Cybersec Chart

Published by: bgkelley on Apr 18, 2012
Copyright:Attribution Non-commercial

April 4, 2012
Comparison of Information Sharing, Monitoring and Countermeasures Provisions in the Cybersecurity Bills

The chart below compares on civil liberties grounds four bills that seek to promote cybersecurity. The PRECISE Act, H.R. 3674 (“Lungren” bill) is scheduled for mark-up the week of April 16 at the House Homeland Security Committee. The Cyber Intelligence Sharing and Protection Act, H.R. 3523 (“Rogers” bill) was marked up in December by the House Permanent Select Committee on Intelligence. The Cybersecurity Act, S. 2105 (“Lieberman” bill) was introduced on February 14. The SECURE IT Act, S. 2151 (“McCain” bill) was introduced on March 1. The Lieberman, McCain and Lungren bills all include cybersecurity measures unrelated to information sharing that are not reflected in this chart. For more information, please contact CDT’s Gregory T. Nojeim (gnojeim@cdt.org) or Kendall C. Burman (kburman@cdt.org), 202/637-9800.
Does the bill protect privacy by narrowly defining the cyber threat information that can be shared? (Bill language defining the info that can be shared is so critically important we set it forth for each bill in the appendix.)

Lungren, H.R. 3674: Yes. Authorizes the sharing only of information that is “necessary to identify or describe” one of six carefully defined categories of information related to cyber attacks, and requires reasonable efforts to strip irrelevant information on specific persons. Sec. 248

Rogers, H.R. 3523: No. Very broadly defines the information that can be shared as “information directly pertaining to a vulnerability of, or threat to a system or network,” including information pertaining to protecting a system or network from an attack or theft of information, with no requirement to strip personal information. Sec. 1104(b)(f)(6)

Lieberman, S. 2105: Somewhat. Like the Lungren bill, authorizes entities to disclose eight specific categories of information called “cyber threat indicators,” although information need only be “indicative of” those categories in order to be shared. Also requires reasonable efforts to strip irrelevant information on specific persons. Secs. 702, 704

McCain, S. 2151: No. “Cyber threat information” includes information that is “indicative of or describes” nine categories of information, including that which “may signify malicious intent” or “fosters situational awareness of US security.” Does not require any effort to strip personal information. Sec. 101(4)

[1] The McCain bill defines “cybersecurity center” as “the Department of Defense Cyber Crime Center, the Intelligence Community Incident Response Center, the United States Cyber Command Joint Operations Center, the National Cyber Investigative Joint Task Force, the National Security Agency/Central Security Service Threat Operations Center, [and] the National Cybersecurity and Communications Integration Center, and any successor center.” Sec. 101(5)
Method of sharing?

Lungren, H.R. 3674: Establishes a non-profit, quasi-governmental entity – the National Information Sharing Organization (NISO) – that would serve as a clearinghouse for the exchange of cyber threat information. NISO’s board of directors would be dominated by industry, with government and privacy interests also at the table. Sec. 241

Rogers, H.R. 3523: Allows for private companies and government agencies to exchange information directly for any cybersecurity purpose. Companies would choose the agency or agencies with which they would share information and could also share information directly with each other. The bill creates no clearinghouse. Sec. 1104(b)(1)

Lieberman, S. 2105: Cyber threat indicators may be shared through DHS-designated federal or non-federal exchanges or directly among companies. Since liability protection for private companies only applies for information shared with an exchange, companies will be disinclined to share strictly with each other. Secs. 702, 703

McCain, S. 2151: Allows for private companies to exchange information with each other and with existing cybersecurity centers.[1] Sec. 102(a)(2). Federal contractors providing certain IT services to the government would be required to disclose information. Sec. 102(b)
Does the bill promote transfer of cybersecurity authority from civilian to military control by permitting private civilian entities to share communications info with NSA?

Lungren, H.R. 3674: No. Wisely cements DHS, a civilian agency, as the lead federal agency for cybersecurity. Information sharing authorized in the bill would go through a primarily private entity.

Rogers, H.R. 3523: Yes. The bill creates a real possibility that a military agency, such as NSA or DOD’s Cyber Command, would take the lead. Information sharing is authorized through amendment to Title 50 of National Security Act, rather than through amendment of civilian homeland security authorities.

Lieberman, S. 2105: Unclear. The bill requires DHS, the AG, ODNI, and DOD create a process for designating cyber exchanges. The lead federal cyber exchange could be NSA, Cyber Command, or a DHS entity, but DHS is the lead exchange for up to 60 days until this designation. Other federal exchanges could be civilian or military. Sec. 703(c) and (d)

McCain, S. 2151: Yes. Goes beyond even Rogers by allowing cyber information to be shared by civilian private entities with a host of government cybersecurity centers, the majority of which are military.
Does the bill protect privacy by requiring that information shared with a private company for cybersecurity purposes be used only for cybersecurity purposes?

Lungren, H.R. 3674: Yes. Private companies can only use information for a cybersecurity purpose. Sec. 248(b)(5).

Rogers, H.R. 3523: No. No use restriction protects consumers. Other than a prohibition against using information to gain an unfair competitive advantage, bill leaves all restrictions on use up to the companies who share this information. Also exempts companies from liability for abuses of sharing information if they act in good faith. Sec. 1104 (b)(2) and (3)

Lieberman, S. 2105: Yes. Companies that receive information can use it only for cybersecurity. Secs. 702(b)(4) and 704(c)(4). Companies must agree to any lawful restrictions placed on the disclosure of the info by the disclosing entity or exchange. Secs. 702(b)(2), 704(c)(2), 704(g)(1)(B). They are also prohibited from using info to gain an unfair competitive advantage. Sec. 702(b); 704(c). While there is no immunity for breach of info sharing rules, companies have a good faith defense in any civil or criminal action. Sec. 706(b)

McCain, S. 2151: No. No use restriction protects consumers. Private entities to place restrictions on the use or further sharing of information by the receiving entity. Sec. 102(e). Provides civil and criminal liability protection for the use or disclosure of information under the Act, undermining even this use restriction. Sec. 102(g)
