H.R. 624: Cyber Intelligence Sharing and Protection Act

Introduced:
Feb 13, 2013 (113th Congress, 2013–2015)
Sponsor:
Rep. Mike Rogers [R-MI8]
Status:
Passed House

The bill’s title was written by the bill’s sponsor. H.R. stands for House of Representatives bill.

GovTrack’s Bill Summary

We don’t have a summary available yet.

Library of Congress Summary

The summary below was written by the Congressional Research Service, which is a nonpartisan division of the Library of Congress.


4/18/2013--Passed House amended.
Cyber Intelligence Sharing and Protection Act -
Section 2 -
Directs the federal government to conduct cybersecurity activities to provide shared situational awareness enabling integrated operational actions to protect, prevent, mitigate, respond to, and recover from cyber incidents.
Defines "shared situational awareness" as an environment where cyber threat information is shared in real time between all designated federal cyber operations centers to provide actionable information about all known cyber threats.
Directs the President, with respect to information shared by a cybersecurity provider (a non-federal entity that provides goods or services intended to be used for cybersecurity purposes) or self-protected entity (an entity that provides goods or services for cybersecurity purposes to itself), to designate:
(1) an entity within the Department of Homeland Security (DHS) as the civilian federal entity to receive cyber threat information under prescribed procedures and subject to specified exceptions, and
(2) an entity within the Department of Justice (DOJ) as the civilian federal entity to receive information related to cybersecurity crimes.
Requires federal agencies receiving shared cyber threat information to establish procedures to:
(1) ensure that specified information is also shared in real time with appropriate federal agencies with a national security mission;
(2) ensure real-time information distribution to other federal agencies; and
(3) facilitate information sharing, interaction, and collaboration among and between federal, state, local, tribal, and territorial governments, cybersecurity providers, and self-protected entities.
Directs the DHS, Attorney General, Director of National Intelligence (DNI), and Department of Defense (DOD) to jointly establish and periodically review policies and procedures governing the receipt, retention, use, and disclosure of non-publicly available cyber threat information shared with the federal government.
Requires such procedures, consistent with the need to protect against and mitigate cyber threats in a timely manner, to:
(1) minimize the impact on privacy and civil liberties;
(2) reasonably limit the receipt, retention, use, and disclosure of cyber threat information associated with specific persons that is unnecessary to protect against or mitigate cyber threats in a timely manner;
(3) include requirements to safeguard non-publicly available cyber threat information that may be used to identify specific persons from unauthorized access or acquisition;
(4) protect the confidentiality of cyber threat information associated with specific persons; and
(5) not delay or impede the flow of cyber threat information necessary to defend against or mitigate a cyber threat.
Instructs:
(1) the DHS, Attorney General, DNI, and DOD to submit such procedures to Congress and establish a program to monitor and oversee the compliance of federal agencies; and
(2) federal agencies to implement such procedures and notify such officials and Congress of any significant violations.
Prohibits such procedures from being construed to prohibit any federal agency from engaging in technical discussions regarding cyber threat information with a cybersecurity provider or self-protected entity or from providing technical assistance to address vulnerabilities or mitigate threats at their request.
Requires any such activity to be coordinated with DHS and other agencies.
Directs the President's designated DHS entity to share with all appropriate federal agencies all significant information resulting from:
(1) technical discussions with a cybersecurity provider or self-protected entity about cyber threat information, or
(2) any technical assistance it provides to such cybersecurity provider or such self-protected entity to address vulnerabilities or mitigate threats.
Directs the DHS Inspector General to submit annually to Congress a review of the use of such information shared with the federal government, as well as recommendations for improvements and modifications to address privacy and civil liberties concerns.
Requires the DHS Officer for Civil Rights and Civil Liberties to submit to Congress an annual report assessing the privacy and civil liberties impact of the federal government's cyber threat information sharing activities.
Section 3 -
Amends the National Security Act of 1947 to add provisions concerning cyber threat intelligence and information sharing.
Defines "cyber threat intelligence" as intelligence in the possession of an element of the intelligence community directly pertaining to:
(1) a vulnerability of a system or network of a government or private entity or utility;
(2) a threat to the integrity, confidentiality, or availability of such a system or network or any information stored on, processed on, or transiting such a system or network;
(3) efforts to deny access to or degrade, disrupt, or destroy such a system or network; or
(4) efforts to gain unauthorized access to such a system or network, including for the purpose of exfiltrating information.
Excludes intelligence pertaining to efforts to gain unauthorized access to such a system or network that solely involve violations of consumer terms of service or consumer licensing agreements and do not otherwise constitute unauthorized access.
