Comparison of Information Sharing, Monitoring and Countermeasures Provisions in the Cybersecurity Bills



Similar documents
Information Sharing, Monitoring, and Countermeasures in the Cybersecurity Act, S. 2105, and the SECURE IT Act, S. 2151

Myths and Facts about the Cyber Intelligence Sharing and Protection Act (CISPA)

Cybersecurity Information Sharing Legislation Protecting Cyber Networks Act (PCNA) National Cybersecurity Protection Advancement (NCPA) Act

S. ll IN THE SENATE OF THE UNITED STATES A BILL

Preservation of longstanding, roles and missions of civilian and intelligence agencies

Legislative Language

DIVISION N CYBERSECURITY ACT OF 2015

Virginia Joint Commission on Technology and Science. Cybersecurity Legislation

To improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes.

Cybersecurity and Information Sharing: Comparison of H.R and H.R. 1731

Sharing Cybersecurity Threat Info With the Government -- Should You Be Afraid To Do So?

CYBERSECURITY INFORMATION SHARING BILLS FALL SHORT ON PRIVACY PROTECTIONS

The Department of Homeland Security The Department of Justice

CYBER-SURVEILLANCE BILL SET TO MOVE TO SENATE FLOOR

JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015

DIVISION N CYBERSECURITY ACT OF 2015

S. ll. To improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes.

S. ll. To improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes.

GAO. INFORMATION SECURITY Persistent Weaknesses Highlight Need for Further Improvement

H. R. ll IN THE HOUSE OF REPRESENTATIVES A BILL

1st Session NATIONAL CYBERSECURITY PROTECTION ADVANCEMENT ACT OF 2015

Privacy and Civil Liberties Interim Guidelines: Cybersecurity Information Sharing Act of 2015

Legislative Language. Law Enforcement Provisions Related to Computer Security

Legislative Language

S. 754 AN ACT. Be it enacted by the Senate and House of Representa- tives of the United States of America in Congress assembled,

H. R. ll. To improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes.

COMMENTS OF THE ELECTRONIC PRIVACY INFORMATION CENTER THE DEPARTMENT OF DEFENSE [DOD-2009-OS-0183/RIN 0790-AI60]

S AN ACT. To codify an existing operations center for cybersecurity.

Summary of Privacy and Data Security Bills- 112 th Congress. Prepared for September 15, 2011 CT Privacy Forum

SECTION-BY-SECTION. Section 1. Short Title. The short title of the bill is the Cybersecurity Act of 2012.

DEPARTMENT OF JUSTICE WHITE PAPER. Sharing Cyberthreat Information Under 18 USC 2702(a)(3)

H. R SEC DIRECTORATE FOR INFORMATION ANALYSIS AND INFRA STRUCTURE PROTECTION.

One Hundred Thirteenth Congress of the United States of America

2d Session CYBER INTELLIGENCE SHARING AND PROTECTION ACT

NATIONAL CYBERSECURITY PROTECTION ACT OF 2014

S. ll [Report No. 114 lll]

Counterintelligence Awareness Glossary

United States House of Representatives United States House of Representatives. Washington, DC Washington, DC 20515

CODE OF ETHICS AND BUSINESS CONDUCT

S. ll IN THE SENATE OF THE UNITED STATES

S. 21 IN THE SENATE OF THE UNITED STATES

The U.S. Department of Homeland Security s Response to Senator Franken s July 1, 2015 letter

7.0 Information Security Protections The aggregation and analysis of large collections of data and the development

An Overview of Large US Military Cybersecurity Organizations

Cyber Side-Effects: How Secure is the Personal Information Entered into the Flawed Healthcare.gov? Statement for the Record

Corporate Spying An Overview

In an age where so many businesses and systems are reliant on computer systems,

How Cybersecurity Initiatives May Impact Operators. Ross A. Buntrock, Partner

COMMENTS OF THE ELECTRONIC PRIVACY INFORMATION CENTER

State of Michigan Department of Technology, Management & Budget. Acceptable Use of Information Technology (former Ad Guide 1460.

