Summary: S.2588 — 113th Congress (2013-2014)All Information (Except Text)

Bill summaries are authored by CRS.

Shown Here:
Reported to Senate without amendment (07/10/2014)

(This measure has not been amended since it was introduced. The summary has been expanded because action occurred on the measure.)

Cybersecurity Information Sharing Act of 2014 - (Sec. 3) Requires the Director of National Intelligence (DNI), the Secretary of Homeland Security (DHS), the Secretary of Defense (DOD), and the Attorney General (DOJ) to develop and promulgate procedures for classified and declassified cyber threat indicators in possession of the federal government to be shared in real time with private entities; non-federal government agencies; or state, tribal, or local governments. Provides for the public availability of unclassified indicators.

Directs the DNI to submit such procedures to Congress within 60 days after enactment of this Act.

(Sec. 4) Permits private entities to monitor and operate countermeasures to prevent or mitigate cybersecurity threats or security vulnerabilities on their own information systems and, with written consent, the information systems of other entities and federal entities. Authorizes such entities to monitor information that is stored on, processed by, or transiting such monitored systems.

Allows entities to share and receive indicators and countermeasures with other entities or the federal government.

Permits state, tribal, or local agencies to use shared indicators (with the consent of the agency sharing the indicators) to prevent, investigate, or prosecute computer crimes.

Exempts from antitrust laws private entities that, for cybersecurity purposes, exchange or provide: (1) cyber threat indicators; or (2) assistance relating to the prevention, investigation, or mitigation of cybersecurity threats. Makes such exemption inapplicable to price-fixing, allocating a market between competitors, monopolizing or attempting to monopolize a market, boycotting, or exchanges of price or cost information, customer lists, or information regarding future competitive planning.

(Sec. 5) Directs the Attorney General to promulgate procedures relating to the receipt of indicators and countermeasures by the federal government. Requires such procedures to include an audit capability and appropriate sanctions for federal officers, employees, or agents who conduct unauthorized activities.

Requires the Attorney General to develop, and periodically review, privacy and civil liberties guidelines to limit receipt, retention, use, and dissemination of personal or identifying information.

Directs the DHS Secretary to develop a process for the federal government to: (1) accept cyber threat indicators and countermeasures from entities in an electronic format; and (2) distribute such indicators and countermeasures to appropriate federal entities in real time, simultaneous with receipt. Requires the DHS Secretary to certify to Congress that such capability is fully operational before the process is implemented.

Directs the DHS Secretary to ensure that there is public notice of, and access to, such sharing procedures.

Requires the Federal Bureau of Investigation (FBI) and the DHS Secretary to report to Congress regarding implementation of an automated malware analysis capability, including an assessment of the advisability of transferring the operation of such capability to DHS.

Requires cyber threat indicators and countermeasures shared with the federal government and threat indicators shared with state, tribal, or local agencies to be: (1) deemed voluntarily shared information, and (2) exempt from disclosure and withheld from the public under any laws of such jurisdictions requiring disclosure of information or records.

Authorizes indicators and countermeasures to be disclosed to, retained by, and used by, consistent with otherwise applicable federal law, any federal agency or federal government agent solely for: (1) protecting an information system or information that is stored on, processed by, or transiting an information system from a cybersecurity threat or security vulnerability; (2) responding to, or otherwise preventing or mitigating, an imminent threat of death or serious bodily harm or threat to a minor; or (3) investigating or prosecuting an offense arising out of a threat of death or serious bodily harm, as well as offenses relating to fraud and identity theft, espionage and censorship, and trade secrets.

Prohibits government agencies from using indicators and countermeasures provided to the federal government to regulate the lawful activities of an entity.

(Sec. 6) Provides liability protections to entities acting in accordance with this Act that: (1) monitor information systems, and (2) share and receive indicators and countermeasures. Makes an entity's good faith reliance that conduct was permitted under this Act a complete defense to a cause of action based on such monitoring and sharing activities.

(Sec. 7) Directs appropriate federal entities, at least every two years, to report to Congress concerning the implementation of this Act. Requires such reports to include: (1) an assessment of the impact on privacy and civil liberties; (2) a review of actions taken by the federal government based on shared cyber threat indicators, including the appropriateness of any federal entity's subsequent use or dissemination of such cyber threat indicators; and (3) a description of any significant violations by the federal government.

Requires reports to Congress, at least every two years, by: (1) the Privacy and Civil Liberties Oversight Board; and (2) the DHS, Intelligence Community, DOJ, and DOD Inspectors General regarding shared indicators and countermeasures.

(Sec. 8) Prohibits this Act from requiring an entity to provide information to the federal government.

(Sec. 9) Directs the DNI to report to Congress regarding cybersecurity threats, including cyber attacks, theft, and data breaches. Requires such report to include: (1) an assessment of current U.S. intelligence sharing and cooperation relationships with other countries regarding cybersecurity threats that threaten the U.S. national security interests, economy, and intellectual property; (2) a list countries and non-state actors that are primary threats; (3) a description of the U.S. government's response and prevention capabilities; and (4) an assessment of additional technologies that would enhance U.S. capabilities, including private sector technologies that could be rapidly fielded to assist the intelligence community.

(Sec. 10) Amends the National Defense Authorization Act for Fiscal Year 2013 to authorize the DOD Secretary to share with other federal entities information reported by a cleared defense contractor regarding a penetration of network or information systems.