CD106: CISA and Friends

Congressional Dish - A podcast by Jennifer Briney

CISA - the Cybersecurity Information Sharing Act - has officially passed the Senate. While Congress is busy merging CISA with two other so-called cybersecurity bills that passed the House of Representatives, in this episode, by taking an in-depth look at the contents of all three bills, we discover that these bills are not what you're being led to believe.

: Cybersecurity Information Sharing Act of 2015

Passed the Senate on October 27, 2015.
Sponsored by Sen. Richard Burr of North Carolina

Outline of the Bill

Definitions:

= "Any executive department, military department, Government corporation, Government controlled corporation, or other (including the Executive Office of the President), or any independent regulatory agency, but does not include —
- The Government Accountability Office
- Federal Election Commission
- The governments of the District of Columbia and of the territories and possessions of the United States, and their various subdivisions
- Government-owned contractor-operated facilities, including laboratories engaged in national defense research and production activities

= An action "not protected by the First Amendment to the Constitution" that "may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system." A "cybersecurity threat" does not include "any action that solely involves a violation of a consumer term of service or a consumer licensing agreement."
= Information that is needed to identify -
- , including strange patterns of communications that appear to be collecting technical information
- Security breaches
- Security vulnerabilities
- A legitimate user being used to defeat a security system
- The harm caused by a cybersecurity incident, including the information taken as a result
- "Any other attribute of a cybersecurity threat, if disclosure of such attribute is not otherwise prohibited by law"

= "Any , non-Federal government agency or department, or State, tribal, or local government (including a political subdivision, department, or component thereof)
- Does not include "a "foreign power", a foreign government or a foreign based political organization.

Sharing of Information by the Federal Government

- will write procedures for sharing and "cyber threat indicators" and that would help the "entities" to prevent cybersecurity threats.
- The officials writing the rules will be the Director of National Intelligence, the Secretary of Homeland Security, the Secretary of Defense, and the Attorney General.
- The rules they write have to:
  - Ensure "cyber threat indicators" can be
  - Include notification procedures for false alarms
  - Include requirements for the Federal government agencies to to the information
  - Requires a Federal entity sharing information to
  - Include for people whose personal information is shared by the government.
- Their procedures 60 days after CISA becomes law.

Monitoring Authorizations

- Private companies their own information systems, other private information systems or Federal information systems with permission, and monitor "information that is stored on, processed by, or transiting these information systems"
- Entities can share with and receive information from .
- Before sharing information, it and information known to be personal information "at the time of the sharing" must be removed.
- With the written consent of the sharing entity, information shared with a State, tribal, or local government may be used for ...* , , , ,
- The information shared with the government as a "cyber threat indicator" will be .
- for sharing information with each other "for cybersecurity purposes"

Sharing of Information by "Entities" with the Federal Government

- The Attorney General and Secretary of Homeland Security governing receipt of information from private entities and local governments.
- The policies must include...
  - for sharing information with "all of the appropriate Federal entities"
  - Rules governing of the information received by the Federal Government.
  - for Federal employees who break the law
- The Attorney General and Secretary of Homeland will explaining what qualifies as a cyber threat indicator
- The Attorney General, with help from "private entities", will have 180 days that will govern how the Federal Government uses the information it receives
  - The privacy guidelines will be reviewed every two years
  - The Attorney General will determine how long the information will be kept by the government
- The shared with the government.
- Information shared under the Freedom of Information Act and all State, tribal, and local laws.
- In addition to the items of the list of allowed uses of information by State, tribal, and local governments (see Monitoring Authorizations section), the Federal Government can also use the information to...