Public Law th Congress An Act

Department of Defense INSTRUCTION. SUBJECT: Communications Security (COMSEC) Monitoring and Information Assurance (IA) Readiness Testing

4/21/2015. Jim Reavis CEO, Cloud Security Alliance. Cloud Security Alliance, Agenda

Acceptable Use Policy

Public Private Partnerships and National Input to International Cyber Security

U. S. Attorney Office Northern District of Texas March 2013

ORDER OF THE DIRECTOR OF THE COMMUNICATIONS REGULATORY AUTHORITY OF THE REPUBLIC OF LITHUANIA

CYBERSECURITY RISK MANAGEMENT

Computer Network Security & Privacy Protection

National Security Agency

Delaware Cyber Security Workshop September 29, William R. Denny, Esquire Potter Anderson & Corroon LLP

Cloud Cyber Incident Sharing Center (CISC) Jim Reavis CEO, Cloud Security Alliance

THE HARTFORD ASSET MANAGEMENT CHOICE sm POLICY NETWORK

PROJECT BOEING SGS. Interim Technology Performance Report 1. Company Name: The Boeing Company. Contract ID: DE-OE

HIPAA. New Breach Notification Risk Assessment and Sanctions Policy. Incident Management Policy. Focus on: For breaches affecting 1 3 individuals

WILLIS SPECIAL REPORT: 10K DISCLOSURES HOW RETAIL COMPANIES DESCRIBE THEIR CYBER LIABILITY EXPOSURES

Department of Homeland Security Management Directive System MD Number: 4900 INDIVIDUAL USE AND OPERATION OF DHS INFORMATION SYSTEMS/ COMPUTERS

FedRAMP Package Access Request Form For Review of FedRAMP Security Package

Terms and Conditions Relating to Protected Health Information ( City PHI Terms ) Revised and Effective as of September 23, 2013

I N T E L L I G E N C E A S S E S S M E N T

Changing Legal Landscape in Cybersecurity: Implications for Business

H. R. 624 IN THE SENATE OF THE UNITED STATES. APRIL 22, 2013 Received; read twice and referred to the Select Committee on Intelligence AN ACT

Information Security and Electronic Communications Acceptable Use Policy (AUP)

BUSINESS ASSOCIATE AGREEMENT

The National Security Act of A Review

Cybersecurity y Managing g the Risks

1851 (d) RULE OF CONSTRUCTION. Nothing in this section shall be construed to (1) require a State to report data under subsection

Welcome to ChiroCare s Fourth Annual Fall Business Summit. October 3, 2013

SAMPLE BUSINESS ASSOCIATE AGREEMENT

White Paper on Financial Industry Regulatory Climate

Online Detainee Locator System

114 th Congress March, Cybersecurity Legislation and Executive Branch Activity I. ADMINSTRATION S CYBERSECURITY PROPOSALS

Middle Class Economics: Cybersecurity Updated August 7, 2015

Gaining the upper hand in today s cyber security battle

SUMMARY: The Office of the Secretary of Defense proposes to. alter a system of records notice DPFPA 02, entitled Pentagon

HIPAA BUSINESS ASSOCIATE AGREEMENT

OCIE Technology Controls Program

Privacy Issues Airports

Department of Defense DIRECTIVE

Balancing Privacy & Security: The Role of Privacy and Civil Liberties in the Information Sharing Environment

Department of Homeland Security

Cybersecurity and Data Breach: Mitigating Risk and How Government Policymakers Approach These Critical Issues

I. The Proposed Interpretation of Intrusion Software Inappropriately Fails to Exclude Software for Defensive Activities

Houston Regional Intelligence Service Center (Fusion Center) Privacy Policy. Privacy, Civil Rights, and Civil Liberties Policy

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections. Evaluation Report

maintain and enforce on its user clients an acceptable use policy similar in scope and intent to this Acceptable Use Policy.

