CISA – the Cybersecurity Information Sharing Act – has officially passed the Senate. While Congress is busy merging CISA with two other so-called cybersecurity bills that passed the House of Representatives, in this episode, by taking an in-depth look at the contents of all three bills, we discover that these bills are not what you’re being lead to believe.

Please support Congressional Dish:

Click here to contribute with PayPal or Bitcoin; click the PayPal “Make it Monthly” checkbox to create a monthly subscription



Click here to support Congressional Dish for each episode via Patreon



Mail Contributions to:

5753 Hwy 85 North #4576

Crestview, FL 32536

Thank you for supporting truly independent media!

S. 754: Cybersecurity Information Sharing Act of 2015

Passed the Senate 74-21 on October 27, 2015.

Sponsored by Sen. Richard Burr of North Carolina

118 pages

Outline of the Bill

Definitions:

“Agency” = “Any executive department, military department, Government corporation, Government controlled corporation, or other establishment in the executive branch of the Government (including the Executive Office of the President), or any independent regulatory agency, but does not include — The Government Accountability Office Federal Election Commission The governments of the District of Columbia and of the territories and possessions of the United States, and their various subdivisions Government-owned contractor-operated facilities , including laboratories engaged in national defense research and production activities

(including the Executive Office of the President), or any independent regulatory agency, but — “Cybersecurity threat” = An action “not protected by the First Amendment to the Constitution” that “may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system.” A “cybersecurity threat” does not include “any action that soley involves a violation of a consumer term of service or a consumer licensing agreement.

“Cyber threat indicator” = Information that is needed to identify – Spying, including strange patterns of communications that appear to be collecting technical information Security breaches Security vulnerabilities A legitimate user being used to defeat a security system Malicious cyber command and control The harm caused by a cybersecurity incident, including the information taken as a result “Any other attribute of a cybersecurity threat, if disclosure of such attribute is not otherwise prohibited by law”

“Entity” = “ Any private entity , non-Federal government agency or department, or State, tribal, or local government ( including a political subdivision , department, or component thereof) Does not include “a “foreign power”, which means a foreign government or a foreign based political organization.

, non-Federal government agency or department, or State, tribal, or local government ( , department, or component thereof)

Sharing of Information by the Federal Government

Executive branch officials will write procedures for sharing classified and unclassified “cyber threat indicators” and Federal government information that would help the “entities” to prevent cybersecurity threats.

The officials writing the rules will be the Director of National Intelligence, the Secretary of Homeland Security, the Secretary of Defense, and the Attorney General.

The rules they write have to: Ensure “cyber threat indicators” can be shared in real time Include notification procedures for false alarms Include requirements for the Federal government agencies to protect against unauthorized access to the information Requires a Federal entity sharing information to remove personal information Include notification procedures for people whose personal information is shared by the government.

Their procedures will be due 60 days after CISA becomes law.

Monitoring Authorizations

Sharing of Information by “Entities” with the Federal Government

The Attorney General and Secretary of Homeland Security will write the policies and procedures governing receipt of information from private entities and local governments. The policies must include…

The Department of Homeland Security will receive and distribute all of the cyber threat indicators shared with the government.

Information shared will be withheld from the public under the Freedom of Information Act and all State, tribal, and local laws.

In addition to the items of the list of allowed uses of information by State, tribal, and local governments (see Monitoring Authorizations section), the Federal Government can also use the information to… “Prevent or mitigate a serious threat to a minor, including sexual exploitation and threats to their physical safety”



Protection from Liability

No private entity can be successfully sued in court for sharing information with the government under CISA regulations.

The only way a private entity can be sued is in the cast of “gross negligence or willful misconduct”

Oversight of Government Activities

Federal Inspectors General will complete a report every two years.

The report may include recommendations for improvement

Other Rules

This bill does not permit price-fixing, attempting to monopolize a market, boycotting, or exchanges of price or cost information, customer lists, or information regarding future competitive planning.

Intrusion Assessment Plan

The Secretary of Homeland Security will create a plan to identify and remove intruders on agency information systems.

The plan will not apply to the Department of Defense, a national security system or an element of the intelligence community.

The deployment and operation of the new monitoring system can be privatized The private contractor would not be allowed to disclose any of the information they access without permission from the government The private contractor will have immunity from prosecution Internet service providers can not use their immunity to break a user agreement with a customer without their customer’s consent

The activities carried out in this new monitoring plan need to be “reasonably necessary” to protect agency information systems from cybersecurity risks

Federal Cybersecurity Requirements

Agencies will have to encrypt or render indecipherable information that is stored or transmitted by their information systems, create a single sign-in method for individuals accessing their websites, and implement identity management systems for remote access for each user account.

This will not apply to the Department of Defense, a national security system, or elements of the intelligence community.

Emergencies

The Secretary of Homeland Security can authorize “intrusion detection and prevention capabilities” on another agency’s information systems in the case of an “imminent threat”

Study on Mobile Device Security

The Secretary of Homeland Security will study threats caused by the shift of technology from desktops to mobile in the Federal Government

Health Care Industry Sharing

Creates a task force to create a plan for sharing with private health care entities specifically

Strategy for Protecting Critical Infrastructure

The Secretary of Homeland Security will have 180 days to develop a strategy ensuring that cyber security incidents would probably not be catastrophic for public health or safety, economic security, or national security. The strategy must include…

An assessment of whether each entity should be required to report cyber security incidents

A description of security gaps

Additional power needed

Some of this report can be classified.

Sunset

The provisions of this bill would expire 10 years after enactment

H.R. 1731: National Cybersecurity Protection Advancement Act of 2015

For reference, here’s the text as of March 2015 of the Homeland Security Act, which is amended by this bill.

This bill:

H.R. 1560: Protecting Cyber Networks Act

Audio Sources

Senate Floor Proceeding CISA debate, October 27, 2015 (Transcript)

House Rules Committee: Hearing about HR 1731 and HR 1560, the House cybersecurity bills, April 21, 2015

Additional Information

Article: The fight over CISA is far from over by Eric Geller, The Daily Dot, October 28, 2015.

Webpage: About the National Cybersecurity and Communications Integration Center, Department of Homeland Security.

Music Presented in This Episode