[Congressional Bills 113th Congress]
[From the U.S. Government Publishing Office]
[S. 2588 Placed on Calendar Senate (PCS)]

                                                       Calendar No. 462
113th CONGRESS
  2d Session
                                S. 2588

To improve cybersecurity in the United States through enhanced sharing 
  of information about cybersecurity threats, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             July 10, 2014

Mrs. Feinstein, from the Select Committee on Intelligence, reported the 
    following original bill; which was read twice and placed on the 
                                calendar

_______________________________________________________________________

                                 A BILL


 
To improve cybersecurity in the United States through enhanced sharing 
  of information about cybersecurity threats, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

    (a) Short Title.--This Act may be cited as the ``Cybersecurity 
Information Sharing Act of 2014''.
    (b) Table of Contents.--The table of contents of this Act is as 
follows:

Sec. 1. Short title; table of contents.
Sec. 2. Definitions.
Sec. 3. Sharing of information by the Federal Government.
Sec. 4. Authorizations for preventing, detecting, analyzing, and 
                            mitigating cybersecurity threats.
Sec. 5. Sharing of cyber threat indicators and countermeasures with the 
                            Federal Government.
Sec. 6. Protection from liability.
Sec. 7. Oversight of Government activities.
Sec. 8. Construction and preemption.
Sec. 9. Report on cybersecurity threats.
Sec. 10. Conforming amendments.

SEC. 2. DEFINITIONS.

    In this Act:
            (1) Agency.--The term ``agency'' has the meaning given the 
        term in section 3502 of title 44, United States Code.
            (2) Antitrust laws.--The term ``antitrust laws''--
                    (A) has the meaning given the term in section 1(a) 
                of the Clayton Act (15 U.S.C. 12(a));
                    (B) includes section 5 of the Federal Trade 
                Commission Act (15 U.S.C. 45) to the extent that 
                section 5 of that Act applies to unfair methods of 
                competition; and
                    (C) includes any State law that has the same intent 
                and effect as the laws under subparagraphs (A) and (B).
            (3) Appropriate federal entities.--The term ``appropriate 
        Federal entities'' means the following:
                    (A) The Department of Commerce.
                    (B) The Department of Defense.
                    (C) The Department of Energy.
                    (D) The Department of Homeland Security.
                    (E) The Department of Justice.
                    (F) The Department of the Treasury.
                    (G) The Office of the Director of National 
                Intelligence.
            (4) Countermeasure.--The term ``countermeasure'' means an 
        action, device, procedure, technique, or other measure applied 
        to an information system or information that is stored on, 
        processed by, or transiting an information system that prevents 
        or mitigates a known or suspected cybersecurity threat or 
        security vulnerability.
            (5) Cybersecurity purpose.--The term ``cybersecurity 
        purpose'' means the purpose of protecting an information system 
        or information that is stored on, processed by, or transiting 
        an information system from a cybersecurity threat or security 
        vulnerability.
            (6) Cybersecurity threat.--The term ``cybersecurity 
        threat'' means an action, not protected by the First Amendment 
        to the Constitution of the United States, on or through an 
        information system that may result in an unauthorized effort to 
        adversely impact the security, availability, confidentiality, 
        or integrity of an information system or information that is 
        stored on, processed by, or transiting an information system.
            (7) Cyber threat indicator.--The term ``cyber threat 
        indicator'' means information that is necessary to indicate, 
        describe, or identify--
                    (A) malicious reconnaissance, including anomalous 
                patterns of communications that appear to be 
                transmitted for the purpose of gathering technical 
                information related to a cybersecurity threat or 
                security vulnerability;
                    (B) a method of defeating a security control or 
                exploitation of a security vulnerability;
                    (C) a security vulnerability;
                    (D) a method of causing a user with legitimate 
                access to an information system or information that is 
                stored on, processed by, or transiting an information 
                system to unwittingly enable the defeat of a security 
                control or exploitation of a security vulnerability;
                    (E) malicious cyber command and control;
                    (F) the actual or potential harm caused by an 
                incident, including information exfiltrated when it is 
                necessary in order to describe a cybersecurity threat;
                    (G) any other attribute of a cybersecurity threat, 
                if disclosure of such attribute is not otherwise 
                prohibited by law; or
                    (H) any combination thereof.
            (8) Electronic format.--
                    (A) In general.--Except as provided in subparagraph 
                (B), the term ``electronic format'' means information 
                that is shared through electronic mail, an interactive 
                form on an Internet website, or a real time, automated 
                process between information systems.
                    (B) Exclusion.--The term ``electronic format'' does 
                not include voice or video communication.
            (9) Entity.--
                    (A) In general.--The term ``entity'' means any 
                private entity, non-Federal government agency or 
                department, or State, tribal, or local government 
                agency or department (including a political 
                subdivision, officer, employee, or agent thereof).
                    (B) Inclusions.--The term ``entity'' includes a 
                government agency or department (including an officer, 
                employee, or agent thereof) of the District of 
                Columbia, the Commonwealth of Puerto Rico, the Virgin 
                Islands, Guam, American Samoa, the Northern Mariana 
                Islands, and any other territory or possession of the 
                United States.
                    (C) Exclusion.--The term ``entity'' does not 
                include a foreign power as defined in section 101(a) of 
                the Foreign Intelligence Surveillance Act of 1978 (50 
                U.S.C. 1801).
            (10) Federal entity.--The term ``Federal entity'' means a 
        department or agency of the United States, or any component, 
        officer, employee, or agent of such a department or agency.
            (11) Information system.--The term ``information system''--
                    (A) has the meaning given the term in section 3502 
                of title 44, United States Code; and
                    (B) includes industrial control systems, such as 
                supervisory control and data acquisition systems, 
                distributed control systems, and programmable logic 
                controllers.
            (12) Local government.--The term ``local government'' means 
        any borough, city, county, parish, town, township, village, or 
        other political subdivision of a State.
            (13) Malicious cyber command and control.--The term 
        ``malicious cyber command and control'' means a method for 
        unauthorized remote identification of, access to, or use of, an 
        information system or information that is stored on, processed 
        by, or transiting an information system.
            (14) Malicious reconnaissance.--The term ``malicious 
        reconnaissance'' means a method for actively probing or 
        passively monitoring an information system for the purpose of 
        discerning security vulnerabilities of the information system, 
        if such method is associated with a known or suspected 
        cybersecurity threat.
            (15) Monitor.--The term ``monitor'' means to obtain, 
        identify, or otherwise possess information that is stored on, 
        processed by, or transiting an information system.
            (16) Private entity.--
                    (A) In general.--The term ``private entity'' means 
                any individual or private group, organization, 
                proprietorship, partnership, trust, cooperative, 
                corporation, or other commercial or nonprofit entity, 
                including an officer, employee, or agent thereof.
                    (B) Exclusion.--The term ``private entity'' does 
                not include a foreign power as defined in section 
                101(a) of the Foreign Intelligence Surveillance Act of 
                1978 (50 U.S.C. 1801).
            (17) Security control.--The term ``security control'' means 
        the management, operational, and technical controls used to 
        protect the confidentiality, integrity, and availability of an 
        information system or its information.
            (18) Security vulnerability.--The term ``security 
        vulnerability'' means any attribute of hardware, software, 
        process, or procedure that could enable or facilitate the 
        defeat of a security control.
            (19) Tribal.--The term ``tribal'' has the meaning given the 
        term ``Indian tribe'' in section 4 of the Indian Self-
        Determination and Education Assistance Act (25 U.S.C. 450b).

