Letting almost any company legally get all your phone and email records. CISPA would allow companies to share any information they have with the government if they claim it is related to cyber-security. Civil libertarians hate that; others think anything done in the name of security needs to be allowed. You can and should make up your own mind on what's right. The bill (below) goes much further, including allowing essentially any company to share essentially anything with other companies. They merely need to claim it's somehow related to "cyber-security."
But it's ridiculous to allow, say, Microsoft to ask Verizon for all my phone call records and who I emailed because I break a story about Microsoft, say how they price Microsoft Mediaroom in a way that disadvantages community television. They could claim that is a "trade secret" and hence intellectual property. This "cyber-security" bill provides near total protection to private companies sharing information about "theft or misappropriation of private or government information, intellectual property, or personally identifiable information." The plain language of the bill would allow Verizon to hand over my email and phone contacts if I reported, as I have, that three separate senior FCC employees thought the Spectrum Crunch report was a fiction invented for political reasons. That's government information not officially released that I may have "mis-appropriated." Cisco, I discovered, was damned mad I reported they were offering to sell AT&T femtocells (quantity 10M) for $50, and certainly both companies believed it "private information." Especially because Cisco was selling the same unit to others at $125-150. Gucci would love to get the complete list of emails from a company they think is selling counterfeits on eBay. They could follow up with (legal) questions to every customer asking about counterfeits and probably destroy the business even if they found nothing. Think of the possibilities for a lawyer chasing "pirates" of pornography if they could get someone's complete email and phone records.
Adding fake handbags and basic reporting makes this far more than a bill about security and totally abusive. Reasonable people may disagree about how far government should go in the name of security. But giving private companies complete access with no recourse for abuses is off the wall. So shame on Christopher Padilla of IBM, Tim McKone of AT&T, Peter Davidson of Verizon, Michael Powell of NCTA and Fred Humphries of Microsoft for their strong support of the House bill. Maybe they didn't bother to read what they were signing on to and didn't realize the bombshell built in. At minimum, all ISPs should make clear they will not provide information outside of government unless subpoenaed.
Those who believe this bill is important for "security" should be the first to strip "theft or misappropriation of private or government information, intellectual property, or personally identifiable information" out so the bill isn't blocked.
Below, a poster from Spencer Belkofer from the civil liberties point of view, Verizon and the others supporting the bill, and the actual text.

From the Congressional committee.
See What They’re Saying
See what major US corporations and business associations have to say about the new bipartisan ‘Cyber Intelligence Sharing and Protection Act of 2011’.
**********************************
“The U.S. Chamber of Commerce, the world’s largest business federation representing the interests of more than three million businesses and organizations of every size, sector, and region, supports the “Cyber Intelligence Sharing and Protection Act of 2011”, which would be an important step in assisting the nation’s public and private sectors to prevent, deter, and mitigate the array of cyber threats from illicit actors without imposing burdensome regulations on industry.”
R. Bruce Josten, Executive Vice President, Government Affairs, U.S. Chamber of Commerce
**********************************
“The ‘Cyber Intelligence Sharing and Protection Act of 2011’ provides a solid framework and useful legal protections to permit the timely flow of actionable threat information in order for organizations to better protect themselves and customers.”
Christopher Padilla, Vice President, Governmental Programs, IBM
**********************************
“The sharing of cyber threat and attack information is an essential component of an effective cyber-defense strategy, and the legislation helps to provide greater clarity for private sector entities.”
Tim McKone, Executive Vice President, Federal Relations, AT&T
**********************************
“There is a critical role for government in securing cyberspace, and today’s bill sets forth a path that would enable government and network providers to better share information in real time, while relying on market incentives to drive continuous improvement and innovation in cybersecurity.”
Walter B. McCormick Jr., President & CEO, USTelecom
**********************************
“Verizon supports the “Cyber Intelligence Sharing and Protection Act of 2011” and applauds its sponsors for taking a focused approach to enhancing our national cybersecurity-defense capabilities.”
Peter Davidson, Senior Vice President for Federal Government Relations, Verizon
**********************************
“This legislation will protect both our national security and our customers and has the strong support of the nation’s cable, telephone and wireless industries.”
