Bill Status Update - H.R. 3523
Bill Status Update – Rogers-Ruppersberger Cybersecurity Bill (H.R. 3523)
Please see below the significant changes made to the bill since it was introduced last year – this list includes both amendments adopted at the Committee’s mark-up on Dec 1, 2011, as well as new proposed amendments that would be considered when the bill reaches the House floor. These adopted and proposed changes incorporate input from a wide variety of interested parties.
Issue: Concerns about the breadth of the definition of "cyber threat information" and the reference to intellectual property contained in the definition. (CDT)
Issue: Concerns that the bill would authorize the blocking of accounts or of access to websites believed to carry content that infringes intellectual property rights. (CDT/ACLU)
Addressed: The Rogers-Ruppersberger bill does not provide any authority or levy any requirements to block access to accounts or websites, or to remove content. The bill’s authority is limited to the identification, obtaining, and sharing of cyber threat information.
Moreover, to address the concern about the definition of "cyber threat information," the term “intellectual property” was removed from all the key definitions in the bill. Relevant provisions were also clarified to make clear that the bill is designed to protect against unauthorized access to networks or systems, including unauthorized access aimed at stealing private or government information. This change was made to avoid any misunderstanding and to clarify that the bill is intended to defend against advanced cyber threats, such as threats from advanced nation-state actors like China.
Also, the bill requires an annual review by an independent Inspector General to be submitted to Congress with recommendations for statutory changes to address any privacy and civil liberties concerns. (Amendment at HPSCI markup on Dec 1, 2011)
Issue: Concerns that DHS should be in charge of all sharing by and with the federal government and that the bill should be clarified to ensure civilian control over cybersecurity. (CDT/ACLU)
Addressed: The bill will be amended to require DHS, with limited exceptions, to receive a copy of all information provided to the government and make DHS a hub for cyber threat information sharing within the government. The bill will also require the Secretary of DHS to be consulted by the DNI in developing intelligence sharing guidelines and security clearance procedures to ensure that critical infrastructure owners and operators can have access to all appropriate information. (new proposed amendments)
The bill has also been amended to make clear that no new authorities are provided to the Department of Defense or the Intelligence Community, including the National Security Agency, to direct, require, or control any private or public sector cybersecurity efforts. (new proposed amendment)
Issue: Concerns that the bill’s authorities may be abused by the government to conduct surveillance. (CDT/ACLU)
Issue: Concerns about the level of oversight of the government’s use of private sector cyber threat information received under the bill’s authorities. (The Constitution Project)
Addressed: The Rogers-Ruppersberger bill was amended at mark-up in December to replace the annual report by the Privacy and Civil Liberties Oversight Board (which currently lacks any confirmed members) with an annual report to be submitted to Congress by an independent Inspector General. The new provision goes further by specifically identifying multiple areas of focus for the report with respect to the government’s use of voluntarily shared information, and it requires the independent Inspector General to provide recommendations to Congress for changes to the legislation to better protect privacy and civil liberties. (Amendment at HPSCI markup on Dec 1, 2011)
Issue: Concerns that the bill was not clear that utilities—particularly public or quasi-public utilities like the Tennessee Valley Authority and others—could obtain and protect classified cyber threat intelligence. (utility companies)
Addressed: The term “utilities” has been added to the types of entities that can receive classified cyber threat intelligence and provisions added to ensure that such classified cyber threat intelligence can still be protected. (new proposed amendment)
Issue: Concerns that the government’s use of voluntarily shared information was too broad and suggestions that the government's use of shared information should be limited to only cybersecurity purposes or the prosecution of cybersecurity crimes (CDT/ACLU).
Addressed: The Rogers-Ruppersberger bill limits the government's use of information by preventing the government from using the information for any other lawful purpose unless the government already has a significant cybersecurity or national security purpose in using the information. To create a more aggressive, strict limitation would force the government to ignore significant information, such as a threat to the safety of a child, that it finds in otherwise appropriately shared cyber threat information. (Amendment at HPSCI markup on Dec 1, 2011)
In addition, under the legislation, the government is prohibited from affirmatively searching any information it receives for other than cybersecurity or national security purposes. (Amendment at HPSCI markup on Dec 1, 2011)
Issue: Concerns that the bill does not require the private sector to strip out personally identifiable information before sharing with the government. (CDT)
Addressed: The bill permits the private sector to choose what it shares and permits and encourages the private sector to anonymize and minimize shared information. Because the bill is completely voluntary, it does not mandate anything from the private sector, including mandatory stripping of information. Requiring minimization in all circumstances would impose a significant unfunded mandate on the private sector and would also likely prevent the private sector from sharing critically important cyber threat information including information about how a particular attack is being carried out.
The executive branch may, of course, still develop reasonable procedures to protect any such information voluntarily shared with the government.