SEC. 3. SHARING OF INFORMATION BY THE FEDERAL GOVERNMENT.

    (a) In General.--Consistent with the protection of intelligence 
sources and methods and the protection of privacy and civil liberties, 
the Director of National Intelligence, the Secretary of Homeland 
Security, the Secretary of Defense, and the Attorney General, in 
consultation with the heads of the appropriate Federal entities, shall 
develop and promulgate procedures to facilitate and promote--
            (1) the timely sharing of classified cyber threat 
        indicators in the possession of the Federal Government with 
        cleared representatives of appropriate entities;
            (2) the timely sharing with appropriate entities of cyber 
        threat indicators or information in the possession of the 
        Federal Government that may be declassified and shared at an 
        unclassified level; and
            (3) the sharing with appropriate entities, or, if 
        appropriate, public availability, of unclassified, including 
        controlled unclassified, cyber threat indicators in the 
        possession of the Federal Government.
    (b) Development of Procedures.--
            (1) In general.--The procedures developed and promulgated 
        under subsection (a) shall--
                    (A) ensure the Federal Government has and maintains 
                the capability to share cyber threat indicators in real 
                time consistent with the protection of classified 
                information; and
                    (B) incorporate, to the greatest extent possible, 
                existing processes and existing roles and 
                responsibilities of Federal and non-Federal entities 
                for information sharing by the Federal Government, 
                including sector specific information sharing and 
                analysis centers.
            (2) Coordination.--In developing the procedures required 
        under this section, the Director of National Intelligence, the 
        Secretary of Homeland Security, and the Attorney General shall 
        coordinate with appropriate Federal entities, including the 
        National Laboratories (as defined in section 2 of the Energy 
        Policy Act of 2005 (42 U.S.C. 15801)), to ensure that effective 
        protocols are implemented that will facilitate and promote the 
        sharing of cyber threat indicators by the Federal Government in 
        a timely manner.
    (c) Submittal to Congress.--Not later than 60 days after the date 
of the enactment of this Act, the Director of National Intelligence, in 
consultation with the heads of the appropriate Federal entities, shall 
submit to Congress the procedures required by subsection (a).

SEC. 4. AUTHORIZATIONS FOR PREVENTING, DETECTING, ANALYZING, AND 
              MITIGATING CYBERSECURITY THREATS.

