CRPT-112hrpt445

Published by: bgkelley on Apr 18, 2012
Copyright: Attribution Non-commercial

19–006
112TH CONGRESS
2d Session
HOUSE OF REPRESENTATIVES
REPORT 112–445

CYBER INTELLIGENCE SHARING AND PROTECTION ACT

APRIL 17, 2012.—Committed to the Committee of the Whole House on the State of the Union and ordered to be printed

Mr. ROGERS of Michigan, from the Permanent Select Committee on Intelligence, submitted the following

REPORT

together with

MINORITY VIEWS

[To accompany H.R. 3523]

[Including cost estimate of the Congressional Budget Office]

The Permanent Select Committee on Intelligence, to whom was referred the bill (H.R. 3523) to provide for the sharing of certain cyber threat intelligence and cyber threat information between the intelligence community and cybersecurity entities, and for other purposes, having considered the same, report favorably thereon with an amendment and recommend that the bill as amended do pass.

The amendment is as follows:

Strike all after the enacting clause and insert the following:

SECTION 1. SHORT TITLE.

This Act may be cited as the ‘‘Cyber Intelligence Sharing and Protection Act’’.

SEC. 2. CYBER THREAT INTELLIGENCE AND INFORMATION SHARING.

(a) IN GENERAL.—Title XI of the National Security Act of 1947 (50 U.S.C. 442 et seq.) is amended by adding at the end the following new section:

‘‘CYBER THREAT INTELLIGENCE AND INFORMATION SHARING

‘‘SEC. 1104. (a) INTELLIGENCE COMMUNITY SHARING OF CYBER THREAT INTELLIGENCE WITH PRIVATE SECTOR.—
‘‘(1) IN GENERAL.—The Director of National Intelligence shall establish procedures to allow elements of the intelligence community to share cyber threat intelligence with private-sector entities and to encourage the sharing of such intelligence.
‘‘(2) SHARING AND USE OF CLASSIFIED INTELLIGENCE.—The procedures established under paragraph (1) shall provide that classified cyber threat intelligence may only be—
VerDate Mar 15 2010 04:37 Apr 18, 2012Jkt 019006PO 00000Frm 00001Fmt 6659Sfmt 6621E:\HR\OC\HR445.XXXHR445
‘‘(A) shared by an element of the intelligence community with—
‘‘(i) certified entities; or
‘‘(ii) a person with an appropriate security clearance to receive such cyber threat intelligence;
‘‘(B) shared consistent with the need to protect the national security of the United States; and
‘‘(C) used by a certified entity in a manner which protects such cyber threat intelligence from unauthorized disclosure.
‘‘(3) SECURITY CLEARANCE APPROVALS.—The Director of National Intelligence shall issue guidelines providing that the head of an element of the intelligence community may, as the head of such element considers necessary to carry out this subsection—
‘‘(A) grant a security clearance on a temporary or permanent basis to an employee or officer of a certified entity;
‘‘(B) grant a security clearance on a temporary or permanent basis to a certified entity and approval to use appropriate facilities; and
‘‘(C) expedite the security clearance process for a person or entity as the head of such element considers necessary, consistent with the need to protect the national security of the United States.
‘‘(4) NO RIGHT OR BENEFIT.—The provision of information to a private-sector entity under this subsection shall not create a right or benefit to similar information by such entity or any other private-sector entity.

‘‘(b) PRIVATE SECTOR USE OF CYBERSECURITY SYSTEMS AND SHARING OF CYBER THREAT INFORMATION.—
‘‘(1) IN GENERAL.—
‘‘(A) CYBERSECURITY PROVIDERS.—Notwithstanding any other provision of law, a cybersecurity provider, with the express consent of a protected entity for which such cybersecurity provider is providing goods or services for cybersecurity purposes, may, for cybersecurity purposes—
‘‘(i) use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property of such protected entity; and
‘‘(ii) share such cyber threat information with any other entity designated by such protected entity, including, if specifically designated, the Federal Government.
‘‘(B) SELF-PROTECTED ENTITIES.—Notwithstanding any other provision of law, a self-protected entity may, for cybersecurity purposes—
‘‘(i) use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property of such self-protected entity; and
‘‘(ii) share such cyber threat information with any other entity, including the Federal Government.
‘‘(2) USE AND PROTECTION OF INFORMATION.—Cyber threat information shared in accordance with paragraph (1)—
‘‘(A) shall only be shared in accordance with any restrictions placed on the sharing of such information by the protected entity or self-protected entity authorizing such sharing, including appropriate anonymization or minimization of such information;
‘‘(B) may not be used by an entity to gain an unfair competitive advantage to the detriment of the protected entity or the self-protected entity authorizing the sharing of information; and
‘‘(C) if shared with the Federal Government—
‘‘(i) shall be exempt from disclosure under section 552 of title 5, United States Code;
‘‘(ii) shall be considered proprietary information and shall not be disclosed to an entity outside of the Federal Government except as authorized by the entity sharing such information; and
‘‘(iii) shall not be used by the Federal Government for regulatory purposes.
‘‘(3) EXEMPTION FROM LIABILITY.—No civil or criminal cause of action shall lie or be maintained in Federal or State court against a protected entity, self-protected entity, cybersecurity provider, or an officer, employee, or agent of a protected entity, self-protected entity, or cybersecurity provider, acting in good faith—
‘‘(A) for using cybersecurity systems or sharing information in accordance with this section; or
‘‘(B) for not acting on information obtained or shared in accordance with this section.
‘‘(4) RELATIONSHIP TO OTHER LAWS REQUIRING THE DISCLOSURE OF INFORMATION.—The submission of information under this subsection to the Federal Government shall not satisfy or affect any requirement under any other provision of law for a person or entity to provide information to the Federal Government.

