H.R. 624: Cyber Intelligence Sharing and Protection Act

Date
April 17, 2013 (113th Congress, 1st Session)

Staff Contact
Emily Leviner

Floor Situation

On Wednesday, April 17, 2013, the House will begin consideration of H.R. 624, the Cyber Intelligence Sharing and Protection Act (CISPA), under a rule.  H.R. 624 was introduced on February 13, 2013 by Rep. Mike Rogers (R-MI) and was referred to the House Permanent Select Committee on Intelligence, which held a markup and reported the bill by a vote of 18-2.

Bill Summary

H.R. 624 breaks down policy and legal barriers to allow the federal government to share classified cyber threat intelligence with the private sector; and to allow private sector entities to share cyber threat information with one another and with the federal government on a purely voluntary basis.

Specifically, H.R. 624 requires the Director of National Intelligence (DNI) to establish procedures to enable the intelligence community to share classified cyber threat intelligence with private sector entities.  In addition, H.R. 624 authorizes private sector cybersecurity providers—if they receive the express consent of those they protect—to voluntarily share cyber threat information with other entities, including the federal government.

H.R. 624 protects private sector entities from civil or criminal liability if they, in good faith, share cyber threat information with other private entities and with the federal government.  The bill also prevents private sector liability for any decision made as a result of the information obtained or shared.  Nothing in H.R. 624 requires a private entity to share cyber threat information with the federal government, and nothing in the bill conditions a private entity’s receipt of cyber threat intelligence from the federal government on its willingness to provide information to the federal government.

The information shared by the private sector must be limited to “cyber threat information,” and may only be used for the following limited purposes: cybersecurity; investigation and prosecution of cybersecurity crimes; protection of individuals from danger of death or serious physical injury; investigation and prosecution of crimes involving death or serious physical injury; protection of minors from harm such as child pornography, kidnapping, and trafficking; and investigation and prosecution of such crimes against minors.  In the markup of H.R. 624, the House Permanent Select Committee on Intelligence (HPSCI) removed a provision that allowed the federal government to use cyber threat information received from the private sector for the protection of national security.  H.R. 624 enforces the authorized uses listed above by allowing an adversely affected individual to sue the federal government if it intentionally or willfully misuses such information in a manner not provided for in the bill.

H.R. 624 requires the DNI, working with the Secretary of Homeland Security and the Attorney General, to establish and periodically review policies and procedures for the receipt, retention, use, and disclosure of cyber threat information shared with the federal government.  In part, the procedures must minimize the impact on privacy and civil liberties.   H.R. 624 requires the DNI to submit the procedures to Congress, and requires the establishment of a program to oversee federal agency compliance with the procedures.

H.R. 624 requires the issuance of two reports to analyze the information shared with the federal government under the measure: 1) The Inspector General of the Intelligence Community must submit an annual report to congressional intelligence committees, reviewing the use of information shared by the private sector with the federal government.  In part, the report must provide metrics for analyzing the impact of such information sharing on privacy and civil liberties; 2) H.R. 624 also requires the Civil Liberties Protection Officer of the Office of the DNI and the Chief Privacy and Civil Liberties Officer of the Department of Justice to submit to Congress an annual report on the privacy and civil liberties impact of the activities conducted by the federal government under the measure.  Both reports must be unclassified.

H.R. 624 will sunset five years after its enactment. 

Background

Each day, the U.S. government and private American companies are targeted by individual hackers and state-sponsored entities, which seek to gain access to sensitive national security and infrastructure information and valuable research and development from American companies.  When hackers steal trade secrets from American companies, those companies are placed at a disadvantage in the global market.  According to HPSCI, “China, in particular, is engaged in an extensive, day-in, day-out effort to pillage American intellectual property.”[1]  Although it is difficult to quantify, estimates of loss from cyber economic espionage range up to $400 billion per year.[2]   

In the 112th Congress, HPSCI held a series of briefings and hearings to examine the extent and impact of cybersecurity threats, and to determine what actions the intelligence community could take to better defend against these attacks. The Committee found that the intelligence community possesses valuable intelligence that—if made available to the private sector—would significantly improve the ability of American companies to better defend themselves.[3]  Yet a lack of positive legal authority has kept the intelligence community from sharing such information with private companies.  In addition, policy and legal barriers have prevented the private sector from sharing cyber threat information with other parts of the private sector and with the federal government. 

H.R. 624 aims to provide positive authority to permit the voluntary sharing of information about cybersecurity threats and vulnerabilities with others—including entities within the private sector, and with the federal government.  H.R. 624 was modeled after the Defense Industrial Base Enhanced Cybersecurity Services (DECS) program, operated by the Department of Defense, through which “the government provides threat intelligence to key Internet Service Providers, who use the information to protect a limited number of companies in the defense industrial base, all on a voluntary basis.”[4]

The House passed similar legislation (H.R. 3523) in the 112th Congress on April 26, 2012 by a vote of 248-168; however, the Senate did not take up the measure.  On April 16, 2013 the White House issued a Statement of Administration Policy (SAP) recommending that the President veto H.R. 624.

