On Wednesday, April 17, 2013, the House will begin consideration of H.R. 624, the Cyber Intelligence Sharing and Protection Act (CISPA), under a rule. H.R. 624 was introduced on February 13, 2013 by Rep. Mike Rogers (R-MI) and was referred to the House Permanent Select Committee on Intelligence, which held a markup and reported the bill by a vote of 18-2.
H.R. 624 breaks down policy and legal barriers to allow the federal government to share classified cyber threat intelligence with the private sector; and to allow private sector entities to share cyber threat information with one another and with the federal government on a purely voluntary basis.
Specifically, H.R. 624 requires the Director of National Intelligence (DNI) to establish procedures to enable the intelligence community to share classified cyber threat intelligence with private sector entities. In addition, H.R. 624 authorizes private sector cybersecurity providers—if they receive the express consent of those they protect—to voluntarily share cyber threat information with other entities, including the federal government.
H.R. 624 protects private sector entities from civil or criminal liability if they, in good faith, share cyber threat information with other private entities and with the federal government. The bill also prevents private sector liability for any decision made as a result of the information obtained or shared. Nothing in H.R. 624 requires a private entity to share cyber threat information with the federal government, and nothing in the bill conditions a private entity’s receipt of cyber threat intelligence from the federal government on its willingness to provide information to the federal government.
The information shared by the private sector must be limited to “cyber threat information,” and may only be used for the following limited purposes: cybersecurity; investigation and prosecution of cybersecurity crimes; protection of individuals from danger of death or serious physical injury; investigation and prosecution of crimes involving death or serious physical injury; protection of minors from harm such as child pornography, kidnapping, and trafficking; and investigation and prosecution of such crimes against minors. In the markup of H.R. 624, the House Permanent Select Committee on Intelligence (HPSCI) removed a provision that allowed the federal government to use cyber threat information received from the private sector for the protection of national security. H.R. 624 enforces the authorized uses listed above by allowing an adversely affected individual to sue the federal government if it intentionally or willfully misuses such information in a manner not provided for in the bill.
H.R. 624 requires the DNI, working with the Secretary of Homeland Security and the Attorney General, to establish and periodically review policies and procedures for the receipt, retention, use, and disclosure of cyber threat information shared with the federal government. In part, the procedures must minimize the impact on privacy and civil liberties. H.R. 624 requires the DNI to submit the procedures to Congress, and requires the establishment of a program to oversee federal agency compliance with the procedures.
H.R. 624 requires the issuance of two reports to analyze the information shared with the federal government under the measure: 1) The Inspector General of the Intelligence Community must submit an annual report to congressional intelligence committees, reviewing the use of information shared by the private sector with the federal government. In part, the report must provide metrics for analyzing the impact of such information sharing on privacy and civil liberties; 2) H.R. 624 also requires the Civil Liberties Protection Officer of the Office of the DNI and the Chief Privacy and Civil Liberties Officer of the Department of Justice to submit to Congress an annual report on the privacy and civil liberties impact of the activities conducted by the federal government under the measure. Both reports must be unclassified.
H.R. 624 will sunset five years after its enactment.
Each day, the U.S. government and private American companies are targeted by individual hackers and state-sponsored entities, which seek to gain access to sensitive national security and infrastructure information and valuable research and development from American companies. When hackers steal trade secrets from American companies, those companies are placed at a disadvantage in the global market. According to HPSCI, “China, in particular, is engaged in an extensive, day-in, day-out effort to pillage American intellectual property.” Although it is difficult to quantify, estimates of loss from cyber economic espionage range up to $400 billion per year.
In the 112th Congress, HPSCI held a series of briefings and hearings to examine the extent and impact of cybersecurity threats, and to determine what actions the intelligence community could take to better defend against these attacks. The Committee found that the intelligence community possesses valuable intelligence that—if made available to the private sector—would significantly improve the ability of American companies to better defend themselves. Yet a lack of positive legal authority has kept the intelligence community from sharing such information with private companies. In addition, policy and legal barriers have prevented the private sector from sharing cyber threat information with other parts of the private sector and with the federal government.
H.R. 624 aims to provide positive authority to permit the voluntary sharing of information about cybersecurity threats and vulnerabilities with others—including entities within the private sector, and with the federal government. H.R. 624 was modeled after the Defense Industrial Base Enhanced Cybersecurity Services program (DECS) program, operated by the Department of Defense, through which “the government provides threat intelligence to key Internet Service Providers, who use the information to protect a limited number of companies in the defense industrial base, all on a voluntary basis.”
The House passed similar legislation (H.R. 3523) in the 112th Congress on April 26, 2012 by a vote of 248-168; however, the Senate did not take up the measure. On April 16, 2013 the White House issued a Statement of Administration Policy (SAP) recommending that the President veto H.R. 624.
 Id. at 10.
The CBO estimates the implementing the bill would have a discretionary cost of $20 million over the 2014-2018 period, assuming appropriation of the necessary amounts. Enacting H.R. 624 could affect direct spending or revenues; therefore, pay-as-you-go procedures apply. However, CBO estimates that those effects would be insignificant for each year. The bill would impose intergovernmental and private-sector mandates, as defined in the Unfunded Mandates Reform Act (UMRA), by extending civil and criminal liability protection to entities and cybersecurity providers that share or use cyber threat information. The bill also would impose additional intergovernmental mandates on state governments by preempting state disclosure and liability laws. Because of uncertainty about the number of cases that would be limited and any forgone compensation that would result from compensatory damages, CBO cannot determine whether the costs of the mandate would exceed the annual threshold established in UMRA for private-sector mandates ($150 million in 2013, adjusted annually for inflation). However, CBO estimates that the aggregate costs of the mandates on public entities would fall below the threshold for intergovernmental mandates ($75 million in 2013, adjusted annually for inflation). For more information, see CBO’s cost estimate on H.R. 624.
Since CISPA was first introduced in the 112th Congress, 19 changes to the text have been made to address privacy concerns. For more information, see HPSCI’s document entitled 19 Privacy Improvements: The Cyber Information Sharing and Protection Act (CISPA).
In addition, H.R. 624 has support from a broad range of industry representatives. For additional information, see more than 60 letters of support for the measure.