    (a) Authorization for Monitoring.--
            (1) In general.--Notwithstanding any other provision of 
        law, a private entity may, for cybersecurity purposes, 
        monitor--
                    (A) the information systems of such private entity;
                    (B) the information systems of another entity, upon 
                written consent of such other entity;
                    (C) the information systems of a Federal entity, 
                upon written consent of an authorized representative of 
                the Federal entity; and
                    (D) information that is stored on, processed by, or 
                transiting the information systems monitored by the 
                private entity under this paragraph.
            (2) Construction.--Nothing in this subsection shall be 
        construed to authorize the monitoring of information systems 
        other than as provided in this subsection or to limit otherwise 
        lawful activity.
    (b) Authorization for Operation of Countermeasures.--
            (1) In general.--Notwithstanding any other provision of 
        law, a private entity may, for cybersecurity purposes, operate 
        countermeasures that are applied to--
                    (A) the information systems of such private entity 
                in order to protect the rights or property of the 
                private entity;
                    (B) the information systems of another entity upon 
                written consent of such entity to protect the rights or 
                property of such entity; and
                    (C) the information systems of a Federal entity 
                upon written consent of an authorized representative of 
                such Federal entity to protect the rights or property 
                of the Federal Government.
            (2) Construction.--Nothing in this subsection shall be 
        construed to authorize the use of countermeasures other than as 
        provided in this subsection or to limit otherwise lawful 
        activity.
    (c) Authorization for Sharing or Receiving Cyber Threat Indicators 
or Countermeasures.--
            (1) In general.--Notwithstanding any other provision of 
        law, and for the purposes permitted under this Act, an entity 
        may, consistent with the protection of classified information, 
        share with, or receive from, any other entity or the Federal 
        Government cyber threat indicators and countermeasures.
            (2) Construction.--Nothing in this subsection shall be 
        construed to authorize the sharing or receiving of cyber threat 
        indicators or countermeasures other than as provided in this 
        subsection or to limit otherwise lawful activity.
    (d) Protection and Use of Information.--
            (1) Security of information.--An entity or Federal entity 
        monitoring information systems, operating countermeasures, or 
        providing or receiving cyber threat indicators or 
        countermeasures under this section shall implement and utilize 
        security controls to protect against unauthorized access to or 
        acquisition of such cyber threat indicators or countermeasures.
            (2) Removal of certain personal information.--An entity or 
        Federal entity sharing cyber threat indicators pursuant to this 
        Act shall, prior to such sharing, remove any information 
        contained within such indicators that the entity or Federal 
        entity knows at the time of sharing to be personal information 
        of or identifying a specific person not directly related to a 
        cybersecurity threat.
            (3) Use of cyber threat indicators and countermeasures by 
        entities.--
                    (A) In general.--Consistent with this Act, cyber 
                threat indicators or countermeasures shared or received 
                under this section may, for cybersecurity purposes--
                            (i) be used by an entity to monitor or 
                        operate countermeasures on its information 
                        systems, or the information systems of another 
                        entity or a Federal entity upon the written 
                        consent of that other entity or that Federal 
                        entity; and
                            (ii) be otherwise used, retained, and 
                        further shared by an entity.
                    (B) Construction.--Nothing in this paragraph shall 
                be construed to authorize the use of cyber threat 
                indicators or countermeasures other than as provided in 
                this section.
            (4) Use of cyber threat indicators by state, tribal, or 
        local departments or agencies.--
                    (A) Law enforcement use.--
                            (i) Prior written consent.--Except as 
                        provided in clause (ii), cyber threat 
                        indicators shared with a State, tribal, or 
                        local department or agency under this section 
                        may, with the prior written consent of the 
                        entity sharing such indicators, be used by a 
                        State, tribal, or local department or agency 
                        for the purpose of preventing, investigating, 
                        or prosecuting a computer crime.
                            (ii) Oral consent.--If the need for 
                        immediate use prevents obtaining written 
                        consent, such consent may be provided orally 
                        with subsequent documentation of the consent.
                    (B) Exemption from disclosure.--Cyber threat 
                indicators shared with a State, tribal, or local 
                department or agency under this section shall be--
                            (i) deemed voluntarily shared information; 
                        and
                            (ii) exempt from disclosure under any 
                        State, tribal, or local law requiring 
                        disclosure of information or records.
                    (C) State, tribal, and local regulatory 
                authority.--
                            (i) Authorization.--Cyber threat indicators 
                        shared with a State, tribal, or local 
                        department or agency under this section may, 
                        consistent with State regulatory authority 
                        specifically relating to the prevention or 
                        mitigation of cybersecurity threats to 
                        information systems, inform the development or 
                        implementation of regulations relating to such 
                        information systems.
                            (ii) Limitation.--Such cyber threat 
                        indicators shall not otherwise be directly used 
                        by any State, tribal, or local department or 
                        agency to regulate the lawful activities of an 
                        entity.
    (e) Antitrust Exemption.--
            (1) In general.--Except as provided in section 8(e), it 
        shall not be considered a violation of any provision of 
        antitrust laws for two or more private entities to exchange or 
        provide cyber threat indicators, or assistance relating to the 
        prevention, investigation, or mitigation of cybersecurity 
        threats, for cybersecurity purposes under this Act.
            (2) Applicability.--Paragraph (1) shall apply only to 
        information that is exchanged or assistance provided in order 
        to assist with--
                    (A) facilitating the prevention, investigation, or 
                mitigation of cybersecurity threats to information 
                systems or information that is stored on, processed by, 
                or transiting an information system; or
                    (B) communicating or disclosing cyber threat 
                indicators to help prevent, investigate, or mitigate 
                the effects of cybersecurity threats to information 
                systems or information that is stored on, processed by, 
                or transiting an information system.
    (f) No Right or Benefit.--The sharing of cyber threat indicators 
with an entity under this Act shall not create a right or benefit to 
similar information by such entity or any other entity.

