Bill Text
112th Congress (2011-2012)
H.R.3523.IH




H.R.3523 -- Cyber Intelligence Sharing and Protection Act of 2011 (Introduced in House - IH)

HR 3523 IH

112th CONGRESS

1st Session

H. R. 3523

To provide for the sharing of certain cyber threat intelligence and cyber threat information between the intelligence community and cybersecurity entities, and for other purposes.

IN THE HOUSE OF REPRESENTATIVES

November 30, 2011

Mr. ROGERS of Michigan (for himself, Mr. RUPPERSBERGER, Mr. KING of New York, Mr. UPTON, Mrs. MYRICK, Mr. LANGEVIN, Mr. CONAWAY, Mr. MILLER of Florida, Mr. BOREN, Mr. LOBIONDO, Mr. CHANDLER, Mr. NUNES, Mr. GUTIERREZ, Mr. WESTMORELAND, Mrs. BACHMANN, Mr. ROONEY, Mr. HECK, Mr. DICKS, Mr. MCCAUL, Mr. WALDEN, Mr. CALVERT, Mr. SHIMKUS, Mr. TERRY, Mr. BURGESS, Mr. GINGREY of Georgia, Mr. THOMPSON of California, Mr. KINZINGER of Illinois, Mr. AMODEI, and Mr. POMPEO) introduced the following bill; which was referred to the Select Committee on Intelligence (Permanent Select)


A BILL

To provide for the sharing of certain cyber threat intelligence and cyber threat information between the intelligence community and cybersecurity entities, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the `Cyber Intelligence Sharing and Protection Act of 2011'.

SEC. 2. CYBER THREAT INTELLIGENCE AND INFORMATION SHARING.

    (a) In General- Title XI of the National Security Act of 1947 (50 U.S.C. 442 et seq.) is amended by adding at the end the following new section:

`CYBER THREAT INTELLIGENCE AND INFORMATION SHARING

    `Sec. 1104. (a) Intelligence Community Sharing of Cyber Threat Intelligence With Private Sector-

      `(1) IN GENERAL- The Director of National Intelligence shall establish procedures to allow elements of the intelligence community to share cyber threat intelligence with private-sector entities and to encourage the sharing of such intelligence.

      `(2) SHARING AND USE OF CLASSIFIED INTELLIGENCE- The procedures established under paragraph (1) shall provide that classified cyber threat intelligence may only be--

        `(A) shared by an element of the intelligence community with--

          `(i) certified entities; or

          `(ii) a person with an appropriate security clearance to receive such cyber threat intelligence;

        `(B) shared consistent with the need to protect the national security of the United States; and

        `(C) used by a certified entity in a manner which protects such cyber threat intelligence from unauthorized disclosure.

      `(3) SECURITY CLEARANCE APPROVALS- The Director of National Intelligence shall issue guidelines providing that the head of an element of the intelligence community may, as the head of such element considers necessary to carry out this subsection--

        `(A) grant a security clearance on a temporary or permanent basis to an employee or officer of a certified entity;

        `(B) grant a security clearance on a temporary or permanent basis to a certified entity and approval to use appropriate facilities; and

        `(C) expedite the security clearance process for a person or entity as the head of such element considers necessary, consistent with the need to protect the national security of the United States.

      `(4) NO RIGHT OR BENEFIT- The provision of information to a private-sector entity under this subsection shall not create a right or benefit to similar information by such entity or any other private-sector entity.

    `(b) Private Sector Use of Cybersecurity Systems and Sharing of Cyber Threat Information-

      `(1) IN GENERAL-

        `(A) CYBERSECURITY PROVIDERS- Notwithstanding any other provision of law, a cybersecurity provider, with the express consent of a protected entity for which such cybersecurity provider is providing goods or services for cybersecurity purposes, may, for cybersecurity purposes--

          `(i) use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property of such protected entity; and

          `(ii) share such cyber threat information with any other entity designated by such protected entity, including, if specifically designated, the Federal Government.

        `(B) SELF-PROTECTED ENTITIES- Notwithstanding any other provision of law, a self-protected entity may, for cybersecurity purposes--

          `(i) use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property of such self-protected entity; and

          `(ii) share such cyber threat information with any other entity, including the Federal Government.

      `(2) USE AND PROTECTION OF INFORMATION- Cyber threat information shared in accordance with paragraph (1)--

        `(A) shall only be shared in accordance with any restrictions placed on the sharing of such information by the protected entity or self-protected entity authorizing such sharing, including, if requested, appropriate anonymization or minimization of such information;

        `(B) may not be used by an entity to gain an unfair competitive advantage to the detriment of the protected entity or the self-protected entity authorizing the sharing of information; and

        `(C) if shared with the Federal Government--

          `(i) shall be exempt from disclosure under section 552 of title 5, United States Code;

          `(ii) shall be considered proprietary information and shall not be disclosed to an entity outside of the Federal Government except as authorized by the entity sharing such information; and

          `(iii) shall not be used by the Federal Government for regulatory purposes.