Michael Powell, President & CEO, National Cable & Telecommunications Association
**********************************
“Enactment of this sort of legislation will contribute significantly to the expansion of sound cybersecurity practices.” “Your legislation will promote the sort of public-private partnership that will be necessary to defeat those intent on gaining unauthorized access to public and private sector networks.”
Steve Largent, President & CEO, CTIA - The Wireless Association
**********************************
“On behalf of Microsoft, I want to commend Intelligence Committee Chairman Mike Rogers and Ranking Member Dutch Ruppersberger for the introduction of the Cyber Intelligence Sharing and Protection Act of 2011.” “…this bill is an important first step towards addressing significant problems in cyber security.”
Fred Humphries, Vice President, U.S. Government Affairs, Microsoft Corporation
**********************************
“This bill provides important updates and clarifications to the US Code that will facilitate and increase cyber intelligence information sharing within the private and public sectors.” “This legislation will modify current constraining rules to allow for improved information sharing, which is essential to the continued protection of the cyber ecosystem.”
Steve Bartlett, President and CEO, The Financial Services Roundtable
Paul Smocer, President, BITS, The Technology Policy Division, The Financial Services Roundtable
**********************************
“We believe that this bi-partisan legislation will help advance the sharing of threat intelligence and actionable information that can assist organizations in addressing advanced cyber attacks.” “…this legislation, if enacted, will be an important step forward in creating more effective ecosystems between the public and private sector to improve our nation’s cyber security posture.”
Art Coviello, EVP & Executive Chairman of RSA, EMC Corporation
David Martin, VP & Chief Security Officer, EMC Corporation
**********************************
“ITTA applauds House Intelligence Chairman Mike Rogers and Ranking Member Dutch Ruppersberger for moving aggressively on legislation to tackle daily threats to the nation’s broadband networks” “…absent the ability for private network owners and the government to exchange intelligence on cyber threats, our national security and economic well-being will remain vulnerable to attack.”
Genny Morelli, President, Independent Telephone & Telecommunications Alliance (ITTA)
**********************************
“Because of its importance, we hope this legislation can be acted upon quickly. Passage of this legislation will truly be a significant step forward to help protect American companies from these evolving challenges.”
James W. Sheaffer, President, North American Public Sector, CSC
**********************************
“The framework proposed in the “Cyber Intelligence Sharing and Protection Act of 2011” will move industry and government in the right direction on sharing timely and actionable information to protect ourselves from cyber attacks.” “…we applaud the effort that has been put forward by you and your staff in support of this long-time, critical goal by the private sector to enhance information sharing efforts with the U.S. government on cyber threats.”
Kevin Richards, Senior Vice President, Federal Government Affairs, TechAmerica
**********************************
“The Association admires your bi-partisan approach to policy and legislation, as well as your strategy of proposing a bill which is tightly focused on a critical issue, sharing threat data which can be readily used by companies who need to counter Cyber attacks.”
Richard Coleman, Chairman & President, Cyber, Space & Intelligence Association
H.R.3523 -- Cyber Intelligence Sharing and Protection Act of 2011 (Introduced in House - IH)
HR 3523 IH
112th CONGRESS
1st Session
H. R. 3523
To provide for the sharing of certain cyber threat intelligence and cyber threat information between the intelligence community and cybersecurity entities, and for other purposes.
IN THE HOUSE OF REPRESENTATIVES
November 30, 2011
Mr. ROGERS of Michigan (for himself, Mr. RUPPERSBERGER, Mr. KING of New York, Mr. UPTON, Mrs. MYRICK, Mr. LANGEVIN, Mr. CONAWAY, Mr. MILLER of Florida, Mr. BOREN, Mr. LOBIONDO, Mr. CHANDLER, Mr. NUNES, Mr. GUTIERREZ, Mr. WESTMORELAND, Mrs. BACHMANN, Mr. ROONEY, Mr. HECK, Mr. DICKS, Mr. MCCAUL, Mr. WALDEN, Mr. CALVERT, Mr. SHIMKUS, Mr. TERRY, Mr. BURGESS, Mr. GINGREY of Georgia, Mr. THOMPSON of California, Mr. KINZINGER of Illinois, Mr. AMODEI, and Mr. POMPEO) introduced the following bill; which was referred to the Select Committee on Intelligence (Permanent Select)
A BILL
To provide for the sharing of certain cyber threat intelligence and cyber threat information between the intelligence community and cybersecurity entities, and for other purposes.
