The top two members of the House Permanent Select Committee on Intelligence announced they will offer four amendments on the House floor this week to the Cyber Intelligence Sharing and Protection Act (CISPA), H.R. 3523, which is intended to help private companies and the federal government share information about cyber attacks.
Committee Chairman Mike Rogers (R-Mich.) and Ranking Member Dutch Ruppersberger (D-Md.) told reporters during a conference call Tuesday these amendments are, according to a statement:
· Minimization, Retention and Notification Amendment. This would provide clear authority to the federal government to undertake “reasonable” efforts to limit the impact on privacy and civil liberties of sharing cyber threat information with the government, consistent with the need of the government to protect federal systems and cybersecurity. This amendment would also prohibit the government from retaining or using information for purposes other than specified in the legislation and would require the government to notify an entity voluntarily sharing cyber threat information with the government if it determines that the shared information is not, in fact, cyber threat information.
· Use Amendment. This would significantly tighten the bill’s current limitation on the federal government’s use of cyber threat information that is voluntarily provided by the private sector. This amendment strictly limits the government’s use of voluntarily shared cyber threat information to the following five purposes: Cyber security purposes, investigation and prosecution of cyber security crimes, protection of individuals from the danger of death or serious bodily harm (including the investigation and prosecution of such crimes), protection of minors from child pornography (including any risk of sexual exploitation and serious threats to the physical safety of minors) and protection of the national security of the United States.
· Definitions Amendment: This would narrow what cyber threat information may be identified, obtained and shared as well as identify the purposes of which such information may be identified, obtained and shared. The new definitions are limited to information that directly pertains to: A vulnerability of a system or network of a government or private entity; a threat to the integrity, confidentiality or availability of such system, network or any information stored on, processed on or transiting such system or network; efforts to degrade, disrupt or destroy such system or network and efforts to gain unauthorized access to a system or network, including to gain such unauthorized access for the purpose of exfiltrating information stored on, processed on, or transiting such system or network, but not including efforts to gain such unauthorized access solely involving violations of consumer terms of service or consumer licensing agreements.
· Amendments to Limit Federal Government Use of Cyber Security Systems: This consists of two amendments that would make clear that: Nothing in the bill would alter existing authorities or provide new authority to any entity to use a federal government-owned or operated cyber security system on a private sector system or network to protect such system or network and that the liability provision of the bill extends only to the authorities granted in the legislation.
House Speaker John Boehner (R-Ohio) said the three other bills the House will consider this week are:
· The Federal Information Security Amendments (H.R. 4257) measure, which is intended to overhaul the rules for securing federal government networks;
· The Cyber Security Enhancement Act (H.R. 2096), which is aimed at improving federal government cyber security research; and
· Advancing America’s Networking and Information Technology Research and Development (NITRD) Act (H.R. 3834), which would reauthorize the federal government’s NITRD program.
· The CIPSA is one of four cybersecurity bills scheduled to be debated on the House floor this week–the CISPA could be debated as early as today. Large defense companies support the measure, yet civil liberties groups oppose it and the White House has suggested the bill does not call for enough federal oversight of private networks (Defense Daily, April 24).
A similar bill was introduced in the Senate in February. The Cyber Security Act of 2012 would require the Department of Homeland Security (DHS) to assess risks and vulnerabilities to the nation’s critical infrastructure and to work with the owners and operators of designated critical infrastructure to develop risk-based performance requirements. The bill would also require a Senate-confirmed cyber security director at DHS (Defense Daily, Feb. 15).