HR 3523 Status Update

Bill Status Update – Rogers-Ruppersberger Cybersecurity Bill (H.R. 3523)

Please see below the significant changes made to the bill since it was introduced last year – this list includes both amendments adopted at the Committee’s mark-up on Dec 1, 2011, as well as new proposed amendments that would be considered when the bill reaches the House floor. These adopted and proposed changes incorporate input from a wide variety of interested parties.


Issue: Concerns about the breadth of the definition of "cyber threat information" and the reference to intellectual property contained in the definition. (CDT)

Addressed: The bill is intended to defend against advanced cyber threats, such as threats from advanced nation-state actors like China. The definition has therefore been narrowed to remove the term “intellectual property” from all definitions in the bill. This change was made to avoid any misunderstanding and to clarify that the bill is intended to defend against efforts to gain unauthorized access to systems or networks, including efforts to gain such unauthorized access to steal private or government information. The definitions remain technology-neutral in order to be flexible enough to address the rapidly changing cyber threat spectrum; the definitions also remain limited only to information that directly pertains to threats or vulnerabilities of networks or systems. (new proposed amendment)


Issue: Concerns that the bill would authorize the blocking of accounts or block access to websites believed to carry content infringing on intellectual property rights. (CDT/ACLU)

Addressed: The Rogers-Ruppersberger bill does not provide any authority or levy any requirements to block access to accounts or websites, or to remove content. The bill’s authority is limited to the identification, obtaining, and sharing of cyber threat information.

Moreover, as noted above, the term “intellectual property” was removed from all the key definitions in the bill. Relevant provisions were also clarified to focus on the fact that the bill is designed to protect against unauthorized access to networks or systems, including unauthorized access aimed at stealing private or government information. This change was made to avoid any misunderstanding and to clarify that it is intended to defend against advanced cyber threats, such as threats from advanced nation-state actors like China.


Issue: Concerns about the need to make the government accountable for any abuses or misuse of private sector cyber threat information received under the bill’s authorities. (CDT/ACLU)

Addressed: A new provision has been added to permit federal lawsuits against the government for any violation of restrictions placed on the government’s use of voluntarily shared information, including the important privacy and civil liberties protections contained in the bill. Through such a lawsuit, individuals could obtain actual damages, costs, and attorney's fees. (new proposed amendment)

Also, the bill requires an annual review by an independent Inspector General to be submitted to Congress with recommendations for statutory changes to address any privacy and civil liberties concerns.  (Amendment at HPSCI markup on Dec 1, 2011)


Issue: Concerns that DHS should be in charge of all sharing by and with the federal government and that the bill should be clarified to ensure civilian control over cybersecurity. (CDT/ACLU)

Addressed: The bill will be amended to require DHS, with limited exceptions, to receive a copy of all information provided to the government and make DHS a hub for cyber threat information sharing within the government. The bill will also require the Secretary of DHS to be consulted by the DNI in developing intelligence sharing guidelines and security clearance procedures to ensure that critical infrastructure owners and operators can have access to all appropriate information. (new proposed amendments)

The bill has also been amended to make clear that no new authorities are provided to the Department of Defense or the Intelligence Community, including the National Security Agency, to direct, require, or control any private or public sector cybersecurity efforts.  (new proposed amendment)


Issue: Concerns that the bill’s authorities may be abused by the government to conduct surveillance. (CDT/ACLU)

Addressed: The Rogers-Ruppersberger bill was amended at mark-up in December to include an anti-tasking provision similar to the Center for Democracy and Technology's own legislative proposal. In fact, the anti-tasking provision added to the Rogers-Ruppersberger bill is stronger than the CDT proposal because it explicitly prohibits the government from conditioning its sharing of cyber threat intelligence on the sharing of private sector information with the government. (Amendment at HPSCI markup on Dec 1, 2011)


Issue: Concerns about the level of oversight of the government’s use of private sector cyber threat information received under the bill’s authorities. (The Constitution Project)

Addressed: The Rogers-Ruppersberger bill was amended at mark-up in December to replace the annual report by the Privacy and Civil Liberties Oversight Board (which currently lacks any confirmed members) with an annual report to be submitted to Congress by an independent Inspector General. The new provision also goes further to specifically identify multiple areas of focus for the report with respect to the government’s use of voluntarily shared information and includes a requirement that the independent Inspector General provide recommendations to Congress for changes to the legislation to better protect privacy and civil liberties. (Amendment at HPSCI markup on Dec 1, 2011)


Issue: Concerns that the bill was not clear that utilities—particularly public or quasi-public utilities like the Tennessee Valley Authority and others—could obtain and protect classified cyber threat intelligence. (utility companies)

Addressed: The term “utilities” has been added to the types of entities that can receive classified cyber threat intelligence, and provisions have been added to ensure that such classified cyber threat intelligence can still be protected. (new proposed amendment)


Issue: Concerns that the government’s use of voluntarily shared information was too broad, and suggestions that the government's use of shared information should be limited to only cybersecurity purposes or the prosecution of cybersecurity crimes. (CDT/ACLU)

Addressed: The Rogers-Ruppersberger bill limits the government's use of information by preventing the government from using the information for any other lawful purpose unless the government already has a significant cybersecurity or national security purpose in using the information. A stricter limitation would force the government to ignore significant information, such as a threat to the safety of a child, that it finds in otherwise appropriately shared cyber threat information. (Amendment at HPSCI markup on Dec 1, 2011)

In addition, under the legislation, the government is prohibited from affirmatively searching any information it receives for purposes other than cybersecurity or national security. (Amendment at HPSCI markup on Dec 1, 2011)


Issue: Concerns that the bill does not require the private sector to strip off any personally identifiable information before sharing with the government. (CDT)

Addressed: The bill permits the private sector to choose what it shares and permits and encourages the private sector to anonymize and minimize shared information. Because the bill is completely voluntary, it imposes no mandates on the private sector, including any requirement to strip information. Requiring minimization in all circumstances would impose a significant unfunded mandate on the private sector and would also likely prevent the private sector from sharing critically important cyber threat information, including information about how a particular attack is being carried out.

The executive branch may, of course, still develop reasonable procedures to protect any such information voluntarily shared with the government.