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the `Cyber Intelligence Sharing and Protection Act of 2011'.
SEC. 2. CYBER THREAT INTELLIGENCE AND INFORMATION SHARING.
(a) In General- Title XI of the National Security Act of 1947 (50 U.S.C. 442 et seq.) is amended by adding at the end the following new section:
`CYBER THREAT INTELLIGENCE AND INFORMATION SHARING
`Sec. 1104. (a) Intelligence Community Sharing of Cyber Threat Intelligence With Private Sector-
`(1) IN GENERAL- The Director of National Intelligence shall establish procedures to allow elements of the intelligence community to share cyber threat intelligence with private-sector entities and to encourage the sharing of such intelligence.
`(2) SHARING AND USE OF CLASSIFIED INTELLIGENCE- The procedures established under paragraph (1) shall provide that classified cyber threat intelligence may only be--
`(A) shared by an element of the intelligence community with--
`(i) certified entities; or
`(ii) a person with an appropriate security clearance to receive such cyber threat intelligence;
`(B) shared consistent with the need to protect the national security of the United States; and
`(C) used by a certified entity in a manner which protects such cyber threat intelligence from unauthorized disclosure.
`(3) SECURITY CLEARANCE APPROVALS- The Director of National Intelligence shall issue guidelines providing that the head of an element of the intelligence community may, as the head of such element considers necessary to carry out this subsection--
`(A) grant a security clearance on a temporary or permanent basis to an employee or officer of a certified entity;
`(B) grant a security clearance on a temporary or permanent basis to a certified entity and approval to use appropriate facilities; and
`(C) expedite the security clearance process for a person or entity as the head of such element considers necessary, consistent with the need to protect the national security of the United States.
`(4) NO RIGHT OR BENEFIT- The provision of information to a private-sector entity under this subsection shall not create a right or benefit to similar information by such entity or any other private-sector entity.
`(b) Private Sector Use of Cybersecurity Systems and Sharing of Cyber Threat Information-
`(1) IN GENERAL-
`(A) CYBERSECURITY PROVIDERS- Notwithstanding any other provision of law, a cybersecurity provider, with the express consent of a protected entity for which such cybersecurity provider is providing goods or services for cybersecurity purposes, may, for cybersecurity purposes--
`(i) use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property of such protected entity; and
`(ii) share such cyber threat information with any other entity designated by such protected entity, including, if specifically designated, the Federal Government.
`(B) SELF-PROTECTED ENTITIES- Notwithstanding any other provision of law, a self-protected entity may, for cybersecurity purposes--
`(i) use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property of such self-protected entity; and
`(ii) share such cyber threat information with any other entity, including the Federal Government.
`(2) USE AND PROTECTION OF INFORMATION- Cyber threat information shared in accordance with paragraph (1)--
`(A) shall only be shared in accordance with any restrictions placed on the sharing of such information by the protected entity or self-protected entity authorizing such sharing, including, if requested, appropriate anonymization or minimization of such information;
`(B) may not be used by an entity to gain an unfair competitive advantage to the detriment of the protected entity or the self-protected entity authorizing the sharing of information; and
`(C) if shared with the Federal Government--
`(i) shall be exempt from disclosure under section 552 of title 5, United States Code;
`(ii) shall be considered proprietary information and shall not be disclosed to an entity outside of the Federal Government except as authorized by the entity sharing such information; and
`(iii) shall not be used by the Federal Government for regulatory purposes.
`(3) EXEMPTION FROM LIABILITY- No civil or criminal cause of action shall lie or be maintained in Federal or State court against a protected entity, self-protected entity, cybersecurity provider, or an officer, employee, or agent of a protected entity, self-protected entity, or cybersecurity provider, acting in good faith--
`(A) for using cybersecurity systems or sharing information in accordance with this section; or
`(B) for not acting on information obtained or shared in accordance with this section.
