BAG14503 Discussion Draft S.L.C.
113TH CONGRESS 2D SESSION S. ll
To improve cybersecurity in the United States through enhanced sharing
of information about cybersecurity threats, and for other purposes.
IN THE SENATE OF THE UNITED STATES
llllllllll
llllllllll introduced the following bill; which was read twice and referred to the Committee on llllllllll
A BILL
To improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes.
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) SHORT TITLE.—This Act may be cited as the ‘‘Cybersecurity Information Sharing Act of 2014’’.
(b) TABLE OF CONTENTS.—The table of contents of this Act is as follows:
Sec. 1. Short title; table of contents.
Sec. 2. Definitions.
Sec. 3. Sharing of information by the Federal Government.
Sec. 4. Authorizations for preventing, detecting, analyzing, and mitigating cybersecurity threats.
Sec. 5. Sharing of cyber threat indicators and countermeasures with the Federal Government.
Sec. 6. Protection from liability.
Sec. 7. Oversight of Government activities.
Sec. 8. Construction and preemption.
Sec. 9. Conforming amendments.
SEC. 2. DEFINITIONS.
In this Act:
(1) AGENCY.—The term ‘‘agency’’ has the meaning given the term in section 3502 of title 44, United States Code.
(2) ANTITRUST LAWS.—The term ‘‘antitrust laws’’—
(A) has the meaning given the term in section 1(a) of the Clayton Act (15 U.S.C. 12(a));
(B) includes section 5 of the Federal Trade Commission Act (15 U.S.C. 45) to the extent that section 5 of that Act applies to unfair methods of competition; and
(C) includes any State law that has the same intent and effect as the laws under subparagraphs (A) and (B).
(3) APPROPRIATE FEDERAL ENTITIES.—The term ‘‘appropriate Federal entities’’ means the following:
(A) The Department of Commerce.
(B) The Department of Defense.
(C) The Department of Energy.
(D) The Department of Homeland Security.
(E) The Department of Justice.
(F) The Department of the Treasury.
(G) The Office of the Director of National Intelligence.
(4) COUNTERINTELLIGENCE.—The term ‘‘counterintelligence’’ has the meaning given the term in section 3 of the National Security Act of 1947 (50 U.S.C. 3003).
(5) COUNTERMEASURE.—The term ‘‘countermeasure’’ means an action, device, procedure, technique, or other measure applied to an information system or information that is stored on, processed by, or transiting an information system that prevents or mitigates a cybersecurity threat or security vulnerability.
(6) CYBERSECURITY PURPOSE.—The term ‘‘cybersecurity purpose’’ means the purpose of protecting an information system or information that is stored on, processed by, or transiting an information system from a cybersecurity threat or security vulnerability.
(7) CYBERSECURITY THREAT.—The term ‘‘cybersecurity threat’’ means an action, not protected by the First Amendment to the Constitution of the United States, on or through an information system that may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system.
(8) CYBER THREAT INDICATOR.—The term ‘‘cyber threat indicator’’ means information that indicates, describes, or is necessary to identify—
(A) malicious reconnaissance, including anomalous patterns of communications that appear to be transmitted for the purpose of gathering technical information related to a cybersecurity threat or security vulnerability;
(B) a method of defeating a security control or exploitation of a security vulnerability;
(C) a security vulnerability;
(D) a method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system to unwittingly enable the defeat of a security control or exploitation of a security vulnerability;
(E) malicious cyber command and control;
(F) the actual or potential harm caused by an incident, including information exfiltrated when it is necessary in order to describe a cybersecurity threat;
(G) any other attribute of a cybersecurity threat, if disclosure of such attribute is not otherwise prohibited by law; or
(H) any combination thereof.
(9) ELECTRONIC FORMAT.—
(A) IN GENERAL.—Except as provided in subparagraph (B), the term ‘‘electronic format’’ means information that is shared through electronic mail, an interactive form on an Internet website, or a real time, automated process between information systems.