SEC. 5. SHARING OF CYBER THREAT INDICATORS AND COUNTERMEASURES WITH THE 
              FEDERAL GOVERNMENT.

    (a) Requirement for Policies and Procedures.--
            (1) Interim policies and procedures.--Not later than 60 
        days after the date of the enactment of this Act, the Attorney 
        General, in coordination with the heads of the appropriate 
        Federal entities, shall develop, and submit to Congress, 
        interim policies and procedures relating to the receipt of 
        cyber threat indicators and countermeasures by the Federal 
        Government.
            (2) Final policies and procedures.--Not later than 180 days 
        after the date of the enactment of this Act, the Attorney 
        General, in coordination with the heads of the appropriate 
        Federal entities, shall promulgate final policies and 
        procedures relating to the receipt of cyber threat indicators 
        and countermeasures by the Federal Government.
            (3) Requirements concerning policies and procedures.--The 
        policies and procedures developed and promulgated under this 
        subsection shall--
                    (A) ensure that cyber threat indicators shared with 
                the Federal Government by any entity pursuant to 
                section 4, and that are received through the process 
                described in subsection (c)--
                            (i) are shared in real time and 
                        simultaneous with such receipt with all of the 
                        appropriate Federal entities;
                            (ii) are not subject to any delay, 
                        interference, or any other action that could 
                        impede real-time receipt by all of the 
                        appropriate Federal entities; and
                            (iii) may be provided to other Federal 
                        entities;
                    (B) ensure that cyber threat indicators shared with 
                the Federal Government by any entity pursuant to 
                section 4 in a manner other than the process described 
                in subsection (c)--
                            (i) are shared immediately with all of the 
                        appropriate Federal entities;
                            (ii) are not subject to any unreasonable 
                        delay, interference, or any other action that 
                        could impede receipt by all of the appropriate 
                        Federal entities; and
                            (iii) may be provided to other Federal 
                        entities;
                    (C) govern, consistent with this Act, any other 
                applicable laws, and the fair information practice 
                principles set forth in appendix A of the document 
                entitled ``National Strategy for Trusted Identities in 
                Cyberspace'' and published by the President in April, 
                2011, the retention, use, and dissemination by the 
                Federal Government of cyber threat indicators shared 
                with the Federal Government under this Act, including 
                the extent, if any, to which such cyber threat 
                indicators may be used by the Federal Government; and
                    (D) ensure there is an audit capability and 
                appropriate sanctions in place for officers, employees, 
                or agents of a Federal entity who knowingly and 
                willfully conduct activities under this Act in an 
                unauthorized manner.
    (b) Privacy and Civil Liberties.--
            (1) Guidelines of attorney general.--The Attorney General 
        shall, in coordination with the heads of the appropriate 
        Federal agencies and in consultation with officers designated 
        under section 1062 of the National Security Intelligence Reform 
        Act of 2004 (42 U.S.C. 2000ee-1), develop and periodically 
        review guidelines relating to privacy and civil liberties which 
        shall govern the receipt, retention, use, and dissemination of 
        cyber threat indicators by a Federal entity obtained in 
        connection with activities authorized in this Act.
            (2) Content.--The guidelines developed and reviewed under 
        paragraph (1) shall, consistent with the need to protect 
        information systems from cybersecurity threats and mitigate 
        cybersecurity threats--
                    (A) limit the impact on privacy and civil liberties 
                of activities by the Federal Government under this Act;
                    (B) limit the receipt, retention, use, and 
                dissemination of cyber threat indicators containing 
                personal information of or identifying specific 
                persons, including establishing--
                            (i) a process for the timely destruction of 
                        information that is known not to be directly 
                        related to uses authorized under this Act; and
                            (ii) specific limitations on the length of 
                        any period in which a cyber threat indicator 
                        may be retained;
                    (C) include requirements to safeguard cyber threat 
                indicators containing personal information of or 
                identifying specific persons from unauthorized access 
                or acquisition, including appropriate sanctions for 
                activities by officers, employees, or agents of the 
                Federal Government in contravention of such guidelines;
                    (D) include procedures for notifying entities if 
                information received pursuant to this section is known 
                by a Federal entity receiving the information not to 
                constitute a cyber threat indicator; and
                    (E) protect the confidentiality of cyber threat 
                indicators containing personal information of or 
                identifying specific persons to the greatest extent 
                practicable and require recipients to be informed that 
                such indicators may only be used for purposes 
                authorized under this Act.
    (c) Capability and Process Within the Department of Homeland 
Security.--
            (1) In general.--Not later than 90 days after the date of 
        the enactment of this Act, the Secretary of Homeland Security, 
        in coordination with the heads of the appropriate Federal 
        entities, shall develop and implement a capability and process 
        within the Department of Homeland Security that--
                    (A) shall accept from any entity in real time cyber 
                threat indicators and countermeasures in an electronic 
                format, pursuant to this section;
                    (B) shall, upon submittal of the certification 
                under paragraph (2) that such capability and process 
                fully and effectively operates as described in such 
                paragraph, be the process by which the Federal 
                Government receives cyber threat indicators and 
                countermeasures under this Act in an electronic format 
                that are shared by a private entity with the Federal 
                Government except--
                            (i) communications between a Federal entity 
                        and a private entity regarding a previously 
                        shared cyber threat indicator;
                            (ii) voluntary or legally compelled 
                        participation in an open Federal investigation;
                            (iii) information received through an 
                        automated malware analysis capability operated 
                        by the Federal Bureau of Investigation that is 
                        designed to ensure that information received 
                        through and analysis produced by such 
                        capability is also immediately shared through 
                        the capability and process developed by the 
                        Secretary of Homeland Security under this 
                        paragraph;
                            (iv) communications with a Federal 
                        regulatory authority by regulated entities 
                        regarding a cybersecurity threat; and
                            (v) cyber threat indicators or 
                        countermeasures shared with a Federal entity as 
                        part of a contractual or statutory requirement;
                    (C) ensures that all of the appropriate Federal 
                entities receive such cyber threat indicators in real 
                time and simultaneous with receipt through the process 
                within the Department of Homeland Security; and
                    (D) is in compliance with the policies, procedures, 
                and guidelines required by this section.
            (2) Certification.--Not later than 10 days prior to the 
        implementation of the capability and process required by 
        paragraph (1), the Secretary of Homeland Security shall, in 
        consultation with the heads of the appropriate Federal 
