U.S. House Passes Cyberthreat Information Sharing Bills
On Wednesday, April 22, 2015, the U.S. House of Representatives passed two bills that would promote
First, the House voted 307–116 to pass the Protecting Cyber Networks Act (PCNA, H.R. 1560), a bill designed to allow
Among other things, the bill would do the following:
- The Director of National Intelligence (DNI) would be required to write procedures to share classified and declassified cyberthreat indicators in the possession of federal agencies with private entities and other state, tribal, and local governments.
- PCNA would also explicitly allow private entities to:
  - monitor and operate defensive measures on their own networks;
  - with written authorization, monitor and operate defensive measures on other private or government entities’ networks; and
  - conduct defensive activities on information stored on, processed by, or transiting their own networks, or (with written authorization) the network of another party.
- Federal entities would be authorized to use cyberthreat information and defensive measures to:
  - protect networks and information from cybersecurity threats;
  - respond to, prosecute, or prevent or mitigate the threat of death or serious bodily harm or an offense arising from the threat;
  - respond to, or prevent or mitigate, a serious threat to a minor, including sexual exploitation and threats to physical safety; and
  - prevent, investigate, disrupt, or prosecute specified criminal offenses relating to fraud and identity theft, serious violent felonies, espionage and censorship, or trade secrets.
- Non-federal entities would be permitted to share and receive cyberthreat indicators or defensive measures with other non-federal entities and with certain designated federal entities, but not directly with the U.S. Department of Defense (DOD), including the National Security Agency (NSA), unless authorized by another applicable law or regulation.
- State, tribal, and local authorities would be permitted to use cyberthreat information and defensive measures to:
  - protect networks;
  - respond to, prosecute, prevent, or mitigate threats of death or serious bodily harm; and
  - respond to, prevent, or mitigate serious threats to minors, including sexual exploitation and threats to physical safety.
- The President would be directed to submit procedures to Congress for the receipt of cyberthreat information and defensive measures by the federal government, including real-time sharing with all appropriate federal agencies, audit capability, and sanctions for the inappropriate use of the cyberthreat information or defensive measures. A Cyber Threat Intelligence Integration Center (CTIIC) would be established under the DNI, with the primary responsibility for coordinating the sharing of threat information, threat analysis, and cyberthreat intelligence activities and strategic planning.
- The U.S. Department of Justice (DOJ) would be required to set privacy and civil liberties guidelines to govern the receipt, retention, use, and dissemination of cyberthreat indicators by federal entities, including guidelines to ensure that personal information of, or information identifying, specific persons is removed from information received, retained, used, or disseminated by a federal entity. Individuals would be authorized to bring a cause of action against the federal government if an agency intentionally or willfully violated DOJ’s privacy and civil liberties guidelines.
The Administration’s concerns with the bill include what OMB characterized as the “sweeping” liability protection measures, and the ability to use certain “potentially disruptive defensive measure in response to network incidents.” The Administration said it was committed to working with stakeholders to address its concerns. The statement noted that “[i]nformation sharing is one piece of a larger suite of legislation needed to provide the private sector, the Federal Government, and law enforcement with the necessary tools to combat cyber threats.”
The House also passed the National Cybersecurity Protection Advancement Act of 2015 (
The two measures now head to the Senate, where another bill, the Cyberthreat Information Sharing Act of 2015 (CISA, S. 754), is under consideration. The Administration’s qualified support for the measures is something of a reversal, as the Administration last year had opposed similar measures. Privacy advocates, including the American Civil Liberties Union (ACLU), the American Library Association (ALA), and the Electronic Frontier Foundation (EFF), oppose the bills, and launched a website, Stop Cyber Surveillance, calling on President Obama to veto them. However, with reports of increasing
For more information on privacy and data security requirements and developments, and other related consumer product safety issues, contact Sheila A. Millar at +1 202 434-4143 or millar@khlaw.com, or Tracy P. Marshall at marshall@khlaw.com or +1 202 434-4234. Follow privacy, advertising, and data security developments and other similar topics on Keller and Heckman’s Consumer Protection Connection blog.