
Protecting Cyber Networks Act

From Wikipedia, the free encyclopedia
Long title: To improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, to amend the Homeland Security Act of 2002 to enhance multi-directional sharing of information related to cybersecurity risks and strengthen privacy and civil liberties protections, and for other purposes.
Acronyms (colloquial): PCNA
Announced in: the 114th United States Congress
Sponsored by: Devin Nunes
Number of co-sponsors: 8
Codification
Acts affected: National Security Act of 1947, Intelligence Reform and Terrorism Prevention Act of 2004, Homeland Security Act of 2002
Titles affected: 50 U.S.C. § 3021, 5 U.S.C. § 552, 42 U.S.C. § 2000ee, 6 U.S.C. § 148
Agencies affected: Office of the Director of National Intelligence, United States Attorney General, Inspector General of the Department of Homeland Security, Inspector General of the Intelligence Community, Inspector General of the Department of Justice, Inspector General of the Department of Defense, Council of Inspectors General on Financial Oversight, Under Secretary for Cybersecurity and Infrastructure Protection

The Protecting Cyber Networks Act (H.R. 1560) is a bill introduced in the 114th Congress by Rep. Devin Nunes (R-CA), chairman of the House Permanent Select Committee on Intelligence.[1] The legislation would allow companies and the government to share information concerning cyber threats. To overcome privacy concerns, the bill expressly forbids companies from sharing information with the National Security Agency (NSA) or Department of Defense (DOD).[2]

Background


A number of major hacking events occurred in 2014 and 2015:[3]

  • In April 2014, Home Depot's computer systems were breached by hackers who stole the credit card accounts and email addresses of tens of millions of people.
  • In November 2014, hackers infiltrated Sony Pictures' systems and were able to get access to confidential employee and corporate information.
  • In January 2015, Anthem was hacked.
  • In April 2015, Premera Blue Cross had its system compromised. A threat existed that hackers might have accessed the medical and financial information of 11 million people.

Additionally, major U.S. businesses including Target[4] and JPMorganChase[5] have been victims of large-scale cyberattacks resulting in the theft of customer identity information.

The legislation was introduced as a response to threats posed by these and other cyberattacks. On April 22, 2015, The Hill newspaper wrote, "Congress has contemplated some form of this law for nearly five years. But catastrophic data breaches within the last year have laid bare hundreds of millions of Americans' credit card data and Social Security numbers, raising public awareness and putting the onus on Capitol Hill to act."[6]

Legislative history


On March 19, 2015, the House Permanent Select Committee on Intelligence held a hearing called "Growing Cyber Threat and its Impact on American Business." In his opening remarks as the committee's chairman, Nunes stated that U.S. companies and American consumers must feel confident that their confidential information stored on IT systems is secure. He said that in light of the major cyber attacks in 2014 and 2015, there is little assurance that personal and corporate information is safe. He said that for those reasons, Congress needs to strengthen the security of the country's digital infrastructure by creating better methods for businesses and the government to share information on cyber threats.[3]

Five days later, Nunes introduced H.R. 1560: Protecting Cyber Networks Act. On April 13, the House Permanent Select Committee on Intelligence passed an amended version of the bill. On April 22, the House passed the bill by a vote of 307-116. Before final passage of the bill, the House passed an amendment from Rep. Andre Carson (D-Ind.) that would require the inspector general to report on how agencies remove personal information from the information they receive. The amendment was proposed in response to concerns from privacy advocates, including many Democratic House members.[6]

After passage in the House, the bill was sent to the Senate. As of June 28, 2016, the Senate had not taken action on the bill.[7] However, a companion bill exists in the Senate: the Cybersecurity Information Sharing Act (CISA, S. 754).[8] On October 27, 2015, the Senate approved S. 754 by a vote of 74-21.[9]

Major provisions


Information sharing


The Protecting Cyber Networks Act (PCNA) would allow companies to share certain information with other companies and the government. They would be allowed to share only cybersecurity information; that is, information concerning the protection of their own systems.[2]

PCNA would require the Director of National Intelligence to create regulations that would allow sharing the following types of information:[10]

  • classified cyber threat indicators with representatives of the private sector with appropriate security clearances;
  • classified cyber threat indicators that may be declassified and shared at an unclassified level; and
  • any information in the possession of the Federal Government about imminent or ongoing cyber threats that may allow private companies to prevent or mitigate those threats.

The bill requires the President to submit to Congress policies and procedures on how the government should receive threat indicators when submitted by the private sector, as well as how to develop defensive measures within the federal government. It would require that agencies that receive threat information share it in real time with other relevant agencies.[10]

Defensive protection


The legislation gives private companies the authority to go on the counter-offensive against hackers, meaning a company that was hacked could perform more assertive defensive measures than are currently allowed under the law. However, companies would not be allowed to hack back into other systems or manipulate systems for which they do not have consent to control.[2]

According to the official legislative summary of the bill, the bill "Permits private entities to monitor or operate defensive measures to prevent or mitigate cybersecurity threats or security vulnerabilities, or to identify the source of a threat, on: (1) their own information systems; and (2) with written authorization, the information systems of other private or government entities."[11]

Privacy


PCNA includes safeguards that support privacy. For example, the bill requires that companies scrub "unrelated" data of personally identifying information before they send the information to the government. Once government agencies receive the information, the agencies must examine it to ensure that no personally identifiable information is included.[12]

Liability


The bill offers protection from liability for companies that share cybersecurity information and do so lawfully under the bill's provisions.[10]

