aclu_cs_info_sharing_leg_chart_march_2012__final


Bills compared (one column each in the original chart):
-H.R. 3674, the PRECISE Act of 2011, as reported from HHSC Subcmte on Cybersecurity (Lungren)
-H.R. 3523, the Cyber Intelligence Sharing and Protection Act of 2011, as reported from HPSCI (Rogers-Ruppersberger)
-S. 2105, the Cybersecurity Act of 2012, as introduced (Lieberman-Feinstein)
-S. 2151, the SECURE IT Act of 2012, as introduced (McCain)
WHAT INFORMATION MAY BE SHARED

H.R. 3674, the PRECISE Act of 2011 (Lungren):
-Notwithstanding any provision of law,
-“Cyber threat information:” information ‘necessary to identify or describe,’
-six types of cyber data,
-From which reasonable efforts have been made to remove info that can be used to identify specific persons unrelated to a cyber-attack.
(Sec. 248(f)(6) at p. 44)

H.R. 3523, the CISPA of 2011 (Rogers-Ruppersberger):
-Notwithstanding any provision of law,
-“Cyber threat information:” information ‘directly pertaining’ to,
-Vulnerability or threat to system or network of government or private entity including (A) efforts to degrade, disrupt, or destroy such system or network; or (B) theft or misappropriation of private or government info, intellectual property or personally identifiable info,
-With the express consent of a protected entity for which such cybersecurity provider is providing goods or services for cybersecurity purposes.
(Sec. 6 at p. 10; Sec. 2 at p. 4)

S. 2105, the CSA of 2012 (Lieberman-Feinstein):
-Notwithstanding any provision of law,
-“Cybersecurity threat indicator:” information that ‘may be indicative or describe,’
-Eight types of cyber data,
-From which reasonable efforts have been made to remove info that can be used to identify specific persons unrelated to the cybersecurity threat.
(Sec. 708(6))

S. 2151, the SECURE IT Act of 2012 (McCain):
-Notwithstanding any provision of law,
-“Cyber threat information:” information that ‘may be indicative or describe,’
-Nine types of cyber data,
-“If the CTI described in paragraph (1) is obtained, in the course of services to another entity, that entity shall, at any time prior to disclosure of such information, be given a reasonable opportunity to authorize or prevent such disclosure or to request anonymization of such information.”
(Sec. 101(4))
American Civil Liberties Union | Comparison of Cybersecurity Information Sharing Legislation | March 2012 Page 1
WHO MAY RECEIVE CYBERSECURITY RELATED INFORMATION

H.R. 3674, the PRECISE Act of 2011 (Lungren):
-New semi-private entity called the National Information Sharing Organization (NISO), which will be overseen by a board of government and private sector officials, and include a membership of cyber related companies and federal agencies. The NISO will be responsible for distributing cyber info amongst its members and to the public. (Sec. 248(a)(2) and (3)).

H.R. 3523, the CISPA of 2011 (Rogers-Ruppersberger):
-Any private or governmental entity if the protected entity gives consent, including military agencies such as the NSA or DoD. (Sec. 2(b) at p. 4-5).

S. 2105, the CSA of 2012 (Lieberman-Feinstein):
-Any private entity (Sec. 3(a)),
-DHS approved private exchanges (Sec. 4(e)),
-DHS approved government exchanges including one lead exchange (Sec. 4(c)) and possibly additional ones if so approved by DHS (Sec. 4(d)).

S. 2151, the SECURE IT Act of 2012 (McCain):
-Six existing federal ‘cybersecurity centers’ including the NSA, and offices at DHS, DoD, DNI, and the FBI (Sec. 101(5)),
-‘Any other entity in order to assist with preventing, investigating, or otherwise mitigating threats to info security.’ (Sec. 102(a)(2)).
HOW MAY INFORMATION BE USED / REDISTRIBUTED

H.R. 3674, the PRECISE Act of 2011 (Lungren):
-Federal government and private entities may use for CS purposes (Sec. 248(b)(3-4) at p. 38-39),
-Federal government may additionally use 1) to further investigation or the prosecution of a cybersecurity related criminal act as defined at 248(f)(2) on p. 43; or 2) to disclose the info to the appropriate congressional committee,
-Note: stripping unnecessary PII before dissemination listed in mission and activities (Sec. 242(1)(A) at p. 27).