`(4) RELATIONSHIP TO OTHER LAWS REQUIRING THE DISCLOSURE OF INFORMATION- The submission of information under this subsection to the Federal Government shall not satisfy or affect any requirement under any other provision of law for a person or entity to provide information to the Federal Government.
`(c) Report on Information Sharing- The Privacy and Civil Liberties Oversight Board established under section 1061 of the Intelligence Reform and Terrorism Prevention Act of 2004 (5 U.S.C. 601 note) shall annually submit to Congress a report in unclassified form containing--
`(1) a review of the sharing and use of information by the Federal Government under this section and the procedures and guidelines established or issued by the Director of National Intelligence under subsection (a); and
`(2) any recommendations of the Board for improvements or modifications to such authorities to address privacy and civil liberties concerns.
`(d) Federal Preemption- This section supersedes any statute of a State or political subdivision of a State that restricts or otherwise expressly regulates an activity authorized under subsection (b).
`(e) Savings Clause- Nothing in this section shall be construed to limit any other authority to use a cybersecurity system or to identify, obtain, or share cyber threat intelligence or cyber threat information.
`(f) Definitions- In this section:
`(1) CERTIFIED ENTITY- The term `certified entity' means a protected entity, self-protected entity, or cybersecurity provider that--
`(A) possesses or is eligible to obtain a security clearance, as determined by the Director of National Intelligence; and
`(B) is able to demonstrate to the Director of National Intelligence that such provider or such entity can appropriately protect classified cyber threat intelligence.
`(2) CYBER THREAT INTELLIGENCE- The term `cyber threat intelligence' means information in the possession of an element of the intelligence community directly pertaining to a vulnerability of, or threat to, a system or network of a government or private entity, including information pertaining to the protection of a system or network from--
`(A) efforts to degrade, disrupt, or destroy such system or network; or
`(B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information.
`(3) CYBERSECURITY PROVIDER- The term `cybersecurity provider' means a non-governmental entity that provides goods or services intended to be used for cybersecurity purposes.
`(4) CYBERSECURITY PURPOSE- The term `cybersecurity purpose' means the purpose of ensuring the integrity, confidentiality, or availability of, or safeguarding, a system or network, including protecting a system or network from--
`(A) efforts to degrade, disrupt, or destroy such system or network; or
`(B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information.
`(5) CYBERSECURITY SYSTEM- The term `cybersecurity system' means a system designed or employed to ensure the integrity, confidentiality, or availability of, or safeguard, a system or network, including protecting a system or network from--
`(A) efforts to degrade, disrupt, or destroy such system or network; or
`(B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information.
`(6) CYBER THREAT INFORMATION- The term `cyber threat information' means information directly pertaining to a vulnerability of, or threat to a system or network of a government or private entity, including information pertaining to the protection of a system or network from--
`(A) efforts to degrade, disrupt, or destroy such system or network; or
`(B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information.
`(7) PROTECTED ENTITY- The term `protected entity' means an entity, other than an individual, that contracts with a cybersecurity provider for goods or services to be used for cybersecurity purposes.
`(8) SELF-PROTECTED ENTITY- The term `self-protected entity' means an entity, other than an individual, that provides goods or services for cybersecurity purposes to itself.'.
(b) Procedures and Guidelines- The Director of National Intelligence shall--
(1) not later than 60 days after the date of the enactment of this Act, establish procedures under paragraph (1) of section 1104(a) of the National Security Act of 1947, as added by subsection (a) of this section, and issue guidelines under paragraph (3) of such section 1104(a); and
(2) following the establishment of such procedures and the issuance of such guidelines, expeditiously distribute such procedures and such guidelines to appropriate Federal Government and private-sector entities.
(c) Initial Report- The first report required to be submitted under subsection (c) of section 1104 of the National Security Act of 1947, as added by subsection (a) of this section, shall be submitted not later than one year after the date of the enactment of this Act.
(d) Table of Contents Amendment- The table of contents in the first section of such Act is amended by adding at the end the following new item:
`Sec. 1104. Cyber threat intelligence and information sharing.'.