‘‘(c) FEDERAL GOVERNMENT USE OF INFORMATION.—
‘‘(1) LIMITATION.—The Federal Government may use cyber threat information shared with the Federal Government in accordance with subsection (b) for any lawful purpose only if—
‘‘(A) the use of such information is not for a regulatory purpose; and
‘‘(B) at least one significant purpose of the use of such information is—
‘‘(i) a cybersecurity purpose; or
‘‘(ii) the protection of the national security of the United States.
‘‘(2) AFFIRMATIVE SEARCH RESTRICTION.—The Federal Government may not affirmatively search cyber threat information shared with the Federal Government under subsection (b) for a purpose other than a purpose referred to in paragraph (1)(B).
‘‘(3) ANTI-TASKING RESTRICTION.—Nothing in this section shall be construed to permit the Federal Government to—
‘‘(A) require a private-sector entity to share information with the Federal Government; or
‘‘(B) condition the sharing of cyber threat intelligence with a private-sector entity on the provision of cyber threat information to the Federal Government.

‘‘(d) REPORT ON INFORMATION SHARING.—
‘‘(1) REPORT.—The Inspector General of the Intelligence Community shall annually submit to the congressional intelligence committees a report containing a review of the use of information shared with the Federal Government under this section, including—
‘‘(A) a review of the use by the Federal Government of such information for a purpose other than a cybersecurity purpose;
‘‘(B) a review of the type of information shared with the Federal Government under this section;
‘‘(C) a review of the actions taken by the Federal Government based on such information;
‘‘(D) appropriate metrics to determine the impact of the sharing of such information with the Federal Government on privacy and civil liberties, if any; and
‘‘(E) any recommendations of the Inspector General for improvements or modifications to the authorities under this section.
‘‘(2) FORM.—Each report required under paragraph (1) shall be submitted in unclassified form, but may include a classified annex.

‘‘(e) FEDERAL PREEMPTION.—This section supersedes any statute of a State or political subdivision of a State that restricts or otherwise expressly regulates an activity authorized under subsection (b).

‘‘(f) SAVINGS CLAUSE.—Nothing in this section shall be construed to limit any other authority to use a cybersecurity system or to identify, obtain, or share cyber threat intelligence or cyber threat information.

‘‘(g) DEFINITIONS.—In this section:
‘‘(1) CERTIFIED ENTITY.—The term ‘certified entity’ means a protected entity, self-protected entity, or cybersecurity provider that—
‘‘(A) possesses or is eligible to obtain a security clearance, as determined by the Director of National Intelligence; and
‘‘(B) is able to demonstrate to the Director of National Intelligence that such provider or such entity can appropriately protect classified cyber threat intelligence.
‘‘(2) CYBER THREAT INFORMATION.—The term ‘cyber threat information’ means information directly pertaining to a vulnerability of, or threat to, a system or network of a government or private entity, including information pertaining to the protection of a system or network from—
‘‘(A) efforts to degrade, disrupt, or destroy such system or network; or
‘‘(B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information.
‘‘(3) CYBER THREAT INTELLIGENCE.—The term ‘cyber threat intelligence’ means information in the possession of an element of the intelligence community directly pertaining to a vulnerability of, or threat to, a system or network of a government or private entity, including information pertaining to the protection of a system or network from—
‘‘(A) efforts to degrade, disrupt, or destroy such system or network; or