Requires the DNI to:
(1) establish procedures to allow intelligence community elements to share cyber threat intelligence with private-sector entities and utilities, and
(2) encourage the sharing of such intelligence.
Requires the procedures established to ensure that such intelligence is only:
(1) shared with certified entities or a person with an appropriate security clearance;
(2) shared consistent with the need to protect U.S. national security;
(3) used in a manner that protects such intelligence from unauthorized disclosure; and
(4) used, retained, or further disclosed by a certified entity for cybersecurity purposes.
Provides guidelines for the granting of security clearance approvals to certified entities or officers, employees, or independent contractors of such entities.
Prohibits a certified entity receiving such intelligence from further disclosing the information to any entity other than another certified entity or a federal agency authorized to receive such intelligence.
Authorizes a cybersecurity provider, with the express consent of a protected entity (an entity that contracts with a cybersecurity provider), to:
(1) use cybersecurity systems to identify and obtain cyber threat information in order to protect the rights and property of the protected entity; and
(2) share cyber threat information with any other entity designated by the protected entity, including, if specifically designated, the DHS and DOJ entities designated by the President. Provides cybersecurity system use and threat information sharing authority to self-protected entities.
Sets forth requirements with respect to the use and protection of shared information, including anonymization or minimization of such information and prohibiting the use of such information to gain a competitive advantage and, if shared with the federal government, exempts such information from public disclosure and prohibits the use of such information for regulatory purposes.
Specifies that a non-federal recipient may only use such information for a cybersecurity purpose.
Prohibits a civil or criminal cause of action against a protected entity, a self-protected entity, or a cybersecurity provider acting in good faith under the above circumstances.
Prohibits such shared information requirements from being construed to provide new authority to:
(1) a cybersecurity provider to use a cybersecurity system to identify or obtain cyber threat information from a system or network other than a system or network owned or operated by a protected entity for which such cybersecurity provider is providing goods or services for cybersecurity purposes, or
(2) a self-protected entity to use a cybersecurity system to identify or obtain cyber threat information from a system or network other than a system or network owned or operated by such self-protected entity.
Allows the federal government to use shared cyber threat information for:
(1) cybersecurity purposes to ensure the integrity, confidentiality, availability, or safeguarding of a system or network;
(2) the investigation of cybersecurity crimes; or
(3) the protection of individuals from the danger of death or serious bodily harm and the prosecution of crimes involving such dangers (including the protection of minors from child pornography, sexual exploitation, kidnapping, and trafficking).
Prohibits the federal government from affirmatively searching such information for any other purpose.
Prohibits the federal government from using certain personally identifiable information shared from sensitive personal documents such as library records, firearms sales records, educational records, tax returns, and medical records.
Requires a federal agency receiving information that is not cyber threat information to so notify the entity or provider of such information.
Prohibits federal agencies from retaining shared information for any unauthorized use.
Outlines federal government liability for violations of restrictions on the disclosure, use, and protection of voluntarily shared information.
Preempts any state statute that restricts or otherwise regulates specified activity authorized by this Act. States that nothing in this section shall be construed to:
(1) provide additional authority to, or modify existing authority of, any element of the intelligence community to control or direct the cybersecurity efforts of a private-sector entity or a component of the federal government or a state, local, or tribal government;
(2) limit or affect existing information sharing relationships of the federal government;
(3) preclude the federal government from requiring an entity to report significant cyber incidents under another provision of law; or
(4) provide additional authority to, or modify existing authority of, any entity to use a cybersecurity system owned or controlled by the federal government on a private-sector system or network to protect the latter system or network.
Prohibits this section from being construed to authorize the DOD, National Security Agency (NSA), or any other intelligence community element to target a U.S. person for surveillance.
Section 4 -
Repeals amendments made by this Act five years after enactment of this Act.
Section 5 -
Expresses the sense of Congress that international cooperation with regard to cybersecurity should be encouraged wherever possible.
Section 6 -
Prohibits this Act from being construed to provide new or alter any existing authority for an entity to sell personal information of a consumer to another entity for marketing purposes.
Section 7 -
Prohibits this Act from being construed to authorize a federal agency to require a federally contracted cybersecurity provider to provide information about cybersecurity incidents that do not pose a threat to the federal government's information.

