Representatives Introduce Cyber Threat Information Sharing Bill

November 30, 2011. Rep. Mike Rogers (R-MI) and Rep. Dutch Ruppersberger (D-MD) introduced HR 3523, the "Cyber Intelligence Sharing and Protection Act of 2011". See, discussion draft [11 pages in PDF]. The HIC scheduled an immediate mark up of this bill -- Thursday, December 1, 2011, at 3:00 PM.

This is a bill to promote, but not mandate, information sharing. It would allow sharing. It would create new immunities. On the other hand, it would create no new regulatory regime, no new criminal prohibition regime, no data retention mandate, and no new government surveillance powers.

This bill would amend Title 50, which pertains to national defense and intelligence, to authorize U.S. intelligence agencies to provide secret "cyber threat intelligence" to certain private sector entities, namely, "cybersecurity providers", "protected entities" (of cybersecurity providers), and "self-protected entities" (which provide their own cybersecurity). The bill also allows these entities to further share this intelligence, but prohibits "unauthorized disclosure".

This bill would also allow "cybersecurity providers" and "self-protected entities" to provide "cyber threat information" to others, and to the federal government. But, shared cyber threat information "may not be used by an entity to gain an unfair competitive advantage".

The bill would also grant sweeping immunity from state and federal, and civil and criminal, actions and liability, for "using cybersecurity systems or sharing information in accordance with this" bill, or "for not acting on information obtained or shared in accordance with this" bill.

Rep. Rogers is the Chairman of the House Intelligence Committee (HIC). Rep. Ruppersberger is the ranking Democrat on the HIC. The two spoke at an event at the National Cable and Telecommunications Association (NCTA) on November 30. See, video.

The two also issued a release that states that "American businesses are targeted every day by scheming hackers and nation-states such as China and Russia that are intent on stealing America’s intellectual property and sensitive government information through the Internet."

In addition, on November 17 the two announced an investigation "into the threat posed by Chinese-owned telecommunications companies working in the United States, and the government's response to that threat". See, story titled "House Intelligence Committee Launches Investigation of Huawei" in TLJ Daily E-Mail Alert No. 2,313, November 22, 2011.

Rep. Rogers stated in the joint release that "There is an economic cyber war going on today against U.S. companies ... There are two types of companies in this country, those who know they’ve been hacked, and those who don’t know they’ve been hacked. Economic predators, including nation-states, are blatantly stealing business secrets and innovation from private companies. This cybersecurity bill goes a long way in helping American businesses better protect their networks and their intellectual property."

Rep. Ruppersberger stated in this release that "We simply can’t stand by if we have the ability to help American companies protect themselves. Sharing information about cyber threats is a critical step to preventing them. This bill is a good start toward helping the private sector safeguard its intellectual property and critical cyber networks, including those that power our electrical, water and banking systems. The bill maintains vital protections for privacy and civil liberties without any new federal spending, regulations or unfunded mandates".

The bill defines "cybersecurity intelligence" as information "directly pertaining to a vulnerability of, or threat to, a system or network of a government or private entity, including information pertaining to the protection of a system or network from -- (A) efforts to degrade, disrupt, or destroy such system or network; or (B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information."

Michael Powell, head of the NCTA, and former Chairman of the Federal Communications Commission (FCC), stated at the Wednesday event that there is an "inadequate information flow", and that this bill addresses this.

Powell stated in a release that "We applaud Chairman Rogers and Ranking Member Ruppersberger for introduction of the Cyber Intelligence Sharing and Protection Act of 2011 that will ensure better information sharing between all stakeholders involved in protecting our nation's critical cyber infrastructure. We appreciate that this legislation avoids a prescriptive regulatory regime that does not fit the constantly evolving cyber threat environment and it appropriately allows individual companies to determine how they can best participate. This legislation will protect both our national security and our customers and has the strong support of the nation's cable, telephone and wireless industries. We urge Congress to swiftly pass the Cyber Intelligence Sharing and Protection Act of 2011 into law."

Steve Largent, head of the CTIA, stated at the Wednesday event that "better sharing of information between carriers and their vendors" and the federal government is important.

Walter McCormack, head of USTelecom, stated that his group and members are committed to protecting networks against cyber threats, and that "we can do so much better, we can do so much more, if we can share information with the government in a way that is protected ... This legislation will make that possible." See also, USTelecom release.

Rep. Rogers stated at this event that "there is a cyber war that is going on today." He added that "the threat is real, and our protections are not where they ought to be."

Rep. Rogers said that "the best thing that we can do is remove the barriers" to information sharing between the government and the private sector, and within the private sector. He also stated that "The bill has nothing to do with surveillance."

Rep. Ruppersberger stated that "We will have a catastrophic attack within the next year." He suggested that banking, air traffic control and the grid system could be targets.

Rep. Rogers mentioned several countries in his speech, including the People's Republic of China, Russia, and Iran. Rep. Ruppersberger mentioned North Korea.