Support


The White House supports the legislation.[12]

The legislation also received public support from the following organizations:[13]

  • Agricultural Retailers Association (ARA)
  • Airlines for America (A4A)
  • Alliance of Automobile Manufacturers
  • American Bankers Association (ABA)
  • American Cable Association (ACA)
  • American Council of Life Insurers (ACLI)
  • American Fuel & Petrochemical Manufacturers (AFPM)
  • American Gaming Association
  • American Gas Association (AGA)
  • American Insurance Association (AIA)
  • American Petroleum Institute (API)
  • American Public Power Association (APPA)
  • American Water Works Association (AWWA)
  • ASIS International
  • Association of American Railroads (AAR)
  • BITS–Financial Services Roundtable
  • College of Healthcare Information Management Executives (CHIME)
  • CompTIA–The Computing Technology Industry Association
  • CTIA–The Wireless Association
  • Edison Electric Institute (EEI)
  • Federation of American Hospitals (FAH)
  • Food Marketing Institute (FMI)
  • GridWise Alliance
  • HIMSS–Healthcare Information and Management Systems Society
  • HITRUST–Health Information Trust Alliance
  • Large Public Power Council (LPPC)
  • National Association of Chemical Distributors (NACD)
  • National Association of Manufacturers (NAM)
  • National Association of Mutual Insurance Companies (NAMIC)
  • National Association of Water Companies (NAWC)
  • National Business Coalition on e-Commerce & Privacy
  • National Cable & Telecommunications Association (NCTA)
  • National Rural Electric Cooperative Association (NRECA)
  • NTCA–The Rural Broadband Association
  • Property Casualty Insurers Association of America (PCI)
  • The Real Estate Roundtable
  • Securities Industry and Financial Markets Association (SIFMA)
  • Society of Chemical Manufacturers & Affiliates (SOCMA)
  • Telecommunications Industry Association (TIA)
  • Transmission Access Policy Study Group (TAPS)
  • United States Telecom Association (USTelecom)
  • U.S. Chamber of Commerce
  • Utilities Telecom Council (UTC)

Opposition


Fifty-five civil liberties groups and security experts publicly opposed the legislation in a signed letter to Congress. "PCNA would significantly increase the National Security Agency's (NSA's) access to personal information, and authorize the federal government to use that information for a myriad of purposes unrelated to cybersecurity," the letter stated.[12]

According to the House Permanent Select Committee on Intelligence, the PCNA expressly forbids companies from sharing information with the National Security Agency (NSA) or Department of Defense (DOD).[2]

A group called Access along with the ACLU and several other groups launched a website called StopCyberspying.com. The site has a petition to the President to reconsider a veto of PCNA or the Senate version of the bill.[12]

The civil liberties groups that oppose the bill are:[12]

  • Access
  • Advocacy for Principled Action in Government
  • American-Arab Anti-Discrimination Committee
  • American Civil Liberties Union
  • American Library Association
  • Association of Research Libraries
  • Bill of Rights Defense Committee
  • Brennan Center for Justice
  • Center for Democracy & Technology
  • Center for National Security Studies
  • Constitutional Alliance
  • The Constitution Project
  • Council on American-Islamic Relations
  • Cyber Privacy Project
  • Defending Dissent Foundation
  • Demand Progress
  • DownSizeDC.org
  • Electronic Frontier Foundation
  • Fight for the Future
  • Freedom of the Press Foundation
  • FreedomWorks
  • Free Press Action Fund
  • Government Accountability Project
  • Hackers/Founders
  • Human Rights Watch
  • Liberty Coalition
  • Media Alliance
  • National Association of Criminal Defense Lawyers
  • New America's Open Technology Institute
  • OpenTheGovernment.org
  • PEN American Center
  • Restore the Fourth
  • R Street
  • Student Net Alliance
  • Venture Politics
  • X-Lab

References

  1. Nunes, Devin (July 14, 2016). "H.R.1560 - 114th Congress (2015-2016): Protecting Cyber Networks Act". www.congress.gov.
  2. "Archived copy" (PDF). Archived from the original (PDF) on 2016-09-07. Retrieved 2016-06-28.
  3. "Archived copy" (PDF). Archived from the original (PDF) on 2016-09-07. Retrieved 2016-06-28.
  4. "Cyberattack that hit Target affecting 1,000 US businesses". The Boston Globe. Retrieved 2016-06-28.
  5. "What lies behind the JPMorgan Chase cyber-attack". The Economist. ISSN 0013-0613. Retrieved 2016-06-28.
  6. Marcos, Cristina (2015-04-22). "House passes cybersecurity bill". The Hill. Retrieved 2016-06-28.
  7. "H.R. 1560 - Bill Actions". Congress.gov. Retrieved 2016-06-28.
  8. "Coalition Letter from 55 Civil Society Groups and Security Experts and Academics Opposing PCNA" (PDF). Newsamerica.org. Retrieved 2016-06-28.
  9. "S. 754 - Bill Actions". Congress.gov. Retrieved 2016-06-28.
  10. "Archived copy" (PDF). Archived from the original (PDF) on 2016-09-07. Retrieved 2016-06-28.
  11. "H.R. 1560". Congress.gov. Retrieved 2016-06-28.
  12. "House Passes Cybersecurity Bill Despite Privacy Protests". Wired Magazine. Retrieved 2016-06-28.
  13. "Senate Cybersecurity Information Sharing" (PDF). Edison Electric Institute. Retrieved 2016-06-28.