Chairman Rogers and Ranking Member Ruppersberger announced today they have agreed to make several additional significant changes to their cyber security bill, H.R. 3523, the Cyber Intelligence Sharing and Protection Act, to address privacy concerns expressed by the Center for Democracy and Technology (CDT) and other privacy groups. These changes will be offered by members as amendments on the floor this week. These important changes include:
Minimization, Retention, and Notification Amendment: An amendment will be filed today that would:
Provide clear authority to the Federal Government to undertake reasonable efforts to limit the impact on privacy and civil liberties of the sharing of cyber threat information with the government, consistent with the need of the government to protect federal systems and cybersecurity.
Prohibit the Federal Government from retaining or using information other than for the purposes specified in the legislation.
Require the Federal Government to notify an entity voluntarily sharing cyber threat information with the government if the government determines that the shared information is not in fact cyber threat information.
Use Amendment: An amendment will be filed today that would significantly tighten the bill's current limitation on the Federal Government's use of cyber threat information that is voluntarily provided by the private sector. The amendment strictly limits the Federal Government's use of voluntarily shared cyber threat information to the following five purposes:
Investigation and prosecution of cybersecurity crimes;
Protection of individuals from the danger of death or serious bodily harm, including the investigation and prosecution of crimes involving such danger of death or serious bodily harm;
Protection of minors from child pornography, any risk of sexual exploitation, and serious threats to the physical safety of a minor, including kidnapping and trafficking, including the investigation and prosecution of crimes involving child pornography, any risk of sexual exploitation, and serious threats to the physical safety of a minor, including kidnapping and trafficking, and any crime referred to in 18 USC 2258A(a)(2); and
Protection of the national security of the United States.
Definitions Amendment: An amendment will be filed today that would tighten the bill's definitions to narrow what cyber threat information may be identified, obtained, and shared, as well as the purposes for which such information may be identified, obtained and shared. The new definitions are limited to information that directly pertains to:
A vulnerability of a system or network of a government or private entity;
A threat to the integrity, confidentiality or availability of such system or network or any information stored on, processed on, or transiting such system or network;
Efforts to degrade, disrupt or destroy such system or network; and
Efforts to gain unauthorized access to a system or network, including to gain such unauthorized access for the purpose of exfiltrating information stored on, processed on, or transiting such system or network, but not including efforts to gain such unauthorized access solely involving violations of consumer terms of service or consumer licensing agreements.
Amendments to Limit Federal Government Use of Cybersecurity Systems: Two amendments will be filed today that would make clear (1) that nothing in this bill would alter existing authorities or provide new authority to any entity to use a federal government owned or operated cybersecurity system on a private sector system or network to protect such system or network; and (2) that the liability provision of the bill extends only to the authorities granted in the legislation. These amendments are designed to clear up any misunderstandings regarding private sector use of cybersecurity systems under the bill.
Chairman Rogers said, "I am very pleased with where the bill stands today. Our bill is designed to help protect American companies from advanced foreign cyber threats, like those posed by the Chinese government. It has always been my desire to do that in a manner that doesn't sacrifice the privacy and civil liberties of Americans, and I am confident that we have achieved that goal. I appreciate all the constructive input we have received and I look forward to getting the bill passed by the House and signed into law. America will be a little safer and our economy a little better protected from foreign cyber predators once this measure is enacted."
"Throughout this entire open process, we have been working with all interested parties to improve the bill. We believe these proposals will be important changes to expand protections for privacy and civil liberties," said C.A. Dutch Ruppersberger, Ranking Member of the House Intelligence Committee.