The U.S. House of Representatives’ Intelligence Committee passed H.R. 3523, the Cyber Intelligence Sharing and Protection Act on December 1, 2011, in an effort to protect the intellectual property of U.S. businesses from cyber attacks. The bill was introduced by committee Chairman Mike Rogers (R-MI) and Ranking Member Dutch Ruppersberger (D-MD) and passed by a 17-1 vote.
The bill would direct the Director of National Intelligence to establish procedures to allow the intelligence community to share cyber threat intelligence with certified entities within the private sector and for granting security clearances to organizations that wish to receive this information. Private sector cybersecurity providers would be limited to using the information they receive to protect themselves or their customers. Entities that “self-protect” from cybersecurity threats may use threat information to protect their own rights and property while also having the right to share it with other entities, including the federal government. The bill would exempt from liability the sharing of cyber threat information in good faith pursuant to the procedures established by authority of the bill or the failure to act on cyber threat information. The bill also would allow private sector entities to share cyber threat information anonymously through an undefined process or restrict with whom they share threat information.
Two amendments to the bill were also passed—the first to improve the privacy protections for cyber threat information by prohibiting the government from using the information for regulatory purposes. The government would also be prohibited even from searching the information, unless for a cybersecurity or national security purpose. The second amendment would require an annual report to Congress outlining the information that the private sector shares voluntarily with the government.