On Wednesday, April 22, 2015, the House passed H.R. 1560, the Protecting Cyber Networks Act, sponsored by House Intelligence Committee Chairman Devin Nunes (R-CA), with Ranking Member Adam Schiff (D-CA) as lead cosponsor. The bill passed by a wide margin of 307-116, and was followed a day later by passage of H.R. 1731, the National Cybersecurity Protection Advancement (NCPA) Act of 2015, by a vote of 355-63. That bill is sponsored by Homeland Security Committee Chairman Michael McCaul (R-TX).
Chairman Nunes’ bill amends the National Security Act of 1947 to require the Director of National Intelligence (DNI) to develop and promulgate procedures to facilitate the sharing of classified and declassified cyber threat indicators in the possession of the federal government with private entities. It also authorizes private entities to conduct information system monitoring activities and operate defensive measures for cybersecurity purposes, and to share any cyber threat indicators with, or receive them from, other private entities or an “appropriate federal entity” (defined as Commerce, DOE, DHS, DOJ, DNI or Treasury). The bill requires that federal and non-federal entities that share cyber threat indicators scrub such indicators of all personally identifiable information before sharing.
Section 6 of the bill contains liability protections, stating that “No cause of action shall lie or be maintained in any court against any private entity … for the monitoring of an information system and information under section 3(a) that is conducted in good faith in accordance with this Act and … for the sharing or receipt of a cyber threat indicator or defensive measure under section 3(c), or a good faith failure to act based on such sharing or receipt, if such sharing or receipt is conducted in good faith in accordance with this Act and the amendments made by this Act.” However, that section contains a willful misconduct provision that would negate the liability protection for actions in accordance with the bill’s provisions, and defines “willful misconduct” as “an act or omission that is taken— (A) intentionally to achieve a wrongful purpose; (B) knowingly without legal or factual justification; and (C) in disregard of a known or obvious risk that is so great as to make it highly probable that the harm will outweigh the benefit.”
H.R. 1731 amends the Homeland Security Act of 2002 to provide liability protections for private companies sharing cyber threat information within the private sector and with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC). As with H.R. 1560, personally identifiable information would be required to be scrubbed before a threat indicator is shared.
Both bills now head to the Senate, which is still considering its own version of cybersecurity threat information sharing legislation: the Cybersecurity Information Sharing Act (CISA), S. 754, reported by the Senate Intelligence Committee on March 13, 2015. A third information sharing bill, H.R. 234, remains in the offing in the House and may receive a vote later this week. Before passage of H.R. 1560, the White House issued a public statement of support for H.R. 1560 and H.R. 234, while expressing reservations that the liability protection provisions were too broad.