H.R. 3523, the CISPA of 2011 (Rogers-Ruppersberger):
-Federal government may use for any lawful purpose only if (A) not for regulatory purposes; and (B) at least one significant purpose is cybersecurity or national security (Rogers/Ruppersberger amdt, available at HPSCI website).

S. 2105, the CSA of 2012 (Lieberman-Feinstein):
-Private entities can use, retain or further disclose in order to protect info systems from CS threats or mitigate CS threats (Sec. 702(b)),
-Exchanges and government can use, retain or further disclose in order to protect info systems from CS threats or mitigate CS threats (Sec. 704(b) and (c)),
-Government can disclose to law enforcement if information appears to pertain to a crime which has been, is being or is about to be committed (Sec. 704(g)(2)).

S. 2151, the SECURE IT Act of 2012 (McCain):
-CTI given to a cybersecurity center may be disclosed to and used by the government for cybersecurity or national security purposes or to prosecute any of the offenses listed in 18 USC 2516 (wiretapping predicates); may also be used by communication or cybersecurity provider for ‘purposes related to such services’ (Sec. 102(c)),
-May be shared with local and state law enforcement for criminal or CS purposes (Sec. 102(c)).
EXPANSION OF PRIVATE MONITORING/SURVEILLANCE and AUTHORIZATION TO TAKE COUNTERMEASURES

H.R. 3674, the PRECISE Act of 2011 (Lungren):
-Notwithstanding any other provision of law, CS providers with the express consent of a protected entity and self-protected entities may use ‘CS systems to identify and obtain cyber threat information to protect the rights and property of such protected entity’ (Sec 248(a) at p. 36-37).

H.R. 3523, the CISPA of 2011 (Rogers-Ruppersberger):
-‘Notwithstanding any other provision of law, a CS provider, with the express consent of a protected entity for which such CS provider is providing goods or services for CS purposes, or self-protected entity may use ‘CS systems to identify and obtain cyber threat information to protect the rights and property of such protected entity’ (Sec 2(b) at p. 4-5).

S. 2105, the CSA of 2012 (Lieberman-Feinstein):
-Notwithstanding ECPA, FISA, or the Communications Act, any private entity may monitor its info systems and info that is stored on, processed by or transiting such info for cyber threats, and monitor 3rd party if it lawfully authorizes such monitoring (701(1-2)); or operate countermeasures on own or 3rd party’s info systems if it lawfully authorizes such monitoring (701(3-4)).

S. 2151, the SECURE IT Act of 2012 (McCain):
-‘Notwithstanding any other provision of law, a private entity may, for the purpose of preventing, investigating or otherwise mitigating threats to information security on its own networks, or as authorized by another entity, on such entity’s networks, employ countermeasures and use cybersecurity systems in order to obtain, identify or otherwise possess cyber threat information’ (Sec. 102(a)(1)).
LIABILITY PROTECTION / IMMUNITY

H.R. 3674, the PRECISE Act of 2011 (Lungren):
-Provided against tort or criminal right of action in Fed or State court for failure to warn or disclose, provided the info is shared with NISO (sec. 248(b)(7) at p. 39),
-Private right of action to sue private entity if it uses info for any purpose other than a cybersecurity purpose; subject to good faith defense (Keating amdt; available on HHSC website).

H.R. 3523, the CISPA of 2011 (Rogers-Ruppersberger):
-Against a CS provider or protected entity acting in good faith for ‘using cybersecurity systems or sharing info’ or ‘for not acting on information obtained or shared in accordance with this section’ (Sec. 2(b)(3) at p. 6).

S. 2105, the CSA of 2012 (Lieberman-Feinstein):
-For monitoring (706(a)(1)),
-For sharing with exchange, CI operators, customers of CS services or any other entity if an exchange is notified (706(a)(2)),
-Complete bar for ‘good faith’ reliance on Title VII of the bill (706(b)).