House Republican Conference Summary

The summary below was written by the House Republican Conference, which is the caucus of Republicans in the House of Representatives.


This summary can be found at http://www.gop.gov/bill/113/1/hr624.

Background

Each day, the U.S. government and private American companies are targeted by individual hackers and state-sponsored entities, which seek to gain access to sensitive national security and infrastructure information and valuable research and development from American companies.  When hackers steal trade secrets from American companies, those companies are placed at a disadvantage in the global market.  According to HPSCI, “China, in particular, is engaged in an extensive, day-in, day-out effort to pillage American intellectual property.”[1]  Although it is difficult to quantify, estimates of loss from cyber economic espionage range up to $400 billion per year.[2]   

In the 112th Congress, HPSCI held a series of briefings and hearings to examine the extent and impact of cybersecurity threats, and to determine what actions the intelligence community could take to better defend against these attacks. The Committee found that the intelligence community possesses valuable intelligence that—if made available to the private sector—would significantly improve the ability of American companies to better defend themselves.[3]  Yet a lack of positive legal authority has kept the intelligence community from sharing such information with private companies.  In addition, policy and legal barriers have prevented the private sector from sharing cyber threat information with other parts of the private sector and with the federal government. 

H.R. 624 aims to provide positive authority to permit the voluntary sharing of information about cybersecurity threats and vulnerabilities with others—including entities within the private sector, and with the federal government.  H.R. 624 was modeled after the Defense Industrial Base Enhanced Cybersecurity Services (DECS) program, operated by the Department of Defense, through which “the government provides threat intelligence to key Internet Service Providers, who use the information to protect a limited number of companies in the defense industrial base, all on a voluntary basis.”[4]

The House passed similar legislation (H.R. 3523) in the 112th Congress on April 26, 2012 by a vote of 248-168; however, the Senate did not take up the measure.  On April 16, 2013 the White House issued a Statement of Administration Policy (SAP) recommending that the President veto H.R. 624.

Key Messaging

  • Each day, American companies are confronted with an onslaught of cyber attacks from countries like China, Russia and Iran, which seek to steal valuable research and development and other vital trade secrets.
  • These entities also work to obtain sensitive national security information, including information on U.S. weapons systems and military installations. The nation’s critical infrastructure systems—the electronic power grid, and vital transportation and telecommunications systems—also are at risk.
  • When trade secrets are exploited by foreign companies, American jobs are stolen and U.S. companies are placed at a competitive disadvantage within the global economy.
  • If cybersecurity were dramatically strengthened, up to $400 billion lost on economic espionage each year could instead be reinvested in the American economy.
  • National security would also be reinforced, preserving an environment where individuals are safe to pursue the American dream.
  • Rather than burdening businesses with costly regulation, H.R. 624 would equip private companies with as much intelligence as possible, leaving protection of the private sector in private hands.


[1] House Permanent Select Committee on Intelligence report 113-39 at 9.

[2] House Permanent Select Committee on Intelligence, The Rogers-Ruppersberger Cybersecurity Bill at 1.

[3] House Permanent Select Committee on Intelligence report 113-39 at 9-10.

[4] Id. at 10.

Summary

H.R. 624 breaks down policy and legal barriers to allow the federal government to share classified cyber threat intelligence with the private sector; and to allow private sector entities to share cyber threat information with one another and with the federal government on a purely voluntary basis.

Specifically, H.R. 624 requires the Director of National Intelligence (DNI) to establish procedures to enable the intelligence community to share classified cyber threat intelligence with private sector entities.  In addition, H.R. 624 authorizes private sector cybersecurity providers—if they receive the express consent of those they protect—to voluntarily share cyber threat information with other entities, including the federal government.