Key Messaging

  • Each day, American companies are confronted with an onslaught of cyber attacks from countries like China, Russia and Iran, which seek to steal valuable research and development and other vital trade secrets.
  • These entities also work to obtain sensitive national security information, including information on U.S. weapons systems and military installations. The nation’s critical infrastructure systems—the electronic power grid, and vital transportation and telecommunications systems—also are at risk.
  • When trade secrets are exploited by foreign companies, American jobs are stolen and U.S. companies are placed at a competitive disadvantage within the global economy.
  • If cybersecurity were dramatically strengthened, up to $400 billion lost on economic espionage each year could instead be reinvested in the American economy.
  • National security would also be reinforced, preserving an environment where individuals are safe to pursue the American dream.
  • Rather than burdening businesses with costly regulation, H.R. 624 would equip private companies with as much intelligence as possible, leaving protection of the private sector in private hands.


[1] House Permanent Select Committee on Intelligence report 113-39 at 9.

[2] House Permanent Select Committee on Intelligence, The Rogers-Ruppersberger Cybersecurity Bill at 1.

[3] House Permanent Select Committee on Intelligence report 113-39 at 9-10.

[4] Id. at 10.

Cost

CBO estimates that implementing the bill would have a discretionary cost of $20 million over the 2014-2018 period, assuming appropriation of the necessary amounts.  Enacting H.R. 624 could affect direct spending or revenues; therefore, pay-as-you-go procedures apply.  However, CBO estimates that those effects would be insignificant for each year.  The bill would impose intergovernmental and private-sector mandates, as defined in the Unfunded Mandates Reform Act (UMRA), by extending civil and criminal liability protection to entities and cybersecurity providers that share or use cyber threat information. The bill also would impose additional intergovernmental mandates on state governments by preempting state disclosure and liability laws. Because of uncertainty about the number of cases that would be limited and any forgone compensation that would result from compensatory damages, CBO cannot determine whether the costs of the mandate would exceed the annual threshold established in UMRA for private-sector mandates ($150 million in 2013, adjusted annually for inflation). However, CBO estimates that the aggregate costs of the mandates on public entities would fall below the threshold for intergovernmental mandates ($75 million in 2013, adjusted annually for inflation).  For more information, see CBO’s cost estimate on H.R. 624.

Amendments

  1. Rep. Rogers (R-MI) Amendment #28 – amendment corrects reported language concerning a reference in subsection (c)(4) to the procedures created in (c)(7).
  2. Rep. Connolly (D-VA) Amendment #33 – amendment further defines how classified cyber threat intelligence may be shared and used.  Adds an additional provision stipulating that classified threat intelligence may be used, retained, or further disclosed by a certified entity only for cybersecurity purposes.
  3. Rep. Schneider (D-IL) Amendment #9 – amendment clarifies that independent contractors are eligible for security clearances for purposes of employment to handle cyber threat intelligence and cyber threat information.
  4. Rep. Langevin (D-RI) Amendment #35 – amendment replaces the term “local” with “political subdivision”, which allows the inclusion of utility “districts” that would not otherwise be covered but that are intended to be covered in the bill.
  5. Reps. Conyers (D-MI), Schakowsky (D-IL), Jackson Lee (D-TX), Johnson (D-GA), Holt (D-NJ) Amendment #7 – amendment amends liability exemption to exclude "decisions made" from coverage.
  6. Reps. Amash (R-MI), Massie (R-KY), Polis (D-CO), Broun (R-GA) Amendment #32 – amendment prohibits the federal government from using, inter alia, library records, firearms sales records, and tax returns that it receives from private entities under CISPA.
  7. Rep. Sinema (D-AZ) Amendment #37 – amendment adds the Inspector General (IG) of the Department of Homeland Security (DHS) to the omnibus IG reporting requirement.  Adds the DHS IG to the rest of the group responsible for submitting an annual report to Congress.  Adds the House Committee on Homeland Security and the Senate Committee on Homeland Security and Governmental Affairs to the recipients of the report.
  8. Rep. Sanchez (D-CA) Amendment #5 – amendment inserts language that would include the Privacy Officer and the Officer for Civil Rights and Civil Liberties of DHS in issuing a report on assessing the privacy and civil liberties impact of this bill.
  9. Reps. LaMalfa (R-CA), Rogers (R-MI) Amendment #29 – amendment makes clear that nothing in this bill authorizes the government to target a U.S. person for surveillance.
  10. Rep. Paulsen (R-MN) Amendment #6 – amendment establishes the sense of Congress that international cooperation should be encouraged where possible with regard to cybersecurity.
  11. Rep. Barton (R-TX) Amendment #8 – amendment clarifies that companies sharing cyber threat information with other companies cannot treat this sharing relationship as a loophole to sell a consumer's personal information for a marketing purpose.
  12. Rep. Jackson Lee (D-TX) Amendment #17 – amendment clarifies that cybersecurity service providers may not be required to provide information about cybersecurity incidents that do not pose a threat to the federal government’s information, and protects individuals’ private data from being accessed by the government solely because it is stored by a company that provides information services to a government agency.

Additional Information

Since CISPA was first introduced in the 112th Congress, 19 changes to the text have been made to address privacy concerns.  For more information, see HPSCI’s document entitled 19 Privacy Improvements: The Cyber Information Sharing and Protection Act (CISPA).

In addition, H.R. 624 has support from a broad range of industry representatives.  For additional information, see more than 60 letters of support for the measure.