestview, FL 32536

Thank you for supporting truly independent media!

The Cybersecurity Act of 2015 was attached at the last minute to the “omnibus” government funding bill, which was 2,009 pages long and available to read for less than three days before it became law. This is and outline of what became law:

Section 102: Definitions

“Agency“: “Any executive department, military department, Government corporation, Government controlled corporation, or other establishment in the executive branch of Government” Does NOT include the Government Accountability Office, Federal Election Commission, or Government-owned contractor-operated facilities

“Cybersecurity threat“: An action that “ may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system”.

result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system”. “Cyber threat indicator“: “Information that is necessary to describe or identify”… Spying, including strange patterns of communications that appear to be collecting technical information Security breaches Security vulnerabilities A legitimate user being used to defeat a security system Malicious cyber command and control “The actual or potential harm caused by an incident, including a description of the information exfiltrated as a result of a particular cybersecurity threat” “Any other attribute of a cybersecurity threat , if disclosure of such attribute is not otherwise prohibited by law”

“Non-Federal entity“: “Any private entity, non-Federal government agency or department, or State, tribal, or local government (including a political subdivision, department, or component thereof)” Does not include a foreign power, as defined in the FISA law



Section 103: Sharing of Information by the Federal Government

Procedures for sharing information both within and outside the Federal government will be created by: Director of National Intelligence Secretary of Homeland Security Secretary of Defense Attorney General

The procedures developed must… Allow real time sharing of information Include requirements for the government to protect the information from unauthorized access Require Federal entities to review cyber threat indicators for information not directly related to the threat that contains information that identifies a specific individual and remove the information Include procedures for notifying “any United States person” whose information has been shared by the Federal government



Section 104: Authorizations for Preventing, Detecting, Analyzing, and Mitigating Cybersecurity Threats

“A non-Federal entity may… share with, or receive from, any other non-Federal entity or the Federal Government a cyber threat indicator or defensive measure” Non-Federal entities sharing information mush “review” the information for “personal information of a specific individual” and “remove such information” OR have a technical way of removing the information it “knows at the time of sharing” to be personal information.



Use of Cyber Threat Indicators by Government

Section 105: Sharing of Cyber Threat Indicators and Defensive Measures with the Federal Government”

Section 106: Protection from Liability

The courts must dismiss any lawsuits against “any private entity” for monitoring information systems or sharing/receiving “cyber threat indicators”

Section 107: Oversight of Government Activities

Heads of “appropriate Federal entities” will submit a report

Inspectors General of the “appropriate Federal entities” will submit reports every two years

The Comptroller General of the United States will submit a report on actions taken by the Federal Government to remove personal information. Report will be due in three years.

Unclassified portions of the reports will be available to the public.

Section 108: Construction and Preemption

Lists what this bill is not intended to do

Section 109: Report on Cybersecurity Threats

Report will be submitted by the Director of National Intelligence

NEW Section 110: Exception to Limitation on Authority of Secretary of Defense to Disseminate Certain Information

Specifically allows the Secretary of Defense to share information

Section 111: Effective Period

These provisions expire on September 30, 2015.

Section 203: Information Sharing Structure and Processes

Sections 206-209: Reports that will expire after 7 years

Subtitle B: Federal Cybersecurity Enhancement Act of 2015

Section 223: Improved Federal Network Security

Section 225: Federal Cybersecurity Requirements

The Secretary of Homeland Security will issue binding operational directives for agencies to secure their networks within a year. Agencies will have to… Identify sensitive and mission critical data stored by the agency Assess the need to store that data and determine which individuals need access to it Encrypt the data Implement a single sign-on platform for people using the agency website that requires user authentication Require multi-factor authentication for remote access

to secure their networks within a year. Agencies will have to… Agencies will not have to comply if they say it’s “overly burdensome to implement” or that it’s not necessary.

These binding operational directives will not apply to the Defense Department, a “national security system”, or the intelligence community.

Section 227: Termination

The directives and reports on them will expire in 7 years, December 2022.

Section 229: Direction to Agencies

The Secretary of Homeland Security can order the head of other agencies to take “lawful actions” in response to security threats.

Section 303: National Cybersecurity Workforce Measurement Initiative

Requires an assessment of all Federal positions that have cyber-related functions

Section 401: Study on Mobile Device Security

Orders a study on the security of mobile devices of the Federal Government

Section 402: Department of State International Cyberspace Policy Strategy

Orders a State Department report on threats from foreign sources and cooperation strategies within 90 days.

Section 403: Apprehension and Prosecution of International Cyber Criminals

The Secretary of State must consult with government officials in countries where we don’t have an extradition treaty to determine what actions they’ve taken to catch “cyber criminals” with arrest warrant issued by US judges or Interpol.

Section 404: Enhancement of Emergency Services

Orders the National Cybersecurity and Communications Integration Center to create a process for information sharing with Statewide Interoperability Coordinators

Section 405: Improving Cybersecurity in the Health Care Industry

Requires a report that will include a plan so that “the Federal Government and health care industry stakeholders may in real time, share actionable cyber threat indicators and defensive measures”

Additional Reading

Music Presented in This Episode

Cover Art

Design by Only Child Imaginations