In hopes of bolstering the nation's cyber security, this bill attempts to woo private sector companies into sharing computer data with the federal government by offering those companies expanded liability protections when they give up data.
The participation of private entities — typically businesses — would be completely voluntary, and they would face no liability for non-participation. Private entities also would have limited liability for monitoring their consenting consumers' networks — and they could share cyber threat information that has personal consumer information removed first.
All monitoring of a private entity’s network and cyber threats against that network must be done with the user’s consent.
On the federal government's end, this bill would require the Director of National Intelligence (DNI), the Secretary of Homeland Security (DHS), the Secretary of Defense (DOD), and the Attorney General (DOJ) to work together to develop new cybersecurity procedures.
Information about threats would be sent to the Department of Homeland Security (DHS) and could then be shared in real time with other federal agencies as needed. These procedures would promote more seamless sharing of classified and unclassified cyber threat indicators across federal agencies. For those of you who don't know, cyber threat indicators are the measures that help spot the malicious gathering (active or passive) of data, security vulnerabilities that exist or are being exploited and defeated, and the exfiltration of information.
Interim policies and procedures must be created within 60 days of this bill’s enactment, and final policies and procedures need to be established within 180 days. Once both the interim and final policies are developed, they would be submitted to Congress for review and made public.
The final guidelines would have to limit the impact on privacy and civil liberties for activities conducted by the federal government. In addition to preventing the inclusion of personal information when cyber threat indicators are shared, the final guidelines must create a process for destroying such information that is inadvertently shared. Limitations on how long cyber threat indicators may be kept would also be included.