Late yesterday, the House sponsors of the CISPA cybersecurity legislation (to be considered tomorrow) announced a series of amendments to the bill intended to address some of the concerns advanced by privacy and civil liberties groups. To quote from their press release:
Minimization, Retention, and Notification Amendment: An amendment will be filed today that would:
- Provide clear authority to the Federal Government to undertake reasonable efforts to limit the impact on privacy and civil liberties of the sharing of cyber threat information with the government, consistent with the need of the government to protect federal systems and cybersecurity.
- Prohibit the Federal Government from retaining or using information other than for the purposes specified in the legislation.
- Require the Federal Government to notify an entity voluntarily sharing cyber threat information with the government if the government determines that the shared information is not in fact cyber threat information.
Use Amendment: An amendment will be filed today that would significantly tighten the bill’s current limitation on the Federal Government’s use of cyber threat information that is voluntarily provided by the private sector. The amendment strictly limits the Federal Government’s use of voluntarily shared cyber threat information to the following five purposes:
- Cybersecurity purposes;
- Investigation and prosecution of cybersecurity crimes;
- Protection of individuals from the danger of death or serious bodily harm, including the investigation and prosecution of crimes involving such danger of death or serious bodily harm;
- Protection of minors from child pornography, any risk of sexual exploitation, and serious threats to the physical safety of a minor, including kidnapping and trafficking, including the investigation and prosecution of crimes involving child pornography, any risk of sexual exploitation, and serious threats to the physical safety of a minor, including kidnapping and trafficking, and any crime referred to in 18 USC 2258A(a)(2); and
- Protection of the national security of the United States.
Definitions Amendment: An amendment will be filed today that would tighten the bill’s definitions to narrow what cyber threat information may be identified, obtained, and shared, as well as the purposes for which such information may be identified, obtained and shared. The new definitions are limited to information that directly pertains to:
- A vulnerability of a system or network of a government or private entity;
- A threat to the integrity, confidentiality or availability of such system or network or any information stored on, processed on, or transiting such system or network;
- Efforts to degrade, disrupt or destroy such system or network; and
- Efforts to gain unauthorized access to a system or network, including to gain such unauthorized access for the purpose of exfiltrating information stored on, processed on, or transiting such system or network, but not including efforts to gain such unauthorized access solely involving violations of consumer terms of service or consumer licensing agreements.
Amendments to Limit Federal Government Use of Cybersecurity Systems: Two amendments will be filed today that would make clear (1) that nothing in this bill would alter existing authorities or provide new authority to any entity to use a federal government owned or operated cybersecurity system on a private sector system or network to protect such system or network; and (2) that the liability provision of the bill extends only to the authorities granted in the legislation. These amendments are designed to clear up any misunderstandings regarding private sector use of cybersecurity systems under the bill.
Links to the text of the several amendments can be found here.