On Thursday, April 26, 2012, the House is scheduled to begin consideration of H.R. 3523, the Cyber Intelligence Sharing and Protection Act, under a rule.  The bill was introduced by Rep. Mike Rogers (R-MI) on November 30, 2011, and referred to the Committee on Intelligence.  The committee held a mark-up session on December 1, 2011, and ordered the bill to be reported by a vote of 17-1.

H.R. 3523 would amend the National Security Act of 1947 to require that the Director of National Intelligence (DNI) establish procedures allowing element of the intelligence community to share cyber threat intelligence with private-sector entities.

The bill would define "cyber threat intelligence" as information in the possession of an element of the intelligence community directly pertaining to a vulnerability of, or threat to, a system or network of a government or private entity, including information pertaining to the protection of a system or network from: (1) efforts to degrade, disrupt, or destroy such system or network; or (2) theft or misappropriation of private or government information, intellectual property, or personally identifiable information.

The bill would also require that the procedures established ensure that such intelligence is only: (1) shared with certified entities or a person with an appropriate security clearance, (2) shared consistent with the need to protect U.S. national security, and (3) used in a manner that protects such intelligence from unauthorized disclosure.  The bill would also provide for guidelines for the granting of security clearance approvals to certified entities or officers or employees of such entities.

H.R. 3523 would authorize a “cybersecurity provider” (a non-governmental entity that provides goods or services intended to be used for cybersecurity purposes), with the express consent of a “protected entity” (an entity that contracts with a cybersecurity provider) to: (1) use cybersecurity systems to identify and obtain cyber threat information in order to protect the rights and property of the protected entity; and (2) share cyber threat information with any other entity designated by the protected entity, including the federal government.

The bill would regulate the use and protection of shared information, including prohibiting the use of such information to gain a competitive advantage and, if shared with the federal government, would exempt such information from public disclosure.  The bill would also prohibit a civil or criminal cause of action against a protected entity, a self-protected entity (an entity that provides goods or services for cybersecurity purposes to itself), or a cybersecurity provider acting in good faith under the above circumstances.

The bill would also allow the federal government to use shared cyber threat information only if: (1) the use is not for a regulatory purpose, and (2) at least one significant use purpose is either for cybersecurity or the protection of U.S. national security.  The bill would prohibit the federal government from affirmatively searching such information for any other purpose.

Lastly, the bill would direct the Inspector General of the Intelligence Community to submit annually to the congressional intelligence committees a review of the use of such information shared with the federal government, as well as recommendations for improvements and modifications to address privacy and civil liberties concerns.

The bill would preempt any state statute that restricts or otherwise regulates an activity authorized by the Act.

According to H.Rept. 112-445, the House Permanent Select Committee on Intelligence found that a number of advanced nation-state actors are actively engaged in a series of wide-ranging, aggressive efforts to penetrate American computer systems and networks; these efforts extend well beyond government networks, and reach deep into nearly every sector of the American economy, including companies serving critical infrastructure needs.

The Committee report notes, “these efforts are targeted not only at sensitive national security and infrastructure information, but are also often aimed at stealing the corporate research and development information that forms the very lifeblood of the American economy. China, in particular, is engaged in an extensive, day-in, day-out effort to pillage American corporate and government information.  There can be no question that in today’s modern world, economic security is national security, and the government must help the private sector protect itself.”

While the government is already doing much to provide support and assistance to the private sector to address this threat, in particular through the Department of Homeland Security and the Federal Bureau of Investigation, more can and should be done in the immediate future. In particular, the Committee determined that the Intelligence Community is currently in possession of tremendously valuable intelligence and strategic insights derived from its extensive overseas intelligence collection efforts that can and should be provided—in both classified and unclassified form (when possible)—to the private sector in order to help the owners and operators of the vast majority of America’s information infrastructure better protect themselves. The Committee believes that the recent Defense Industrial Base Pilot project (“DIB Pilot”) is a good model for demonstrating how sensitive government threat intelligence can be shared with the private sector in an operationally usable manner. Under the DIB Pilot, the government provides classified threat intelligence to key Internet Service Providers, who use the information to protect a limited number of companies in the defense industrial base, all on a voluntary basis.

The Committee’s review also determined that while much cybersecurity monitoring and threat information sharing takes place today within the private sector, real and perceived legal barriers substantially hamper the efforts of the private sector to protect itself. The Committee determined that these issues are best resolved in the first instance by providing clear, positive authority to permit the monitoring—by the private sector—of privately-owned and operated networks and systems for the purpose of detecting cybersecurity threats and to permit the voluntary sharing of information about those threats and vulnerabilities with others, including entities within the private sector and with the federal government.