        entities, certify to Congress whether such capability and 
        process fully and effectively operates--
                    (A) as the process by which the Federal Government 
                receives from any entity cyber threat indicators and 
                countermeasures in an electronic format under this Act; 
                and
                    (B) in accordance with the policies, procedures, 
                and guidelines developed under this section.
            (3) Public notice and access.--The Secretary of Homeland 
        Security shall ensure there is public notice of, and access to, 
        the capability and process developed and implemented under 
        paragraph (1) so that any entity may share cyber threat 
        indicators and countermeasures through such process with the 
        Federal Government and that all of the appropriate Federal 
        entities receive such cyber threat indicators and 
        countermeasures in real time and simultaneous with receipt 
        through the process within the Department of Homeland Security.
            (4) Other federal entities.--The process developed and 
        implemented under paragraph (1) shall ensure that other Federal 
        entities receive in a timely manner any cyber threat indicators 
        and countermeasures shared with the Federal Government through 
        the process created in this subsection.
            (5) Reports.--
                    (A)  Report on development and implementation.--
                            (i) In general.--Not later than 60 days 
                        after the date of the enactment of this Act, 
                        the Secretary of Homeland Security shall submit 
                        to Congress a report on the development and 
                        implementation of the capability and process 
                        required by paragraph (1), including a 
                        description of such capability and process and 
                        the public notice of, and access to, such 
                        process.
                            (ii) Classified annex.--The report required 
                        by clause (i) shall be submitted in 
                        unclassified form, but may include a classified 
                        annex.
                    (B) Report on automated malware analysis 
                capability.--Not later than 1 year after the date of 
                the enactment of this Act, the Director of the Federal 
                Bureau of Investigation and the Secretary of Homeland 
                Security shall submit to Congress a report on the 
                implementation of the automated malware analysis 
                capability described in paragraph (1)(B)(iii), 
                including an assessment of the feasibility and 
                advisability of transferring the administration and 
                operation of such capability to the Department of 
                Homeland Security.
    (d) Information Shared With or Provided to the Federal 
Government.--
            (1) No waiver of privilege or protection.--The provision of 
        cyber threat indicators and countermeasures to the Federal 
        Government under this Act shall not constitute a waiver of any 
        applicable privilege or protection provided by law, including 
        trade secret protection.
            (2) Proprietary information.--A cyber threat indicator or 
        countermeasure provided by an entity to the Federal Government 
        under this Act shall be considered the commercial, financial, 
        and proprietary information of such entity when so designated 
        by such entity.
            (3) Exemption from disclosure.--Cyber threat indicators and 
        countermeasures provided to the Federal Government under this 
        Act shall be--
                    (A) deemed voluntarily shared information and 
                exempt from disclosure under section 552 of title 5, 
                United States Code, and any State, tribal, or local law 
                requiring disclosure of information or records; and
                    (B) withheld, without discretion, from the public 
                under section 552(b)(3)(B) of title 5, United States 
                Code, and any State, tribal, or local provision of law 
                requiring disclosure of information or records.
            (4) Ex parte communications.--The provision of cyber threat 
        indicators and countermeasures to the Federal Government under 
        this Act shall not be subject to the rules of any Federal 
        agency or department or any judicial doctrine regarding ex 
        parte communications with a decisionmaking official.
            (5) Disclosure, retention, and use.--
                    (A) Authorized activities.--Cyber threat indicators 
                and countermeasures provided to the Federal Government 
                under this Act may be disclosed to, retained by, and 
                used by, consistent with otherwise applicable Federal 
                law, any Federal agency or department, component, 
                officer, employee, or agent of the Federal Government 
                solely for--
                            (i) a cybersecurity purpose;
                            (ii) the purpose of responding to, or 
                        otherwise preventing or mitigating, an imminent 
                        threat of death or serious bodily harm;
                            (iii) the purpose of responding to, or 
                        otherwise preventing or mitigating, a serious 
                        threat to a minor, including sexual 
                        exploitation and threats to physical safety; or
                            (iv) the purpose of preventing, 
                        investigating, or prosecuting an offense 
                        arising out of a threat described in clause 
                        (ii) or any of the offenses listed in--
                                    (I) sections 1028 through 1030 of 
                                title 18, United States Code (relating 
                                to fraud and identity theft);
                                    (II) chapter 37 of such title 
                                (relating to espionage and censorship); 
                                and
                                    (III) chapter 90 of such title 
                                (relating to protection of trade 
                                secrets).
                    (B) Prohibited activities.--Cyber threat indicators 
                and countermeasures provided to the Federal Government 
                under this Act shall not be disclosed to, retained by, 
                or used by any Federal agency or department for any use 
                not permitted under subparagraph (A).
                    (C) Privacy and civil liberties.--Cyber threat 
                indicators and countermeasures provided to the Federal 
                Government under this Act shall be retained, used, and 
                disseminated by the Federal Government--
                            (i) in accordance with the policies, 
                        procedures, and guidelines required by 
                        subsections (a) and (b);
                            (ii) in a manner that protects from 
                        unauthorized use or disclosure any cyber threat 
                        indicators that may contain personal 
                        information of or identifying specific persons; 
                        and
                            (iii) in a manner that protects the 
                        confidentiality of cyber threat indicators 
                        containing information of, or that identifies, 
                        a specific person.
                    (D) Federal regulatory authority.--
                            (i) In general.--Cyber threat indicators 
                        and countermeasures provided to the Federal 
                        Government under this Act may, consistent with 
                        Federal or State regulatory authority 
                        specifically relating to the prevention or 
                        mitigation of cybersecurity threats to 
                        information systems, inform the development or 
                        implementation of regulations relating to such 
                        information systems.
                            (ii) Limitation.--Cyber threat indicators 
                        and countermeasures provided to the Federal 
                        Government under this Act shall not be directly 
                        used by any Federal, State, tribal, or local 
                        government department or agency to regulate the 
                        lawful activities of an entity, including 
                        activities relating to monitoring, operation of 
                        countermeasures, or sharing of cyber threat 
                        indicators.
                            (iii) Exception.--Procedures developed and 
                        implemented under this Act shall not be 
                        considered regulations within the meaning of 
                        this subparagraph.