Answering your cybersecurity questions The need for continued action

HIPAA BUSINESS ASSOCIATE AGREEMENT

Transcription:

April 4, 2012 Comparison of Information Sharing, Monitoring and Countermeasures Provisions in the Cybersecurity Bills The chart below compares on civil liberties grounds four bills that seek to promote cybersecurity. The PRECISE Act, H.R. 3674 ( Lungren bill) is scheduled for mark-up the week of April 16 at the House Homeland Security Committee. The Cyber Intelligence Sharing and Protection Act, H.R. 3523 ( Rogers bill) was marked up in December by the House Permanent Select Committee on Intelligence. The Cybersecurity Act, S. 2105 ( Lieberman bill) was introduced on February 14. The SECURE IT Act, S. 2151 ( McCain bill) was introduced on March 1. The Lieberman, McCain and Lungren bills all include cybersecurity measures unrelated to information sharing that are not reflected in this chart. For more information, please contact CDTʼs Gregory T. Nojeim (gnojeim@cdt.org) or Kendall C. Burman (kburman@cdt.org), 202/637-9800. Does the bill protect privacy by narrowly defining the cyber threat information that can be shared? (Bill language defining the info that can be shared is so critically important we set it forth for each bill in the appendix.) Yes. Authorizes the No. Very broadly defines Somewhat. Like the No. Cyber threat sharing only of the information that can Lungren bill, authorizes information includes information that is be shared as information entities to disclose eight information that is necessary to identify or directly pertaining to a specific categories of indicative of or describe one of six vulnerability of, or threat information called cyber describes nine carefully defined to a system or network, threat indicators, categories of information, categories of information including information although information including that which may related to cyber attacks, pertaining to protecting a need only indicative of signify malicious intent or and requires reasonable system or network from those categories in order fosters situational efforts to strip irrelevant an attack or theft of to be shared. Also awareness of US information on specific information, with no requires reasonable security. Does not persons. Sec. 248 requirement to strip efforts to strip irrelevant require any effort to strip personal information. information on specific personal information. Sec. 1104(b)(f)(6) persons. Secs. 702, 704 Sec. 101(4)

Method of sharing? Establishes a non-profit, Allows for private Cyber threat indicators Allows for private quasi-governmental entity companies and may be shared through companies to exchange the National Information government agencies to DHS-designated federal information with each Sharing Organization exchange information or non-federal exchanges other and with existing (NISO) -- that would directly for any or directly among cybersecurity centers. 1 serve as a clearinghouse cybersecurity purpose. companies. Since liability Sec. 102(a)(2). Federal for the exchange of cyber Companies would choose protection for private contractors providing threat information. NISOʼs the agency or agencies companies only applies certain IT services to the board of directors would with which they would for information shared government would be be dominated by industry, share information and with an exchange, required to disclose with government and could also share companies will be information. Sec. 102(b) privacy interests also at information directly with disinclined to share the table. Sec. 241 each other. The bill strictly with each other. creates no clearinghouse. Secs. 702, 703 Sec. 1104(b)(1) Does the bill promote transfer of cybersecurity authority from civilian to military control by permitting private civilian entities to share communications info with NSA? No. Wisely cements DHS, a civilian agency, as the lead federal agency for cybersecurity. Information sharing authorized in the bill would go through a primarily private entity. Yes. The bill creates a real possibility that a military agency, such as NSA or DODʼs Cyber Command, would take the lead. Information sharing is authorized through amendment to Title 50 of National Security Act, rather than through amendment of civilian homeland security authorities. Unclear. The bill requires DHS, the AG, ODNI, and DOD create a process for designating cyber exchanges. The lead federal cyber exchange could be NSA, Cyber Command, or a DHS entity, but DHS is the lead exchange for up to 60 days until this designation. Other federal exchanges could be civilian or military. Sec. 703(c) and (d) Yes. Goes beyond even Rogers by allowing cyber information to be shared by civilian private entities with a host of government cybersecurity centers, the majority of which are military. 1 The McCain bill defines cybersecurity center as the Department of Defense Cyber Crime Center, the Intelligence Community Incident Response Center, the United States Cyber Command Joint Operations Center, the National Cyber Investigative Joint Task Force, the National Security Agency/Central Security Service Threat Operations Center, [and] the National Cybersecurity and Communications Integration Center, and any successor center. Sec. 101(5)

