The Cybersecurity Act of 2015 was passed in December of 2015 as part of the Omnibus spending bill agreed to by the House and Senate. Companies would be able to voluntarily share cyberthreat data in “real time” with industry partners and the federal government under a spending agreement for fiscal 2016.
The measure represents a compromise between the House and Senate intelligence committees and the House Homeland Security Committee. It includes various components of three separate information sharing bills: H.R. 1560 and H.R. 1731, passed by the House earlier this year, and S. 754, passed by the Senate in October.
The legislation includes provisions, similar to S. 754, that would provide liability protections to companies that share cyberthreat data through a new “portal” at the Homeland Security Department (DHS), which would then share that data with other federal agencies to address the threat.
The compromise version -- called the “Cybersecurity Act of 2015” -- includes additional language that would allow the president to designate an additional portal, if DHS turns out to be “inadequate,” reports Bloomberg’s Alexei Alexis.
The agreement also would direct DHS to share both classified and unclassified information with the private sector.
The legislation would retain a sunset provision from S. 754; requirements would expire on Sept. 30, 2025.
Proponents of the measure say it would prevent attacks by encouraging data sharing between the private and public sectors. Civil liberties advocates oppose the legislation, arguing that it wouldn’t provide adequate privacy protections and could become a tool for the federal government to conduct surveillance.
Sharing Cyberthreat Indicators
The procedures would provide for the timely, automated sharing of both classified and declassified federal cyberthreat indicators and defensive measures with private entities, and state, tribal, or local governments that have appropriate security clearances.
The procedures would also be developed in consultation with the Small Business Administration to take into account challenges unique to small businesses.
The measure would define a “cyber threat indicator” as information that’s necessary to indicate, describe or identify, among other things:
- Malicious reconnaissance or cyber command and control.
- Security vulnerabilities to hardware, software, processes and procedures.
- Methods of defeating a security control or the exploitation of a security vulnerability, including allowing illegitimate users to access information.
Under the agreement, “defensive measures” would include actions, devices, procedures, signatures or techniques used to detect, prevent, or mitigate known or suspected cybersecurity threats or security vulnerabilities.
Private entities -- including nonprofit organizations, businesses, partnerships, corporations or trusts -- could share cyber threat indicators and defensive measures with the federal government and state, tribal or local agencies on a voluntary basis. The measure would stipulate that private entities that choose not to share information would remain eligible for federal funds and contracts.
Although communications would be exempt from public disclosure laws, including the Freedom of Information Act, the measure would prohibit the federal government from using cybersecurity as a reason for denying requests for information under FOIA.
The legislation would prevent companies from “hacking back” or taking offensive measures against hackers.
Cyber threat indicators and defensive measures could only be provided to the federal government for cybersecurity purposes or non-cyber incidents that involve a “specific threat,” and to:
- Protect information or networks from cybersecurity threats or security vulnerabilities.
- Respond to, prevent or mitigate against imminent threats of death, serious bodily harm or threats to minors.
- Investigate or prosecute offenses related to death threats, fraud and identity theft, espionage and censorship, and trade secrets.
The measure would prohibit the use of cyber threat data in the investigation or prosecution of violent felonies.
The legislation would allow state, tribal or local agencies to share cyber threat data to prevent, investigate or prosecute computer crimes.
The Justice Department and DHS would be required to issue procedures governing the receipt of cyber threat indicators and defensive measures by the federal government, including an audit capability and sanctions for federal officers, employees and agents who conduct unauthorized activities.
The agreement also would require the Justice Department to develop and periodically review privacy and civil liberties guidelines to ensure personal or identifying information is protected.
Private entities would share cyber threat indicators through a “portal” at the Homeland Security Department. DHS would act as a clearinghouse by receiving data and then sharing it with other federal agencies. The portal could be used only for sharing cybersecurity threat data.
Within 90 days of enactment, DHS would be required to establish and certify as operational a portal to accept cyber threat indicators in “real time,” and distribute them as quickly as “operationally practicable.” The department would be required to put automated controls in place to remove personal information from data going through the portal.
The measure includes new language that would authorize the president to designate another federal civilian agency to develop and implement a similar sharing capability. The president would need to certify to Congress that the additional portal is needed to ensure private entities are able to share cyber threats.
Private entities monitoring networks, operating defensive measures or sharing cyber threat indicators would be required to use security controls to protect against unauthorized access.
Companies would be required to remove any personal information that isn’t related to a cyber threat before sharing it with the government or other companies. The measure includes a new provision requiring DHS to complete an additional scrub of data to remove personal information prior to sharing.
The government would be required to notify individuals in a “timely manner” if their personal information was inadvertently shared with cyber threat data.
The measure would provide liability protections for companies that share cyber threat indicators and defensive measures through the DHS portal. It would also apply to companies that are contracted to operate or deploy federal network protections.
The agreement also would provide exemptions from antitrust laws for entities that exchange or provide cyber threat data or assistance to prevent, investigate or mitigate a threat.