SEC. 6. PROTECTION FROM LIABILITY.

    (a) Monitoring of Information Systems.--No cause of action shall 
lie or be maintained in any court against any private entity, and such 
action shall be promptly dismissed, for the monitoring of information 
systems and information under subsection (a) of section 4 that is 
conducted in accordance with this Act.
    (b) Sharing or Receipt of Cyber Threat Indicators.--No cause of 
action shall lie or be maintained in any court against any entity, and 
such action shall be promptly dismissed, for the sharing or receipt of 
cyber threat indicators or countermeasures under subsection (c) of 
section 4 if--
            (1) such sharing or receipt is conducted in accordance with 
        this Act; and
            (2) in a case in which a cyber threat indicator or 
        countermeasure is shared with the Federal Government in an 
        electronic format, the cyber threat indicator or countermeasure 
        is shared in a manner that is consistent with section 5(c).
    (c) Good Faith Defense in Certain Causes of Action.--If a cause of 
action is not otherwise dismissed or precluded under subsection (a) or 
(b), a good faith reliance by an entity that the conduct complained of 
was permitted under this Act shall be a complete defense against any 
action brought in any court against such entity.
    (d) Construction.--Nothing in this section shall be construed to 
require dismissal of a cause of action against an entity that has 
engaged in--
            (1) gross negligence or wilful misconduct in the course of 
        conducting activities authorized by this Act; or
            (2) conduct that is otherwise not in compliance with the 
        requirements of this Act.

SEC. 7. OVERSIGHT OF GOVERNMENT ACTIVITIES.