In the view of the Committee, an approach based on voluntary, private sector defense of private systems and networks, informed by government intelligence information, best protects individual privacy and takes advantage of the natural incentives built into our economic system, including harnessing private sector drive and innovation. The Committee’s review revealed that America’s cyber infrastructure is distressingly vulnerable to espionage and attacks by nation-states and others with advanced capabilities. The Committee believes that immediate and serious action is necessary to staunch the bleeding of American corporate research and development information and to better protect our national security.

The Congressional Budget Office (CBO) estimates that implementing H.R. 3523 would have a discretionary cost of $15 million over the 2012–2016 period, assuming appropriation of the necessary amounts. Enacting H.R. 3523 would not affect direct spending or revenues; therefore, pay-as-you-go procedures do not apply.

Amendment No. 1—Reps. Langevin (D-RI), Lungren (R-CA): This amendment would expand eligibility to participate in the information sharing program to include critical infrastructure owners and operators, such as airports, utilities, and public transit systems, to receive cyber threat information and better secure their networks.

Amendment No. 2—Rep. Conyers (D-MI): This amendment would strike the criminal and civil liability exemption for decisions made based upon cyber threat information identified, obtained, or shared under this Act.

Amendment No. 3—Rep. Pompeo (R-KS): This amendment would clarify the bill’s liability provision that the use of cybersecurity systems is the use of such systems to identify and obtain cyber threat information.

Amendment No. 4—Reps. Rogers (R-MI), Ruppersberger (D-MD): This amendment would add a provision to clarify that regulatory information already required to be provided remains subject to FOIA requests, as under current law.

Amendment No. 5—Rep. Jackson-Lee (D-TX): This amendment would authorize the Secretary of Homeland Security to intercept and deploy countermeasure with regard to system traffic for cybersecurity purposes and risks to federal systems.

Amendment No. 6—Reps. Quayle (R-AZ), Eshoo (D-CA), Thompson (D-CA), Broun (R-GA): This amendment would limit government use of shared cyber threat information to only 5 purposes: 1) cybersecurity; 2) investigation and prosecution of cybersecurity crimes; 3) protection of individuals from the danger of death or physical injury; 4) protection of minors from physical or psychological harm; and 5) protection of the national security of the United States.

Amendment No. 7—Reps. Amash (R-MI), Labrador (R-ID), Paul (R-TX), Nadler (D-NY), Polis (D-CO): This amendment would prohibit the federal government from using, inter alia, library records, firearms sales records, and tax returns that it receives from private entities under this Act.

Amendment No. 8—Reps. Mulvaney (R-SC), Dicks (D-WA): This amendment would authorize the federal government to create reasonable procedures to protect privacy and civil liberties, consistent with the needs of cybersecurity. The amendment would also prohibit the federal government from retaining or using information shared pursuant to the Act for anything other than a use permitted under the provisions in the bill.

Amendment No. 9—Rep. Flake (R-AZ): This amendment would add a requirement to include a list of all federal agencies receiving information shared with the federal government to the report from the Inspector General of the Intelligence Community required under the bill.

Amendment No. 10—Rep. Richardson (D-CA): This amendment would add a provision allowing a department or agency of the federal government to provide cyber threat information to owners and operators of critical infrastructure.

Amendment No. 11—Rep. Pompeo (R-KS): This amendment would clarify that nothing in the bill would alter existing authorities or provide new authority to any federal agency, including Department of Defense, National Security Agency, Department of Homeland Security, or the Intelligence Community to install, employ, or otherwise use cybersecurity systems on private sector networks.

Amendment No. 12—Rep. Woodall (R-GA): This amendment would add a provision stating that entities who choose not to participate in the voluntary information sharing authorized by this bill are not subject to new liabilities.

Amendment No. 13—Rep. Goodlatee (R-VA): This amendment would narrow definitions in the bill regarding what information may be identified, obtained, and shared.

Amendment No. 14—Rep. Turner (R-OH): This amendment would make a technical correction to definitions in Section 2 (g) to provide consistency with other cyber security policies within the Executive branch and the Department of Defense.

Amendment No. 15—Rep. Mulvaney (R-SC): This amendment would sunset the provisions of the bill five years after the date of enactment.

Amendment No. 16—Rep. Paulsen (R-MN): This amendment would encourage international cooperation on cyber security where feasible.