H.R. 624 protects private sector entities from civil or criminal liability if they, in good faith, share cyber threat information with other private entities and with the federal government.  The bill also prevents private sector liability for any decision made as a result of the information obtained or shared.  Nothing in H.R. 624 requires a private entity to share cyber threat information with the federal government, and nothing in the bill conditions a private entity’s receipt of cyber threat intelligence from the federal government on its willingness to provide information to the federal government.

The information shared by the private sector must be limited to “cyber threat information,” and may only be used for the following limited purposes: cybersecurity; investigation and prosecution of cybersecurity crimes; protection of individuals from danger of death or serious physical injury; investigation and prosecution of crimes involving death or serious physical injury; protection of minors from harm such as child pornography, kidnapping, and trafficking; and investigation and prosecution of such crimes against minors.  In the markup of H.R. 624, the House Permanent Select Committee on Intelligence (HPSCI) removed a provision that allowed the federal government to use cyber threat information received from the private sector for the protection of national security.  H.R. 624 enforces the authorized uses listed above by allowing an adversely affected individual to sue the federal government if it intentionally or willfully misuses such information in a manner not provided for in the bill.

H.R. 624 requires the DNI, working with the Secretary of Homeland Security and the Attorney General, to establish and periodically review policies and procedures for the receipt, retention, use, and disclosure of cyber threat information shared with the federal government.  In part, the procedures must minimize the impact on privacy and civil liberties.   H.R. 624 requires the DNI to submit the procedures to Congress, and requires the establishment of a program to oversee federal agency compliance with the procedures.

H.R. 624 requires the issuance of two reports to analyze the information shared with the federal government under the measure: 1) The Inspector General of the Intelligence Community must submit an annual report to congressional intelligence committees, reviewing the use of information shared by the private sector with the federal government.  In part, the report must provide metrics for analyzing the impact of such information sharing on privacy and civil liberties; 2) H.R. 624 also requires the Civil Liberties Protection Officer of the Office of the DNI and the Chief Privacy and Civil Liberties Officer of the Department of Justice to submit to Congress an annual report on the privacy and civil liberties impact of the activities conducted by the federal government under the measure.  Both reports must be unclassified.

H.R. 624 will sunset five years after its enactment. 

Cost

The CBO estimates that implementing the bill would have a discretionary cost of $20 million over the 2014-2018 period, assuming appropriation of the necessary amounts.  Enacting H.R. 624 could affect direct spending or revenues; therefore, pay-as-you-go procedures apply.  However, CBO estimates that those effects would be insignificant for each year.  The bill would impose intergovernmental and private-sector mandates, as defined in the Unfunded Mandates Reform Act (UMRA), by extending civil and criminal liability protection to entities and cybersecurity providers that share or use cyber threat information. The bill also would impose additional intergovernmental mandates on state governments by preempting state disclosure and liability laws. Because of uncertainty about the number of cases that would be limited and any forgone compensation that would result from compensatory damages, CBO cannot determine whether the costs of the mandate would exceed the annual threshold established in UMRA for private-sector mandates ($150 million in 2013, adjusted annually for inflation). However, CBO estimates that the aggregate costs of the mandates on public entities would fall below the threshold for intergovernmental mandates ($75 million in 2013, adjusted annually for inflation).  For more information, see CBO’s cost estimate on H.R. 624.

House Democratic Caucus Summary

The House Democratic Caucus does not provide summaries of bills.

So, yes, we display the House Republican Conference’s summaries when available even if we do not have a Democratic summary available. That’s because we feel it is better to give you as much information as possible, even if we cannot provide every viewpoint.

We’ll be looking for a source of summaries from the other side in the meanwhile.

The bill contains the following citations to other parts of U.S. law:

Slip Laws

Slip laws refer to enacted bills and joint resolutions in their original form as enacted by Congress, that is, before other laws amend them. Slip laws are cited as “Public Law XXX-YYY”, where XXX is the number of the Congress in which the bill or resolution was introduced.

United States Code

The United States Code is the compilation of permanent laws enacted by Congress. Temporary and other non-permanent laws do not appear in the United States Code. (About half of the United States Code is the law itself, called positive law. The other half is merely a compilation of the laws but has no legal significance.)