      `(3) EXEMPTION FROM LIABILITY- No civil or criminal cause of action shall lie or be maintained in Federal or State court against a protected entity, self-protected entity, cybersecurity provider, or an officer, employee, or agent of a protected entity, self-protected entity, or cybersecurity provider, acting in good faith--

        `(A) for using cybersecurity systems or sharing information in accordance with this section; or

        `(B) for not acting on information obtained or shared in accordance with this section.

      `(4) RELATIONSHIP TO OTHER LAWS REQUIRING THE DISCLOSURE OF INFORMATION- The submission of information under this subsection to the Federal Government shall not satisfy or affect any requirement under any other provision of law for a person or entity to provide information to the Federal Government.

    `(c) Report on Information Sharing- The Privacy and Civil Liberties Oversight Board established under section 1061 of the Intelligence Reform and Terrorism Prevention Act of 2004 (5 U.S.C. 601 note) shall annually submit to Congress a report in unclassified form containing--

      `(1) a review of the sharing and use of information by the Federal Government under this section and the procedures and guidelines established or issued by the Director of National Intelligence under subsection (a); and

      `(2) any recommendations of the Board for improvements or modifications to such authorities to address privacy and civil liberties concerns.

    `(d) Federal Preemption- This section supersedes any statute of a State or political subdivision of a State that restricts or otherwise expressly regulates an activity authorized under subsection (b).

    `(e) Savings Clause- Nothing in this section shall be construed to limit any other authority to use a cybersecurity system or to identify, obtain, or share cyber threat intelligence or cyber threat information.

    `(f) Definitions- In this section:

      `(1) CERTIFIED ENTITY- The term `certified entity' means a protected entity, self-protected entity, or cybersecurity provider that--

        `(A) possesses or is eligible to obtain a security clearance, as determined by the Director of National Intelligence; and

        `(B) is able to demonstrate to the Director of National Intelligence that such provider or such entity can appropriately protect classified cyber threat intelligence.

      `(2) CYBER THREAT INTELLIGENCE- The term `cyber threat intelligence' means information in the possession of an element of the intelligence community directly pertaining to a vulnerability of, or threat to, a system or network of a government or private entity, including information pertaining to the protection of a system or network from--

        `(A) efforts to degrade, disrupt, or destroy such system or network; or

        `(B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information.

      `(3) CYBERSECURITY PROVIDER- The term `cybersecurity provider' means a non-governmental entity that provides goods or services intended to be used for cybersecurity purposes.

      `(4) CYBERSECURITY PURPOSE- The term `cybersecurity purpose' means the purpose of ensuring the integrity, confidentiality, or availability of, or safeguarding, a system or network, including protecting a system or network from--

        `(A) efforts to degrade, disrupt, or destroy such system or network; or

        `(B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information.

      `(5) CYBERSECURITY SYSTEM- The term `cybersecurity system' means a system designed or employed to ensure the integrity, confidentiality, or availability of, or safeguard, a system or network, including protecting a system or network from--

        `(A) efforts to degrade, disrupt, or destroy such system or network; or

        `(B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information.

      `(6) CYBER THREAT INFORMATION- The term `cyber threat information' means information directly pertaining to a vulnerability of, or threat to a system or network of a government or private entity, including information pertaining to the protection of a system or network from--

        `(A) efforts to degrade, disrupt, or destroy such system or network; or

        `(B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information.

      `(7) PROTECTED ENTITY- The term `protected entity' means an entity, other than an individual, that contracts with a cybersecurity provider for goods or services to be used for cybersecurity purposes.

      `(8) SELF-PROTECTED ENTITY- The term `self-protected entity' means an entity, other than an individual, that provides goods or services for cybersecurity purposes to itself.'.

    (b) Procedures and Guidelines- The Director of National Intelligence shall--

      (1) not later than 60 days after the date of the enactment of this Act, establish procedures under paragraph (1) of section 1104(a) of the National Security Act of 1947, as added by subsection (a) of this section, and issue guidelines under paragraph (3) of such section 1104(a); and

      (2) following the establishment of such procedures and the issuance of such guidelines, expeditiously distribute such procedures and such guidelines to appropriate Federal Government and private-sector entities.

    (c) Initial Report- The first report required to be submitted under subsection (c) of section 1104 of the National Security Act of 1947, as added by subsection (a) of this section, shall be submitted not later than one year after the date of the enactment of this Act.

