User:HistoricMN44/cispa2

From Wikipedia, the free encyclopedia
Cyber Intelligence Sharing and Protection Act (2013) (H.R. 624)
Long title: A bill to provide for the sharing of certain cyber threat intelligence and cyber threat information between the intelligence community and cybersecurity entities, and for other purposes.
Acronyms (colloquial): CISPA
Nicknames: Cyber Intelligence Sharing and Protection Act
Enacted by: the 113th United States Congress

The Cyber Intelligence Sharing and Protection Act (2013) (H.R. 624), also known as CISPA, is a proposed law in the United States that would allow different bureaucracies in the United States federal government to share information about cybersecurity and cyber threats with various Internet Service Providers, cybersecurity providers, and other technology entities. More importantly, the law also allows, and orders the Director of National Intelligence to encourage, these organizations to share information related to cybersecurity freely with the federal government.

CISPA has been criticized by advocates of Internet privacy and civil liberties, such as ________________ , as well as various conservative and libertarian groups including the __________________________. Those groups argue CISPA contains too few limits on how and when the government may monitor a private individual’s Internet browsing information. Additionally, they fear that such new powers could be used to spy on the general public rather than to pursue malicious hackers.________cite_______ CISPA garnered favor from corporations and lobbying groups such as __________________ , which look on it as a simple and effective means of sharing important cyber threat information with the government._________cite____________

H.R.624 was introduced on February 13, 2013 by U.S. Representative Michael Rogers (R-MI).[1]

It is important to note that this is the second time a bill called "CISPA" has been introduced into Congress. H.R. 624 is the bill that was introduced into the United States House of Representatives in the 113th United States Congress, which began on January 3rd, 2013 and is scheduled to end on January 3rd, 2015. The current debate and media attention is focused on H.R. 624, the second version of CISPA. The earlier version, the Cyber Intelligence Sharing and Protection Act (2011), was introduced as a piece of legislation, H.R. 3523, in the 112th United States Congress. Although that version of the bill passed the House in 2012, it never passed the United States Senate, and thus never became law. Because a new Congress is in session, the new version of the bill, H.R. 624, will need to go through the entire process of committee mark-up, House votes, and referral to the Senate again before it would ever become law.

Background

H.R. 624, introduced into the 113th Congress, is the second version of a bill named CISPA. The first version was introduced in the 112th Congress where it passed the House, but failed to gain traction in the Senate and died when the new Congress began.

Provisions/Elements of the bill

H.R. 624 amends Title XI of the National Security Act of 1947 (50 U.S.C. § 442 et seq.) by adding a new section: "Section 1104: Cyber threat intelligence and information sharing". H.R. 624 would be adding provisions concerning cyber threat intelligence and information sharing to the National Security Act of 1947. The bill defines "cyber threat intelligence" as intelligence in the possession of an element of the intelligence community directly pertaining to:

(1) a vulnerability of a system or network of a government or private entity;
(2) a threat to the integrity, confidentiality, or availability of such a system or network or any information stored on, processed on, or transiting such a system or network;
(3) efforts to deny access to or degrade, disrupt, or destroy such a system or network; or
(4) efforts to gain unauthorized access to such a system or network, including for the purpose of exfiltrating (removing) information.

The bill would require the Director of National Intelligence (DNI) to:

(1) establish procedures to allow intelligence community elements to share cyber threat intelligence with private-sector entities and utilities, and
(2) encourage the sharing of such intelligence.

H.R. 624 would further require that the procedures established ensure that such intelligence is only:

(1) shared with certified entities or a person with an appropriate security clearance,
(2) shared consistent with the need to protect U.S. national security, and
(3) used in a manner that protects such intelligence from unauthorized disclosure.

The bill provides for guidelines for the granting of security clearance approvals to certified entities or officers or employees of such entities. It also prohibits a certified entity receiving such intelligence from further disclosing the information to any entity other than another certified entity or a federal agency authorized to receive such intelligence.

H.R. 624 authorizes a cybersecurity provider (a non-governmental entity that provides goods or services intended to be used for cybersecurity purposes), with the express consent of a protected entity (an entity that contracts with a cybersecurity provider), to:

(1) use cybersecurity systems to identify and obtain cyber threat information in order to protect the rights and property of the protected entity; and
(2) share cyber threat information with any other entity designated by the protected entity, including the federal government.

The bill provides similar cybersecurity system use and threat information sharing authority to self-protected entities (an entity that provides goods or services for cybersecurity purposes to itself).

The bill requires the head of a federal agency receiving cyber threat information to provide such information to the National Cybersecurity and Communications Integration Center of the Department of Homeland Security (DHS), and allows such agency head to request the Center to provide such information to another federal agency. The bill sets forth requirements with respect to the use and protection of shared information, including prohibiting the use of such information to gain a competitive advantage and, if shared with the federal government, exempts such information from public disclosure. Critically, the bill prohibits a civil or criminal cause of action against a protected entity, a self-protected entity, or a cybersecurity provider acting in good faith under the above circumstances.

