Yesterday I read the article Cybersecurity is entangled in Washington turf wars on Politico. The article talked about how there are a lot of competing cybersecurity bills being proposed in Washington, D.C. right now. I thought the article was going to talk about the partisan squabbles that threatened to get in the way of security. Instead, it went more into how there are multiple committees coming up with multiple bills, some of which overlap each other.
Need a scorecard? You will soon because the House is expected to move forward later this month on the Intelligence Committee’s bill, which would encourage private companies to voluntarily share information with intelligence agencies while providing liability protections… Nothing is set in stone yet but so far, four bills are expected to be put on the House floor for a vote.
The article gave the names of the bills but it didn’t describe what they contained. Therefore, I decided to go and research some of those bills and combine them into this blog post. So without further ado, here are the four proposed bills so far along with their summaries:
- Cybersecurity Education Enhancement Act of 2011 [HR 76] [govtrack.us summary]
- Directs the Secretary of Homeland Security, acting through the Assistant Secretary of Cybersecurity, to establish, in conjunction with the National Science Foundation, a program to award grants to institutions of higher education for:
(1) cybersecurity professional development programs;
(2) associate degree programs in cybersecurity; and
(3) the purchase of equipment to provide training in cybersecurity for either professional development or degree programs.
- Requires the Director of the National Science Foundation to operate the program.
- Amends the Homeland Security Act of 2002 to direct the Secretary to establish an E-Security Fellows program to bring state, local, tribal, and private sector officials to participate in the work of the National Cybersecurity Division in order to become familiar with Department of Homeland Security cybersecurity missions and capabilities.
- Federal Information Security Amendments Act of 2012 (FISMA 2.0) [HR <TBD>] [govtrack.us summary]
This bill did not have a neat summary I could copy-and-paste, so I had to search the web. Worse yet, I had to read the bill. This bill is an update to FISMA 1.0, which passed in 2002. Its stated purposes are to:
- Provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets;
- Recognize the highly networked nature of the current Federal computing environment and provide effective Government-wide management and oversight of the related information security risks, including coordination of information security efforts throughout the civilian, national security, and law enforcement communities;
- Provide for development and maintenance of minimum controls required to protect Federal information and information infrastructure;
- Provide a mechanism for improved oversight of Federal agency information security programs and systems through a focus on automated and continuous monitoring of agency information systems and regular threat assessments [tzink: this is the biggest change];
- Acknowledge that commercially developed information security products offer advanced, dynamic, robust, and effective information security solutions, reflecting market solutions for the protection of critical information infrastructures important to the national defense and economic security of the Nation that are designed, built, and operated by the private sector; and
- Recognize that the selection of specific technical hardware and software information security solutions should be left to individual agencies from among commercially developed products.
The Department of Defense is excluded from the scope of this bill.
- The Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness Act of 2011 (The PrECISE Act) [HR 3674] [House.gov summary]
- Clearly articulates the cybersecurity authority of DHS, as well as DHS roles and responsibilities;
- Requires DHS to identify cybersecurity risks on a sector-by-sector basis and to collect existing performance standards to determine the best and most efficient methods to mitigate identified risks;
- Establishes the NISO, a private-sector-controlled not-for-profit organization to facilitate best practices, provide technical assistance, and enable the sharing of cyberthreat information across critical infrastructure and with the federal government [tzink: this conflicts with the Cyber Intelligence Sharing and Protection Act of 2011, see below]; and
- Provides for the continuous protection of personally identifiable information, privacy, and civil liberties.
- Cyber Intelligence Sharing and Protection Act of 2011 [HR 3523] [govtrack.us summary]
- Amends the National Security Act of 1947 to add provisions concerning cyber threat intelligence and information sharing.
- Defines "cyber threat intelligence" as information in the possession of an element of the intelligence community directly pertaining to a vulnerability of, or threat to, a system or network of a government or private entity, including information pertaining to the protection of a system or network from:
(1) efforts to degrade, disrupt, or destroy such system or network; or
(2) theft or misappropriation of private or government information, intellectual property, or personally identifiable information.
- Requires the Director of National Intelligence to:
(1) establish procedures to allow intelligence community elements to share cyber threat intelligence with private-sector entities [tzink: this conflicts with the PrECISE Act, which creates the NISO, which is under the supervision of the Department of Homeland Security], and
(2) encourage the sharing of such intelligence.
- Requires the procedures established to ensure that such intelligence is only:
(1) shared with certified entities or a person with an appropriate security clearance,
(2) shared consistent with the need to protect U.S. national security, and
(3) used in a manner that protects such intelligence from unauthorized disclosure.
- Provides for guidelines for the granting of security clearance approvals to certified entities or officers or employees of such entities.
- Authorizes a cybersecurity provider (a non-governmental entity that provides goods or services intended to be used for cybersecurity purposes), with the express consent of a protected entity (an entity that contracts with a cybersecurity provider), to:
(1) use cybersecurity systems to identify and obtain cyber threat information in order to protect the rights and property of the protected entity [tzink: again conflicts with NISO]; and
(2) share cyber threat information with any other entity designated by the protected entity, including the federal government.
- Regulates the use and protection of shared information, including prohibiting the use of such information to gain a competitive advantage and, if shared with the federal government, exempts such information from public disclosure.
- Prohibits a civil or criminal cause of action against a protected entity, a self-protected entity (an entity that provides goods or services for cybersecurity purposes to itself), or a cybersecurity provider acting in good faith under the above circumstances.
- Directs the Privacy and Civil Liberties Oversight Board to submit annually to Congress a review of the sharing and use of such information by the federal government, as well as recommendations for improvements and modifications to address privacy and civil liberties concerns. [tzink: Sounds similar to the final clause in the PrECISE Act above]
- Preempts any state statute that restricts or otherwise regulates an activity authorized by the Act.
The first two bills are non-overlapping and are about education and compliance. The last two show elements of a turf war between two different departments – Homeland Security and Defense.