The exemption wouldn’t apply to activities that constitute future competitive planning, price-fixing, allocating markets between competitors, monopolizing a market, boycotting, or exchanging price and cost information.
The measure would stipulate that companies wouldn’t be required to share cyber threat data or provide warning of a threat.
Private entities would be permitted to monitor their own computer networks, and those of consenting federal agencies or customers, for cyber threats. Companies could block threats, such as attempted unauthorized access, by implementing defensive measures.
The legislation would direct DHS to report to Congress within a year of enactment on the feasibility of producing a risk-informed plan to address simultaneous cyber-incidents affecting critical infrastructure.
DHS would also be required to report to Congress, within 180 days of enactment, on risks to the 10 U.S. ports at greatest risk for a cyber-attack, including recommendations to mitigate vulnerabilities.
A provision from S. 754 requiring owners and operators of critical infrastructure to report potentially catastrophic cyber-intrusions that could affect public health or safety, the economy or national security, was left out of the measure.
Securing Federal Networks
The legislation would formally authorize the DHS “Einstein” system, which is used to detect and remove or block intrusions on federal agency networks.
The agreement would require an accelerated deployment of the third and final phase of the system and would require all federal agencies to use it. DHS would be permitted to contract with private industry to deploy and operate the system. The first two iterations of Einstein only helped to detect hackers.
The measure would authorize DHS to conduct regular risk assessments of federal networks and issue binding operational directives requiring agencies to respond to cybersecurity threats. DHS would be directed to use protective measures if an intrusion is detected.
Federal agencies would implement cybersecurity controls, such as multi-factor authentication and encryption, for sensitive information systems.
Federal inspectors general would be required to assess protective measures used to secure personal or classified information. Reports on the assessments would be due to Congress and the Government Accountability Office within two years of enactment.
Defense Department Authorities
The Defense Department would be authorized to share with other federal agencies information reported by cleared defense contractors when their network or information system has been compromised.
The measure would stipulate that it wouldn’t affect the department’s authority to respond to malicious cyber attacks against the U.S. It cites language included in the fiscal 2016 defense authorization, Public Law 114-92, that directed DOD to develop, prepare and coordinate military cyber-operations, make the armed forces ready for such operations and conduct them “when appropriately authorized to do so.” See Kevin Brancato’s analysis of the deterrence authority and potential opportunities for contractors.
State Department Requirements
The State Department would be required to determine what other countries are doing to apprehend and prosecute international cyber criminals and to prevent crimes against the U.S.
The department would provide annual updates to Congress on the number of international cyber criminals located in countries that don’t have an extradition treaty or mutual legal assistance with the U.S., as well as data on criminals that have been extradited to the U.S.
The department also would be directed to develop a comprehensive strategy on U.S. international cyberspace policy, including:
- An evaluation of actions supporting the president’s May 2011 International Strategy for Cyberspace.
- A plan to conduct bilateral and multilateral talks to establish international norms for engaging in cyberspace, including alternative concepts from China, Russia, Brazil and India.
- An assessment of threats to the U.S. from foreign countries, state-sponsored actors and private actors.
- A review of policy tools and resources to deter such threats.
The department would have to submit the strategy within 90 days of enactment and make it publicly available.
The legislation would preempt or invalidate state disclosure and liability laws and regulations. The preemption wouldn’t block state law enforcement activities, or laws that require information disclosures during a criminal prosecution.
The Office of Personnel Management (OPM) would be directed to create an employment code structure within the National Initiative for Cybersecurity Education’s Cybersecurity Workforce Framework for cybersecurity-related positions throughout the federal government.
OPM would implement the new coding structure for civilian personnel within nine months of enactment and for military personnel within 18 months of enactment. Agencies would then have a year to assign the codes to positions throughout their respective organizations.
Agencies would be required to identify critical cybersecurity-related roles that need to be filled, starting one year after codes are assigned and then annually through fiscal 2022.
Cyber Threats to Emergency Services
Statewide interoperability coordinators would be required to report cybersecurity threats to their emergency response systems and networks to DHS.
Using that information, DHS would conduct an analysis with the National Institute of Standards and Technology (NIST) to improve emergency response network security.
NIST would be required to facilitate and develop, on a continuing basis, methods to further reduce such risks.
Health Sector Risks
The Health and Human Services Department would be required to work with DHS and NIST to:
- Evaluate how to secure networked medical devices and other software or systems that connect to electronic health records.
- Develop a single, voluntary framework of common security practices and standards unique to health care organizations.
- Report to Congress on how the department is facilitating cybersecurity efforts throughout the health-care industry.
Study on Mobile Devices
DHS would be directed, within one year of enactment, to study cybersecurity threats to federal mobile devices and subsequent effects on federal information systems and networks.
Networks used by the Defense Department and the intelligence community would be excluded from the study.
Companies that participate in information sharing would benefit because they could gain access to data, trends and emerging threats that are typically unavailable.
Business leaders have suggested the legislation will help limit liability and subsequent litigation costs when it comes to voluntary information sharing.