    (a) Biennial Report on Implementation.--
            (1) In general.--Not later than 1 year after the date of 
        the enactment of this Act, and not less frequently than once 
        every 2 years thereafter, the heads of the appropriate Federal 
        entities shall jointly submit to Congress a detailed report 
        concerning the implementation of this Act.
            (2) Contents.--Each report submitted under paragraph (1) 
        shall include the following:
                    (A) An assessment of the sufficiency of the 
                policies, procedures, and guidelines required by 
                section 5 in ensuring that cyber threat indicators are 
                shared effectively and responsibly within the Federal 
                Government.
                    (B) An evaluation of the effectiveness of real-time 
                information sharing through the capability and process 
                developed under section 5(c), including any impediments 
                to such real-time sharing.
                    (C) An assessment of the sufficiency of the 
                procedures developed under section 3 in ensuring that 
                cyber threat indicators in the possession of the 
                Federal Government are shared in a timely and adequate 
                manner with appropriate entities, or, if appropriate, 
                are made publicly available.
                    (D) An assessment of whether cyber threat 
                indicators have been properly classified and an 
                accounting of the number of security clearances 
                authorized by the Federal Government for the purposes 
                of this Act.
                    (E) A review of the type of cyber threat indicators 
                shared with the Federal Government under this Act, 
                including--
                            (i) the degree to which such information 
                        may impact the privacy and civil liberties of 
                        specific persons;
                            (ii) a quantitative and qualitative 
                        assessment of the impact of the sharing of such 
                        cyber threat indicators with the Federal 
                        Government on privacy and civil liberties of 
                        specific persons; and
                            (iii) the adequacy of any steps taken by 
                        the Federal Government to reduce such impact.
                    (F) A review of actions taken by the Federal 
                Government based on cyber threat indicators shared with 
                the Federal Government under this Act, including the 
                appropriateness of any subsequent use or dissemination 
                of such cyber threat indicators by a Federal entity 
                under section 5.
                    (G) A description of any significant violations of 
                the requirements of this Act by the Federal Government.
                    (H) A classified summary of the number and type of 
                entities that received classified cyber threat 
                indicators from the Federal Government under this Act 
                and an evaluation of the risks and benefits of sharing 
                such cyber threat indicators.
            (3) Recommendations.--Each report submitted under paragraph 
        (1) may include such recommendations as the heads of the 
        appropriate Federal entities may have for improvements or 
        modifications to the authorities and processes under this Act.
            (4) Form of report.--Each report required by paragraph (1) 
        shall be submitted in unclassified form, but shall include a 
        classified annex.
    (b) Reports on Privacy and Civil Liberties.--
            (1) Biennial report from privacy and civil liberties 
        oversight board.--Not later than 2 years after the date of the 
        enactment of this Act and not less frequently than once every 2 
        years thereafter, the Privacy and Civil Liberties Oversight 
        Board shall submit to Congress and the President a report 
        providing--
                    (A) an assessment of the privacy and civil 
                liberties impact of the type of activities carried out 
                under this Act; and
                    (B) an assessment of the sufficiency of the 
                policies, procedures, and guidelines established 
                pursuant to section 5 in addressing privacy and civil 
                liberties concerns.
            (2) Biennial report of inspectors general.--
                    (A) In general.--Not later than 2 years after the 
                date of the enactment of this Act and not less 
                frequently than once every 2 years thereafter, the 
                Inspector General of the Department of Homeland 
                Security, the Inspector General of the Intelligence 
                Community, the Inspector General of the Department of 
                Justice, and the Inspector General of the Department of 
                Defense shall jointly submit to Congress a report on 
                the receipt, use, and dissemination of cyber threat 
                indicators and countermeasures that have been shared 
                with Federal entities under this Act.
                    (B) Contents.--Each report submitted under 
                subparagraph (A) shall include the following:
                            (i) A review of the types of cyber threat 
                        indicators shared with Federal entities.
                            (ii) A review of the actions taken by 
                        Federal entities as a result of the receipt of 
                        such cyber threat indicators.
                            (iii) A list of Federal entities receiving 
                        such cyber threat indicators.
                            (iv) A review of the sharing of such cyber 
                        threat indicators among Federal entities to 
                        identify inappropriate barriers to sharing 
                        information.
            (3) Recommendations.--Each report submitted under this 
        subsection may include such recommendations as the Privacy and 
        Civil Liberties Oversight Board, with respect to a report 
        submitted under paragraph (1), or the Inspectors General 
        referred to in paragraph (2)(A), with respect to a report 
        submitted under paragraph (2), may have for improvements or 
        modifications to the authorities under this Act.
            (4) Form.--Each report required under this subsection shall 
        be submitted in unclassified form, but may include a classified 
        annex.

SEC. 8. CONSTRUCTION AND PREEMPTION.