Protection from Liability

- for sharing information with the government under CISA regulations.
- The only way a private entity can be sued is in the case of "gross negligence or willful misconduct"

Oversight of Government Activities

- Federal Inspectors General will complete a .
- The report may include recommendations for improvement

Other Rules

- , attempting to monopolize a market, boycotting, or exchanges of price or cost information, customer lists, or information regarding future competitive planning.
Intrusion Assessment Plan

- The Secretary of Homeland Security will to identify and remove intruders on agency information systems.
- The plan will not apply to the Department of Defense, a national security system or an element of the intelligence community.
- The deployment and operation of the new monitoring system
- The private contractor would not be allowed to disclose any of the information they access
- The private contractor will have Internet service providers with a customer without their customer's consent
- The activities carried out in this new monitoring plan need to be to protect agency information systems from cybersecurity risks

Federal Cybersecurity Requirements

- Agencies will have to information that is stored or transmitted by their information systems, create a single sign-in method for individuals accessing their websites, and implement identity management systems for remote access for each user account.
- This to the Department of Defense, a national security system, or elements of the intelligence community.

Emergencies

- The Secretary of Homeland Security in the case of an "imminent threat"

Study on Mobile Device Security

- The Secretary of Homeland Security in the Federal Government

Health Care Industry Sharing

- to create a plan for sharing with private health care entities specifically

Strategy for Protecting Critical Infrastructure

- ensuring that cyber security incidents would probably not be catastrophic for public health or safety, economic security, or national security.
- The strategy must include...
  - An assessment of whether each entity should be required to report cyber security incidents
  - A description of security gaps
  - Additional power needed
- Some of this report can be classified.

Sunset

- The provisions of this bill would

: National Cybersecurity Protection Advancement Act of 2015

For reference, here's the of the Homeland Security Act, which is amended by this bill.
This bill:

- to the that will be part of the National Cybersecurity and Communications Integration Center, which coordinates information sharing between the Federal government and other entities.
- Adds new groups to the list of who will be included in the National Cybersecurity and Communications Integration Center who .
- that the National Cybersecurity and Communications Integration Center will share between the Federal government, local governments, and private sector.
- Authorizes the National Cybersecurity and Communications Integration Center to .
- Requires the government and businesses to use existing technology between the National Cybersecurity and Communications Integration Center and Federal agencies.
- Participation by non-Federal entities .
- Agreements that exist before this bill is signed into law with this law.
- All participating entities need to take . There are no listed punishments if they don't.
- for governing the use of information shared with the National Cybersecurity and Communications Integration Center . He/she will also be responsible for for government employees who disregard his/her privacy policies.
- entities that share information , if they share information according to this law.
- If the Federal government breaks this law, it will have to pay the person . There is a two-year statute of limitations.
- This law that limit information sharing.
- The law would after enactment.

Passed
Sponsored by Rep. Michael McCaul of Texas

: Protecting Cyber Networks Act

- Contains the text of H.R. 1731: National Cybersecurity Protection Advancement Act
- Within of enactment, the for sharing classified "cyber threat indicators" with "non-Federal entities"
- Allows cybersecurity monitoring of government systems
- Allows "non-Federal entities" to other than the Defense Department.
- The entity sharing information must to remove personally identifiable information on people "not directly related" to the cybersecurity threat.
- governing what happens to information received by the Federal Government, of the bill becoming law.
- relating to privacy and civil liberties, within of the bill becoming law.
- A new branch, with , will be created within the Office of the Director of National Intelligence called the Cyber Threat Intelligence Integration Center, which will
- Information shared with the government is .
- Information given to the government to investigate, prosecute, prevent or mitigate a threat of "death or serious bodily harm or an offense arising out of such a threat" and to investigate, prosecute, prevent or mitigate a threat to a minor.
- to prevent, investigate, disrupt, or prosecute , , including murder, manslaughter, assault, sexual abuse, kidnapping, robbery, carjacking, extortion, firearms use, firearms possession, or attempt to commit any of these crimes, including photographing or sketching defense installations, and .

Passed
Sponsored by Rep. Devin Nunes of California

Audio Sources

- CISA debate, October 27, 2015 ()
- : Hearing about HR 1731 and HR 1560, the House cybersecurity bills, April 21, 2015

Additional Information

- Article: by Eric Geller, The Daily Dot, October 28, 2015.
- Webpage: , Department of Homeland Security.

Music Presented in This Episode

- Intro & Exit: by (found on by mevio)