H.R. 624 would allow the federal government to use shared cyber threat information:

(1) for cybersecurity purposes to ensure the integrity, confidentiality, availability, or safeguarding of a system or network;
(2) for the investigation of cybersecurity crimes;
(3) for the protection of individuals from the danger of death or serious bodily harm and the prosecution of crimes involving such dangers (including the protection of minors from child pornography, sexual exploitation, kidnapping, and trafficking); or
(4) to protect U.S. national security.

The bill prohibits the federal government from affirmatively, purposefully searching such information for any other purpose.

The bill provides for the protection of sensitive personal documents such as library records, firearms sales records, educational records, tax returns, and medical records. The bill requires any federal agency receiving information that is not cyber threat information to so notify the entity or provider of such information. It prohibits federal agencies from retaining shared information for any unauthorized use. It also outlines federal government liability for violations of restrictions on the disclosure, use, and protection of voluntarily shared information.

Finally, the bill concludes with a sunset provision. Section 3 of H.R. 624 states that five years after the date of the enactment of H.R. 624, the amendments made to the National Security Act of 1947 will expire.[1] Since nearly the entire text of H.R. 624 is devoted to adding a new section on cyber security to the National Security Act of 1947, this effectively means that all provisions of H.R. 624 will expire in five years.

Procedural history

Introduction in the House

H.R. 624 was introduced into the House of Representatives of the 113th Congress on February 13th, 2013 by Rep. Mike Rogers (R-MI) and his original co-sponsor Rep. Dutch Ruppersberger (D-MD).[2] These two men also sponsored H.R. 3523, the version of CISPA from the 112th Congress. Rep. Rogers is the Chairman of the United States House Permanent Select Committee on Intelligence. Rep. Ruppersberger is the ranking member (senior Democrat) of that committee.

When it was introduced on February 13, 2013, H.R. 624 was referred to the United States House Permanent Select Committee on Intelligence. On April 3, 2013, 41 different advocacy groups, news organizations, websites, and other associations wrote an open letter to the Committee requesting that they make all of the mark-up hearings open to the public, rather than closed.[3] The letter expressed their belief that "all congressional committee hearings and votes should be conducted in accordance with our country’s highest principles of transparency and openness and made accessible to the public."[3] The letter also requested that all amendments under consideration be posted online in advance of being voted on.

On April 15, 2013, H.R.624 was reported out of the House Intelligence Committee alongside House Report 113-39.[4] H.R.624 was debated on the floor of the House on April 17 and April 18, 2013.[5] On April 18, 2013, H.R.624 passed the House by a vote of 288 - 127 (Roll Call Vote 117).[6] 196 Republicans and 92 Democrats voted in favor of the bill; 29 Republicans and 98 Democrats voted against it.

Referral to the Senate

After passing in the House, H.R.624 was received in the Senate on April 22, 2013 and immediately referred to the United States Senate Select Committee on Intelligence.

Support for H.R. 624

Supporters of H.R. 624 say that they believe the bill will allow the federal government to help protect private companies and its own agencies from cyber attacks, whether those attacks originate from foreign governments or from non-state actors.[7]

Rep. Ruppersberger, in a statement on his official House website, writes that the bill will accomplish three things: (1) "Allow the Federal government to provide classified cyber threat information to the private sector to help American companies better protect themselves from advanced cyber threats," (2) "Empower American businesses to share cyber threat information with others in the private sector and enable the private sector to share information with the government on a purely voluntary basis, all while providing strong protections for privacy and civil liberties," and (3) "Provides liability protection for companies acting in good faith to protect their own networks or share threat information."[8] Rep. Ruppersberger and his cosponsors insist that the bill is necessary in order to protect American businesses and their trade secrets.[8]


Organizations supporting H.R. 624

The following organizations have publicly stated their support for H.R. 624:

Opposition to H.R. 624

General criticism

Broadly speaking, civil liberties groups and privacy advocates are opposed to the bill.[10]

Privacy concerns

One of the primary criticisms leveled at H.R. 624 is that it fails to adequately protect the privacy of individuals, and in fact, significantly undermines previous legal privacy protections.[9] The proposed legislation found in Section 1104(b)(1) states that "notwithstanding any other provisions of law" a cybersecurity provider or a self-protected entity may "share such cyber threat information with any other entity, including the Federal Government."[11] Any information shared with one department of the federal government can be shared with other departments, subject to some restrictions. Section 1104(b)(4) then exempts the organizations sharing information with the government from any civil or criminal prosecution for sharing the information.[9] This provision would prevent wronged internet users from taking legal action when their privacy is violated.