(B) EXCLUSION.—The term ‘‘electronic format’’ does not include voice or video communication.
(10) ENTITY.—
(A) IN GENERAL.—The term ‘‘entity’’ means any private entity, non-Federal government agency or department, or State, tribal, or local government agency or department (including a political subdivision, officer, employee, or agent thereof).
(B) INCLUSIONS.—The term ‘‘entity’’ includes a government agency or department (including an officer, employee, or agent thereof) of the District of Columbia, the Commonwealth of Puerto Rico, the Virgin Islands, Guam, American Samoa, the Northern Mariana Islands, and any other territory or possession of the United States.
(C) EXCLUSION.—The term ‘‘entity’’ does not include a foreign power as defined in section 101(a) of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801).
(11) FEDERAL ENTITY.—The term ‘‘Federal entity’’ means a department or agency of the United States, or any component, officer, employee, or agent of such a department or agency.
(12) FOREIGN INTELLIGENCE.—The term ‘‘foreign intelligence’’ has the meaning given the term in section (3) of the National Security Act of 1947 (50 U.S.C. 3003).
(13) INFORMATION SYSTEM.—The term ‘‘information system’’—
(A) has the meaning given the term in section 3502 of title 44, United States Code; and
(B) includes industrial control systems, such as supervisory control and data acquisition systems, distributed control systems, and programmable logic controllers.
(14) LOCAL GOVERNMENT.—The term ‘‘local government’’ means any borough, city, county, parish, town, township, village, or other political subdivision of a State.
(15) MALICIOUS CYBER COMMAND AND CONTROL.—The term ‘‘malicious cyber command and control’’ means a method for unauthorized remote identification of, access to, or use of, an information system or information that is stored on, processed by, or transiting an information system.
(16) MALICIOUS RECONNAISSANCE.—The term ‘‘malicious reconnaissance’’ means a method for actively probing or passively monitoring an information system for the purpose of discerning security vulnerabilities of the information system, if such method is associated with a known or suspected cybersecurity threat.
(17) MONITOR.—The term ‘‘monitor’’ means to obtain, identify, or otherwise possess information that is stored on, processed by, or transiting an information system.
(18) PRIVATE ENTITY.—
(A) IN GENERAL.—The term ‘‘private entity’’ means any individual or private group, organization, proprietorship, partnership, trust, cooperative, corporation, or other commercial or nonprofit entity, including an officer, employee, or agent thereof.
(B) EXCLUSION.—The term ‘‘private entity’’ does not include a foreign power as defined in section 101(a) of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801).
(19) SECURITY CONTROL.—The term ‘‘security control’’ means the management, operational, and technical controls used to protect the confidentiality, integrity, and availability of an information system or its information.
(20) SECURITY VULNERABILITY.—The term ‘‘security vulnerability’’ means any attribute of hardware, software, process, or procedure that could enable or facilitate the defeat of a security control.
(21) TRIBAL.—The term ‘‘tribal’’ has the meaning given the term ‘‘Indian tribe’’ in section 4 of the Indian Self-Determination and Education Assistance Act (25 U.S.C. 450b).
(22) UNITED STATES PERSON.—The term ‘‘United States person’’ has the meaning given the term in section 101(i) of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801).
SEC. 3. SHARING OF INFORMATION BY THE FEDERAL GOVERNMENT.
(a) IN GENERAL.—Consistent with the protection of intelligence sources and methods and the protection of privacy and civil liberties, the Director of National Intelligence, the Secretary of Homeland Security, the Secretary of Defense, and the Attorney General, in consultation with the heads of the appropriate Federal agencies, shall develop and promulgate procedures to facilitate and promote—
(1) the timely sharing of classified cyber threat indicators in the possession of the Federal Government with cleared representatives of appropriate entities;
(2) the timely sharing with appropriate entities of cyber threat indicators or information in the possession of the Federal Government that may be declassified and shared at an unclassified level; and
(3) the sharing with appropriate entities, or, if appropriate, public availability, of unclassified, in-