Does the bill protect privacy by requiring that information shared with a private company for cybersecurity purposes be used only for cybersecurity purposes? Yes. Private companies can only use information for a cybersecurity purpose. Sec. 248(b)(5). No. No use restriction protects consumers. Other than a prohibition against using information to gain an unfair competitive advantage, bill leaves all restrictions on use up to the companies who share this information. Also exempts companies from liability for abuses of sharing information if they act in good faith. Sec. 1104 (b)(2) and (3) Yes. Companies that receive information can use it only for cybersecurity. Secs. 702(b)(4) and 704(c)(4). Companies must agree to any lawful restrictions placed on the disclosure of the info by the disclosing entity or exchange. Secs. 702(b)(2), 704(c)(2), 704(g)(1)(B). They are also prohibited from using info to gain an unfair competitive advantage. Sec. 702(b); 704(c). While there is no immunity for breach of info sharing rules, companies have a good faith defense in any civil or criminal action. Sec. 706(b) No. No use restriction protects consumers. Private entities to place restrictions on the use or further sharing of information by the receiving entity. Sec. 102(e). Provides civil and criminal liability protection for the use or disclosure of information under the Act, undermining even this use restriction. Sec. 102(g)

Does the bill protect privacy by limiting government use of shared information to cybersecurity purposes? Yes. Properly restricts the government from using shared information for anything other than a cybersecurity purpose, which includes the prosecution of cybersecurity crimes. Sec. 248(b)(3) No. As amended, information shared with the government for cybersecurity purposes can be used by the government for any nonregulatory purpose whatsoever, including intelligence surveillance. It can also be used in any criminal prosecution if also used for a significant national security or cybersecurity purpose. No. Like Rogers, bill provides no real restriction on law enforcement use. Law enforcement can receive cyber threat indicators from federal cyber exchanges and only restriction is that information must appear[] to relate to a crime. Sec. 704(g)(2) and (3) No. Bill puts even fewer limits on government use than in the other bills, permitting cyber threat information the Fed. Govʼt receives to be used for a cybersecurity purpose, a national security purpose, or in order to prevent, investigate, or prosecute the many crimes listed under the Wiretap Act. Sec. 102(c)(1) Does the bill include strong measures to ensure that entities authorized to share and receive info are held accountable? Yes. Requires NISO to commission an independent audit to review compliance of NISO and its members with information sharing rules. Creates limited private right of action for willful violations of obligation to use information only for cybersecurity purposes, and makes good faith compliance with information sharing rules a complete defense. Sec. 249 and Sec. 251 as amended No. Because the bill imposes such limited use restrictions, there isnʼt much for a private or governmental entity to be held accountable for. As amended, authorizes the Inspector General of the Intelligence Community to submit an annual report to Congress on the exchange and use of cyber threat information. No accountability mechanism designed to ensure that private companies do not use information received for non-cybersecurity purposes or that they abide by use and disclosure restrictions. Somewhat. Requires private companies to agree by contract with disclosing federal agency that they will not misuse the cyber threat information they receive, but creates no private right of action. Sec. 704(g)(2)(b). DHS given wide discretion to develop policies that balance cybersecurity needs with civil liberties interests for Federal entities. Compliance program for cyber policies set by DHS and DOJ who will also issue report to Congress. Sec. 704(g)

Does the bill confer overly broad authority for providers to monitor internet usersʼ communications? Somewhat. Permits ISPs Yes. Permits ISPs to use Yes. Also authorizes ISPs Yes. Authorizes ISPs and to use cybersecurity cybersecurity systems and others to monitor others to use on their systems on their on their networks and their networks, and the networks, and the networks and permits permits cybersecurity computers of consumers networks of those who cybersecurity providers to providers to do so as well and companies who give give permission, do so as well in order to in order to monitor the permission, for cybersecurity systems monitor the networks of networks of companies cybersecurity threats to obtain cyber threat companies they protect, they protect, to identify which are broadly defined information, which is to identify and obtain only and obtain much more to include any action that broadly defined to include narrowly defined cyber broadly defined cyber may result in any information that may threat information. threat information, which unauthorized access to, be indicative of any Proposed Homeland includes information theft of, or manipulation information that would Security Act Sec 248(a) pertaining to the of data that is stored on foster situational misappropriation of or transiting any system. awareness of the US intellectual property. Sec. 701 security posture. Sec. Proposed National 102(a) Security Act Sec. 1104(b)(1) Do private companies receive overly-broad authority to employ countermeasures against Internet users, including their customers? Unclear. The bill vaguely gives cybersecurity providers and selfprotected entities authority to use cybersecurity systems to protect rights and property which may be roughly equivalent of authority to employ countermeasures. Sec. 248(a) Unclear. Similar to Lungren, the Rogers bill includes authority to use cybersecurity systems to protect rights and property, which may authorize overly-broad countermeasures. Sec. 1104(b)(1) Yes. The bill gives companies broad power to modify or block traffic to protect against any action that might result in compromise of an information system. Exercise of this authority could violate net neutrality. Sec. 701 Yes. McCain gives the same broad and problematic authority to interfere with traffic as does Lieberman, and compounds the problem by immunizing countermeasures conduct against any legal liability. Secs. 102(a), (g)