    (a) Otherwise Lawful Disclosures.--Nothing in this Act shall be 
construed to limit or prohibit otherwise lawful disclosures of 
communications, records, or other information, including reporting of 
known or suspected criminal activity, by an entity to any other entity 
or the Federal Government under this Act.
    (b) Whistleblower Protections.--Nothing in this Act shall be 
construed to preempt any employee from exercising rights currently 
provided under any whistleblower law, rule, or regulation.
    (c) Protection of Sources and Methods.--Nothing in this Act shall 
be construed--
            (1) as creating any immunity against, or otherwise 
        affecting, any action brought by the Federal Government, or any 
        agency or department thereof, to enforce any law, executive 
        order, or procedure governing the appropriate handling, 
        disclosure, or use of classified information;
            (2) to impact the conduct of authorized law enforcement or 
        intelligence activities; or
            (3) to modify the authority of a department or agency of 
        the Federal Government to protect sources and methods and the 
        national security of the United States.
    (d) Relationship to Other Laws.--Nothing in this Act shall be 
construed to affect any requirement under any other provision of law 
for an entity to provide information to the Federal Government.
    (e) Prohibited Conduct.--Nothing in this Act shall be construed to 
permit price-fixing, allocating a market between competitors, 
monopolizing or attempting to monopolize a market, boycotting, or 
exchanges of price or cost information, customer lists, or information 
regarding future competitive planning.
    (f) Information Sharing Relationships.--Nothing in this Act shall 
be construed--
            (1) to limit or modify an existing information sharing 
        relationship;
            (2) to prohibit a new information sharing relationship;
            (3) to require a new information sharing relationship 
        between any entity and the Federal Government;
            (4) to require the use of the capability and process within 
        the Department of Homeland Security developed under section 
        5(c); or
            (5) to amend, repeal, or supersede any current or future 
        contractual agreement, terms of service agreement, or other 
        contractual relationship between any entities, or between any 
        entity and the Federal Government.
    (g) Anti-tasking Restriction.--Nothing in this Act shall be 
construed to permit the Federal Government--
            (1) to require an entity to provide information to the 
        Federal Government; or
            (2) to condition the sharing of cyber threat indicators 
        with an entity on such entity's provision of cyber threat 
        indicators to the Federal Government.
    (h) No Liability for Non-participation.--Nothing in this Act shall 
be construed to subject any entity to liability for choosing not to 
engage in the voluntary activities authorized in this Act.
    (i) Use and Retention of Information.--Nothing in this Act shall be 
construed to authorize, or to modify any existing authority of, a 
department or agency of the Federal Government to retain or use any 
information shared under this Act for any use other than permitted in 
this Act.
    (j) Federal Preemption.--
            (1) In general.--This Act supersedes any statute or other 
        law of a State or political subdivision of a State that 
        restricts or otherwise expressly regulates an activity 
        authorized under this Act.
            (2) State law enforcement.--Nothing in this Act shall be 
        construed to supersede any statute or other law of a State or 
        political subdivision of a State concerning the use of 
        authorized law enforcement practices and procedures.
    (k) Regulatory Authority.--Nothing in this Act shall be construed--
            (1) to authorize the promulgation of any regulations not 
        specifically authorized by this Act;
            (2) to establish any regulatory authority not specifically 
        established under Act; or
            (3) to authorize regulatory actions that would duplicate or 
        conflict with regulatory requirements, mandatory standards, or 
        related processes under Federal law.

SEC. 9. REPORT ON CYBERSECURITY THREATS.

    (a) Requirement for Report.--Not later than 180 days after the date 
of the enactment of this Act, the Director of National Intelligence, in 
coordination with the heads of other appropriate elements of the 
intelligence community, shall submit to the Select Committee on 
Intelligence of the Senate and the Permanent Select Committee on 
Intelligence of the House of Representatives a report on cybersecurity 
threats, including cyber attacks, theft, and data breaches. Such report 
shall include the following:
            (1) An assessment of the current intelligence sharing and 
        cooperation relationships of the United States with other 
        countries regarding cybersecurity threats, including cyber 
        attacks, theft, and data breaches, directed against the United 
        States and which threaten the United States national security 
        interests and economy and intellectual property, specifically 
        identifying the relative utility of such relationships, which 
        elements of the intelligence community participate in such 
        relationships, and whether and how such relationships could be 
        improved.
            (2) A list and an assessment of the countries and non-state 
        actors that are the primary threats of carrying out a 
        cybersecurity threat, including a cyber attack, theft, or data 
        breach, against the United States and which threaten the United 
        States national security, economy, and intellectual property.
            (3) A description of the extent to which the capabilities 
        of the United States Government to respond to or prevent 
        cybersecurity threats, including cyber attacks, theft, or data 
        breaches, directed against the United States private sector are 
        degraded by a delay in the prompt notification by private 
        entities of such threats or cyber attacks, theft, and breaches.
            (4) An assessment of additional technologies or 
        capabilities that would enhance the ability of the United 
        States to prevent and to respond to cybersecurity threats, 
        including cyber attacks, theft, and data breaches.
            (5) An assessment of any technologies or practices utilized 
        by the private sector that could be rapidly fielded to assist 
        the intelligence community in preventing and responding to 
        cybersecurity threats.
    (b) Intelligence Community Defined.--In this section, the term 
``intelligence community'' has the meaning given that term in section 
3(4) of the National Security Act of 1947 (50 U.S.C. 3003(4)).
    (c) Form of Report.--The report required by subsection (a) shall be 
made available in classified and unclassified forms.

SEC. 10. CONFORMING AMENDMENTS.

    (a) Public Information.--Section 552(b) of title 5, United States 
Code, is amended--
            (1) in paragraph (8), by striking ``or'' at the end;
            (2) in paragraph (9), by striking ``wells.'' and inserting 
        ``wells; or''; and
            (3) by adding at the end the following:
            ``(10) information shared with or provided to the Federal 
        Government pursuant to the Cybersecurity Information Sharing 
        Act of 2014.''.
    (b) Modification of Limitation on Dissemination of Certain 
Information Concerning Penetrations of Defense Contractor Networks.--
Section 941(c)(3) of the National Defense Authorization Act for Fiscal 
Year 2013 (Public Law 112-239) is amended by inserting at the end the 
following: ``The Secretary may share such information with other 
Federal entities if such information consists of cyber threat 
indicators and countermeasures and such information is shared 
consistent with the policies and procedures promulgated by the Attorney 
General under section 5 of the Cybersecurity Information Sharing Act of 
2014.''.
                                                       Calendar No. 462

113th CONGRESS

  2d Session

                                S. 2588

_______________________________________________________________________

                                 A BILL

To improve cybersecurity in the United States through enhanced sharing 
  of information about cybersecurity threats, and for other purposes.

_______________________________________________________________________

                             July 10, 2014

                 Read twice and placed on the calendar