    (d) Table of Contents Amendment- The table of contents in the first section of such Act is amended by adding at the end the following new item:

      `Sec. 1104. Cyber threat intelligence and information sharing.'.

    `(2) CYBER THREAT INTELLIGENCE- The term `cyber threat intelligence' means information in the possession of an element of the intelligence community directly pertaining to a vulnerability of, or threat to, a system or network of a government or private entity, including information pertaining to the protection of a system or network from--

    `(A) efforts to degrade, disrupt, or destroy such system or network; or

    `(B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information.

  • bo1024
    posted 5 days ago - 5 replies
    25

    From my reading, it explicitly includes intellectual property as a cybersecurity issue unto itself. (I have no idea why this would be justified.)

    GovernmentOverreach
    12
    • IWantSpaceships
      posted 5 days ago - 3 replies

      That's not what I see when I read it. It doesn't state that intellectual property is a cybersecurity issue unto itself, only "protection of a system or network" from theft or misappropriation of that property. The bill does not expand an entity's power to control the distribution of that property after its theft/misappropriation from its network.

      FactuallyIncorrect
      • malogos
        posted 4 days ago - 2 replies

        Your reading is correct. This bill is about cyber security and not copyright protection. ISPs are actually a minor part of this bill; it's aimed to protect critical infrastructure. ISPs would only be sharing data that involves their role as critical US infrastructure, and so monitoring individual users isn't the point at all. If the wording needs cleaned up, that's one thing, but the intent is clearly not to spy on citizens.

        Agree
        • jnt8686
          posted 4 days ago

          While you guys are technically correct, why does it seem like our government keeps passing laws that are designed to be confusing and misleading? I don't care what the nitpicky little reading could be, if a law appears at all to infringe upon our constitutional rights, it needs to be rewritten.

          Disagree
          • theThoughtful1
            posted 4 days ago

            I would not argue against your guys' reading. In fact, although I personally read it differently, I would rather go with your reading. However, the very fact that it can be read the way the OP and I read it means that it is too ambiguous.

            Yes, the bill is about cyber security. And yes, the bill is clearly designed to facilitate the foiling of and the apprehension of those who would hack into networks or systems to do malicious things. And yes, the bill does not create new crimes of any sort.

            However, it allows for novel forms of collection and aggregation of personal data. This data can then be used for myriad purposes, all in the guise of "cyber security," such as "theft" of intellectual property. Copyright infringement, patent infringement, and piracy of any sort are sometimes equated to theft, and although perhaps in most places at the current time it is not, that could easily become a widespread interpretation of this clause. Besides, if any company or government organization is caught misinterpreting it, they are safe

            Disagree
        • retrvor
          posted 3 days ago - 12 replies

          The bill's authors could take this provision out and companies will still get all the benefits they wanted in the first place. This spying section is the portion that will destroy our privacy and it's a section that's not even needed to accomplish the bill's goals.

          Facebook even admitted on Friday they don't like this section, don't need it, or don't want it, but for now, it's still in the bill. So that's why we need people to go here and email their member of Congress to vote against it.

          Facebook
        • glass
          posted 2 days ago - 12 replies

          The bill's authors could take this provision out and companies will still get all the benefits they wanted in the first place. This spying section is the portion that will destroy our privacy and it's a section that's not even needed to accomplish the bill's goals.

          Facebook even admitted on Friday they don't like this section, don't need it, or don't want it, but for now, it's still in the bill. So that's why we need people to go here and email their member of Congress to vote against it.

          NewZealand
        • waywardfrantz
          posted 5 days ago - 3 replies

          I am fearful that the current reactive approach to these bills will fail. They keep coming and coming and the ability to mobilize people time after time decreases. Eventually, the lobbying groups will slip these pieces of legislation through one small piece at a time. It's an effective tactic. It is my opinion that we need to take a proactive stance to preempt these actions. My question to you, EFF, is what are our options, legislatively or otherwise, to pass/ensure some basic protections for the architecture of a free and open Internet to discourage the seemingly unending onslaught to these harmful pieces of legislation?

          Instead of trying to educate, organize, and mobilize citizens 10, 20, or 50 times, why can't we nail down some sort of basic internet bill of rights and mobilize everybody once to support it? The impact of that would be magnitudes greater.

          NewZealand
        • waywardfrantz
          posted 5 days ago - 3 replies

          I say focus on two lines, the main description where it says "for other purpose" I mean WTF? and then later when it says people are clear of liability if they have good intentions. Let's get people to read the bill, these are ludicrous lines in a fairly moderate bill. The line stating that any requests authorized by this bill must be reported in non-classified form is AWESOME and helps us a lot.

          WTF