Thursday, December 1, 2011

HR 3523 Introduced – Cybersecurity Intelligence Sharing

Yesterday Rep. Rogers (R,MI) introduced HR 3523, the Cyber Intelligence Sharing and Protection Act of 2011 (Note: the text of the bill is not yet available on the GPO site, but it is available on but there are no permanent links on that site) [Here is the link to the bill text -; Thanks to Chris Jager for info on how to get permanent link on; Updated 07:57 CST]. The bill would require the Director of National Intelligence (DNI) to “establish procedures to allow elements of the intelligence community to share cyber threat intelligence with private-sector entities and to encourage the sharing of such intelligence” {§1104(a)(1)}.

New Class of Disclosure

Current law already allows sharing of intelligence information, at the discretion of the intel community, with people in the private sector with the appropriate Need-To-Know and the proper security clearance. This bill would expand that discretion and allow for sharing with ‘certified entities’ even if they currently have no security clearances. It still would require the protection of the shared “cyber threat intelligence from unauthorized disclosure” {§1104(a)(2)(C)}

A ‘certified entity’ is a cybersecurity provider, protected entity (someone who has hired a cybersecurity provider to provide protect their system), or a self-protected entity (someone who has cybersecurity providers in-house). There are two important caveats to this definition; the certified entity {§1104(f)(1)}:

“[P]ossesses or is eligible to obtain a security clearance, as determined by the Director of National Intelligence; and

“[I]s able to demonstrate to the Director of National Intelligence that such provider or such entity can appropriately protect classified cyber threat intelligence.”

The difference between ‘possesses’ and ‘is eligible to obtain’ is an important quibble. There are long delays in getting security clearances approved and they are not handed out to the private sector unless there is a need for them. This would allow an intel agency to disclose actionable intelligence to a cyber-target with a minimal security check.

Would Cover ICS

The definition of cybersecurity system included in this bill is very broad and contains none of the code words that would restrict it to information systems. Theft or misappropriation of information is included as one of things to be protected against, but only after “efforts to degrade, disrupt or destroy” {§1104(f)(5)(A)} the system is listed.

Sharing is a Two-Way Street

This bill recognizes that sharing information would also include cybersecurity intelligence information flowing back to the intelligence community. It specifically includes three very important protections for covered entities that provide that intelligence; the information shall {§1104(b)(2)(C)}:

“[B]e exempt from disclosure under section 552 of title 5, United States Code [Freedom of Information Act];

“[B]e considered proprietary information and shall not be disclosed to an entity outside of the Federal Government except as authorized by the entity sharing such information; and

“[N]ot be used by the Federal Government for regulatory purposes.”

It does not, however, include such disclosures in any of the recognized categories of protected information. Specifically, it does not protect the information under classified information rules or any one of a number of Sensitive But Unclassified categories that are currently undergoing review. This would potentially leave the shared information open to disclosure in court cases, for instance.

The bill was referred to the House Select Committee on Intelligence for consideration and review; that likely means that at least some Committee hearings on this bill would take place behind closed doors.

No comments:

/* Use this with templates/template-twocol.html */