S. 2151, the SECURE IT Act of 2012 (McCain):
-For any entity for use, receipt or disclosure of cyber threat information or subsequent action or inaction of any lawful recipient of cyber threat information; (102(g)),
-Additionally for private entities for taking countermeasures (102(g)).
FURTHER GUIDANCE/RULES ON SHARING PRIVATE INFORMATION

H.R. 3674, the PRECISE Act of 2011 (Lungren):
-NISO charter shall include protections of privacy and civil liberties including A) transparency and oversight, B) ensure only CTI is shared with NISO, C) omit PII not necessary to describe a cyber threat from info shared with and by the NISO (Sec 244(9) at p. 33),
--Within 90 days, board of NISO shall issue procedures including protection of privacy rights and civ libs (Sec. 248(d) at p. 40),
--Mission includes ‘ensuring that the information exchanged shall be stripped of all information identifying the submitter and of any unnecessary personally identifiable information’ (Sec. 242(1)(A) at p. 27).

H.R. 3523, the CISPA of 2011 (Rogers-Ruppersberger):
-none

S. 2105, the CSA of 2012 (Lieberman-Feinstein):
-DHS shall issue policies on privacy and civil liberties for government receipt, retention, use and disclosure of CTI under bill; must be approved by AG within one year of passage of this act; policies must be sent to Congress (704(g)(4)),
-AG shall establish mandatory program to monitor and oversee compliance with policies and procedures (704(g)(5)).

S. 2151, the SECURE IT Act of 2012 (McCain):
-The head of each of the six named cybersecurity centers shall submit procedures to congress within 60 days that shall ensure CTI ‘is handled by the federal government in a reasonable manner, including consideration of the need to protect the privacy and civil liberties of individuals through anonymization or other appropriate methods, while fully accomplishing the objectives of this title.’ (102(d)).
OVERSIGHT

H.R. 3674, the PRECISE Act of 2011 (Lungren):
-Annual independent audits by a private firm to be appointed by NISO and approved by DHS. Shall be shared with DHS, the Homeland Security Committees, shall be made public with appropriate redactions, and may include a classified annex (Sec. 249 at p. 46).

H.R. 3523, the CISPA of 2011 (Rogers-Ruppersberger):
-Annual audits by DNI IG on type and use of information shared under the program, including a review of actions taken by the Federal government and impacts on privacy and civil liberties; shall be submitted in unclassified form, but may include a classified annex (Rep. Mike Thompson amdt, available on HPSCI website).

S. 2105, the CSA of 2012 (Lieberman-Feinstein):
-Annual report to Congress from privacy and civil liberties officers of DOJ, DHS and other appropriate agencies on government exchanges (Sec. 704(g)(5)(C)),
-PCLOB report to Congress two years after enactment (Sec. 704(g)(6)),
-Report on implementation to include discussion on civ libs (Sec. 707(h)).

S. 2151, the SECURE IT Act of 2012 (McCain):
-One year after enactment then every two years thereafter, the heads of the six cybersecurity centers, in consultation with their civil liberties officers, shall report to congress concerning the implementation of this title. It shall include a review of the type of information shared, impacts on privacy, government use of information and a description of any violations by the Federal government. Shall be unclassified but may include classified annex (Sec. 104).
ACCOUNTABILITY MEASURES

H.R. 3674, the PRECISE Act of 2011 (Lungren):
-Government, NISO and member entities may not knowingly publish, divulge, disclose or make known in any manner… any CTI protected from disclosure by this title; Violations shall be fined under Title 18, imprisoned for not more than one year, or both, and shall be removed from office or employment (Sec. 250(a) and (b) at p. 47-48).

H.R. 3523, the CISPA of 2011 (Rogers-Ruppersberger):
-none

S. 2105, the CSA of 2012 (Lieberman-Feinstein):
-The heads of federal entities that receive information shall inform AG of significant violations of the privacy and civil liberties policies required by the bill (704(g)(5)(B)),
-The heads of federal entities shall develop and enforce sanctions for officers, employees, or agents who conduct activities under this title in violation of their duties or the policies required by this bill. (704(g)(7)).

S. 2151, the SECURE IT Act of 2012 (McCain):
-none
EXEMPTION FROM PUBLIC DISCLOSURE LAWS

H.R. 3674, the PRECISE Act of 2011 (Lungren):
-FOIA
-FACA

H.R. 3523, the CISPA of 2011 (Rogers-Ruppersberger):
-FOIA

S. 2105, the CSA of 2012 (Lieberman-Feinstein):
-FOIA

S. 2151, the SECURE IT Act of 2012 (McCain):
-FOIA