Title: Cyber Intelligence Sharing and Protection Act
Vote Smart's Synopsis:
Vote to pass a bill that authorizes private-sector entities, utilities, and the federal government to share cyber threat information with each other.
- Authorizes an “element of the intelligence community” to share classified cyber threat intelligence with certified private-sector entities and utilities, and with individuals holding a security clearance that authorizes them to receive the cyber threat information, if the information is shared as follows (Sec. 3):
  - The information is shared for the national security of the United States;
  - The information is used in a manner which protects the information from unauthorized disclosure; and
  - The information is used, retained, or further disclosed for cybersecurity purposes.
- Requires the Director of National Intelligence to establish procedures for sharing "cyber threat information" with private-sector entities and utilities within 60 days of the enactment of this bill (Sec. 3).
- Defines “cyber threat information” as any government, private entity, or utility’s system or network information regarding the following (Sec. 3):
  - A vulnerability of the system or network;
  - A threat to the integrity, confidentiality, or availability of the information stored, processed or transiting on the system or network;
  - Efforts to deny access to or degrade, disrupt, or destroy the system or network; or
  - Efforts to gain unauthorized access to the system or network.
- Prohibits a private-sector entity that receives cyber threat intelligence from disclosing the intelligence to another entity, unless the other entity is authorized to receive the cyber threat information (Sec. 3).
- Authorizes cybersecurity providers, with the express consent of a “protected entity,” to identify and obtain cyber threat information and to share the information with any other entity designated by the protected entity, including the Department of Homeland Security and the Department of Justice (Sec. 3).
- Authorizes a “self-protected entity” to identify and obtain cyber threat information and to share the information with any other entity, including the Department of Homeland Security and the Department of Justice (Sec. 3).
- Defines “protected entity” as an entity, other than an individual, that contracts with a cybersecurity provider for cybersecurity goods or services (Sec. 3).
- Defines “self-protected entity” as an entity, other than an individual, that provides cybersecurity goods or services to itself (Sec. 3).
- Prohibits the federal government from using cyber threat information for regulatory purposes (Sec. 3).
- Authorizes the federal government to use cyber threat information for the following purposes (Sec. 3):
  - For cybersecurity purposes;
  - For the investigation and prosecution of cybersecurity crimes;
  - For the protection of individuals from death or serious bodily harm; and
  - For the protection of minors from threats including child pornography, sexual exploitation, and kidnapping.
- Prohibits the federal government from using certain information to pursue cyber threats if the information that is shared with the government contains personal identifying information, including the following information (Sec. 3):
  - Library circulation records and patron lists;
  - Book sales records and customer lists;
  - Firearms sales records;
  - Tax returns;
  - Educational records; or
  - Medical records.
- Exempts protected entities, self-protected entities, cybersecurity providers, and their officers, employees, or agents from civil or criminal liability for identifying, obtaining, or sharing cyber threat information in “good faith” (Sec. 3).
- Specifies that a lack of good faith includes any act or omission taken with the intent to injure, defraud, or otherwise endanger any individual, government entity, private entity, or utility (Sec. 3).
- Specifies that the federal government is considered to be liable if a department or agency of the federal government “intentionally or willfully” violates a provision of this bill and requires the government to pay the following penalties (Sec. 3):
  - The greater of the actual damages sustained or $1,000; and
  - The cost of the action with attorney fees as determined by the court.
- Specifies that nothing in this bill authorizes the Department of Defense, the National Security Agency, or other element of the intelligence community to target a United States citizen for surveillance (Sec. 3).