Congressional

Organizations opposed to H.R. 624

The following organizations have publicly stated their opposition to H.R. 624:

Presidential position

President Barack Obama threatened to veto the first version of CISPA that was introduced into the 112th Congress.[9] At the time, President Obama's Administration indicated that they preferred an alternate piece of legislation on cyber security, one that was backed by Congressional Democrats.[9] Regarding the 2013 version of CISPA, however, the President's position may shift. In early February 2013, Representative Ruppersberger told reporters that he and the bill's other supporters were working hard to bring the Obama administration on-board with the new bill.[13]

Proposed improvements to CISPA

Some organizations, such as The Constitution Project[14], offered suggestions for ways to reform CISPA to address their concerns. These are some of the common changes suggested.

Change who controls the data

The Constitution Project suggested that CISPA be changed to insist that civilian agencies receive the data turned over by private companies, rather than military branches of the government.[15]

Sanitize the data

One common suggestion for improving H.R. 624 is to require that companies strip personal information out of any data they turn over to the federal government. This was one of the four main suggestions for reform offered by The Constitution Project.[16] According to industry experts who testified before the House of Representatives Select Committee on Intelligence in a hearing on H.R. 624, removing this data is technologically possible.[17] The Electronic Frontier Foundation also advocates this approach.[18]

Limit mission scope

The Constitution Project also suggested that the law should be rewritten to better limit the scope of the law by prohibiting the government from using the data for any purpose beyond cybersecurity, in order to avoid "mission creep".[19]

Internet activism over H.R. 624/CISPA

  • An internet domain name registrar called Namecheap held a promotion in March 2013 where it donated $1 to the Electronic Frontier Foundation, which was campaigning against CISPA, every time a Twitter user tweeted the hashtag #CISPAalert.[20] Representative Mike Rogers, the sponsor of CISPA, was apparently unaware of this and thus donated at least $4 to one of the organizations fighting against his bill.[20]

See also

Notes/References

  1. "H.R. 624 - CISPA - Congress.gov". United States Congress. Retrieved 31 March 2013.
  2. "H.R. 624 Co-sponsors". United States Congress. Retrieved 31 March 2013.
  3. "Open CISPA Mark-Up" (PDF). The Constitution Project. Retrieved 5 April 2013.
  4. "House Report 113-39" (PDF). U.S. Government Printing Office. Retrieved 23 April 2013.
  5. "H.R.624 - All major actions". United States Congress. Retrieved 23 April 2013.
  6. "Final Vote Results Roll Call 117". Clerk of the House of Representatives. Retrieved 23 April 2013.
  7. Woodsome, Kate (13 Feb 2013). "Privacy Advocates Prepare New Fight Against US Cyber Bill". Voice of America. Retrieved 5 April 2013.
  8. "Ruppersberger & Rogers Reintroduce Cybersecurity Bill to Protect American Economy". Congressman Ruppersberger. Retrieved 7 April 2013.
  9. McCullagh, Declan. "Privacy backlash against CISPA cybersecurity bill gains traction". C|Net. Retrieved 1 April 2013.
  10. Martinez, Jennifer (5 Feb 2013). "Ruppersberger: House Intelligence Committee to re-introduce CISPA this year". The Hill. Retrieved 2 April 2013.
  11. "H.R. 624 - Bill Text". United States Congress. Retrieved 1 April 2013.
  12. Tsukayama, Hayley (13 Feb 2013). "CISPA's reintroduction stirs new debate". The Washington Post. Retrieved 5 April 2013.
  13. Martinez, Jennifer (5 Feb 2013). "Ruppersberger: House Intelligence Committee to re-introduce CISPA this year". The Hill. Retrieved 2 April 2013.
  14. "House Cybersecurity Bill Lacks Vital Privacy Safeguards". The Constitution Project. 19 Feb 2013. Retrieved 5 April 2013.
  15. "House Cybersecurity Bill Lacks Vital Privacy Safeguards". The Constitution Project. 19 Feb 2013. Retrieved 5 April 2013.
  16. "House Cybersecurity Bill Lacks Vital Privacy Safeguards". The Constitution Project. 19 Feb 2013. Retrieved 5 April 2013.
  17. "Companies Say They Can Strip Personal Data from Shared Cybersecurity Info". Reason Magazine. 19 Feb 2013.
  18. Reitman, Rainey. "Industry Experts to Congress: We Can Remove Personally Identifiable Information Before Reporting Cybersecurity Threats". Electronic Frontier Foundation. Retrieved 5 April 2013.
  19. "House Cybersecurity Bill Lacks Vital Privacy Safeguards". The Constitution Project. 19 Feb 2013. Retrieved 5 April 2013.
  20. Collier, Kevin. "CISPA sponsor inadvertently donates to anti-CISPA campaign". Daily Dot. Retrieved 1 April 2013.

External links

This article incorporates public domain material from websites or documents of the United States Government.