Appendix - Defining What Information Can Be Shared Each of the four bills analyzed in this chart permits companies to share cybersecurity information notwithstanding any law.ʼ This means that information sharing is authorized even if a federal or state privacy law, or another law, would protect the information against disclosure. As a result, it is critically important that the bills narrowly describe the information that can be shared. This is so critically important that this appendix quotes the description of the information that can be shared under each bill. Of the four bills, only the Lungren bill has a sufficiently narrow description. The Lungren bill defines the term cyber threat information that can be shared notwithstanding any law (see Sec. 248) as the information that is (A) necessary to identify or describe-- (1) a method of defeating a technical or operational control that corresponds to a cyber attack; (2) a method of causing a person with authorized access to an information system or to information that is stored on, processed by, or transiting an information system to unwittingly enable the defeat of a technical control; (3) information exfiltrated in a cyber attack when such information necessary to identify or describe the attack; (4) anomalous patterns of communications that appear to be transmitted in connection with a cyber attack, but does not include other communications content, or dialing, routing, addressing and signaling information not necessary to describe such attack; (5) anomalous patterns of communications that appear to be transmitted for the purpose of gathering technical information to be used in a cyber attack; or (6) a method for remote identification of, access to, or use of an information system or information that is stored on, processed by, or transiting an information system associated with a known or suspected cyber attack; and (B) from which reasonable efforts have been made to remove information that can be used to identify specific persons unrelated to a cyber attack. Sec. 248 (f)(6) The Rogers bill defines cyber threat information that can be shared notwithstanding any law (see Secs. 1104(b) and 9d)) as information directly pertaining to a vulnerability of, or threat to a system or network of a government or private entity, including information pertaining to the protection of a system or network from-- (A) efforts to degrade, disrupt or destroy such system or network; or (B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information. Sec. 1104(b)(f)(6) The Lieberman defines cybersecurity threat indicators that can be shared notwithstanding any law (see Secs. 702(a), 704(a), and 707(b)) as information that (A) may be indicative of or describe (1) malicious reconnaissance, including anomalous patterns of communications that reasonably appear to be transmitted for the purpose of gathering technical information related to a cybersecurity threat; (2) a method of defeating a technical control; (3) a technical vulnerability; (4) a method of defeating an operational control; (5) a method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system to unwittingly enable the defeat of a technical control or an operational control; (6) malicious cyber command and control; (7) the actual or potential harm caused by an incident, including information exfiltrated as a result of subverting a technical control when it is necessary in order to identify or describe a cybersecurity threat; (8) any other attribute of a cybersecurity threat, if disclosure of such attribute is not otherwise prohibited by law; or (9) any combination thereof; and (B) from which reasonable efforts have been made to remove information that can be used to identify specific persons unrelated to the cybersecurity threat. Sec. 708(6) The McCain bill defines cyber threat information that can be shared notwithstanding any law (see Sec. 102(f)) as information that may be indicative or describe: (A) a technical or operation vulnerability or a cyber threat mitigation measure; (B) an action or operation to mitigate a cyber threat; (C) malicious reconnaissance, including anomalous patterns of network activity that appear to be transmitted for the purpose of gathering technical information related to a cybersecurity threat; (D) a method of defeating a technical control; (E) a method of defeating an operational control; (F) network activity or protocols known to be associated with a malicious cyber actor or that may signify malicious intent; (G) a method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system to inadvertently enable the defeat of a technical or operational control; (H) any other attribute of a cybersecurity threat or information that would foster the situational awareness of the United States security posture, if disclosure of such attribute or information is not otherwise prohibited by law; (I) the actual or potential harm caused by a cyber incident, including information exfiltrated when it is necessary in order to identify or describe a security threat; or (J) any combination thereof. Sec. 101(4).

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information