House Handily Passes CISPA
Looking Inside the Cyber Intelligence Sharing and Protection Act
Ignoring a White House threat to veto the Cyber Intelligence Sharing and Protection Act [see White House Threatens CISPA Veto, Again], the House of Representatives approved by a 288-127 vote April 18 the bill known as CISPA.
The measure - aimed at establishing a process for the federal government and businesses to share cyberthreat intelligence - has proven to be one of the more contentious cybersecurity bills Congress has considered. Sponsors of CISPA and its critics have disagreed over whether it furnishes sufficient privacy and civil liberties safeguards [see Perceiving Cyberthreat Info Sharing Bill].
But aside from the controversies, proponents and critics of the current version of CISPA generally agree on its basic goal: knocking down the barriers that discourage government and businesses from sharing cyberthreat intelligence.
Defining Cyberthreat Intelligence
What cyberthreat intelligence is to be shared? CISPA defines it as intelligence that would directly pertain to a vulnerability of a system or network of a government or private enterprise; a threat to the integrity, confidentiality or availability of such a system or any information stored on, processed on or transiting such a system; efforts to deny access to or degrade, disrupt or destroy such a system; or efforts to gain unauthorized access to such a system, including for the purpose of exfiltrating information.
The bill would specifically exclude intelligence pertaining to efforts to gain unauthorized access to such a system or network that solely involves violations of consumer terms of service or consumer licensing agreements and does not otherwise constitute unauthorized access.
The Key Components of CISPA
The legislation would:
- Require the director of National Intelligence to establish procedures to allow the intelligence community to share cyberthreat intelligence with the private sector and utilities and encourage the sharing of such intelligence;
- Ensure that cyberthreat intelligence is only shared with certified organizations or a person with an appropriate security clearance in order to protect U.S. national interests;
- Provide guidelines for the granting of security clearance approvals to certified organizations or officers or employees of such enterprises;
- Restrict a certified organization that receives intelligence to disclosing it only to another certified enterprise or a federal agency authorized to receive such information;
- Require the head of a federal agency receiving cyberthreat intelligence to provide the information to Homeland Security's National Cybersecurity and Communications Integration Center, and allow the agency head to request the center to provide such information to another federal agency;
- Prohibit the use of shared intelligence to gain a competitive advantage and, if shared with the federal government, exempt such information from public disclosure;
- Prohibit a civil or criminal cause of action against a protected entity, a self-protected organization or a cybersecurity provider acting in good faith when sharing cyberthreat information;
- Allow the federal government to use shared cyberthreat information for cybersecurity purposes to safeguard a system; for the investigation of cybersecurity crimes; for the protection of individuals from the danger of death or serious bodily harm; and for the prosecution of crimes involving such dangers, including the protection of minors from child pornography, sexual exploitation, kidnapping and trafficking;
- Prohibit the federal government from searching collected cyberintelligence for any other purpose;
- Provide for the protection of sensitive personal documents, such as library records, firearms sales records, educational records, tax returns and medical records;
- Prohibit federal agencies from retaining shared information for any unauthorized use.
CISPA now heads to the Senate.