Key Provisions of CISPA
CISPA concentrates entirely on sharing cyberthreat-related information between the government and private entities, and between private entities and other private entities. It makes provisions for government agencies to share both unclassified and classified information with private companies and utilities. For classified information, it specifies that the entities or individuals receiving information must be certified or have security clearance, and makes provisions for granting temporary or permanent security clearance to individuals within these entities.
It also allows for information sharing between private entities and other private entities, including cybersecurity firms hired by those companies to protect them. And it makes provisions for private entities to share information about cyberthreats with the federal government, and specifies that any agency receiving such information is to send it to National Cybersecurity and Communications Integration Center of the DHS.
CISPA exempts shared information from disclosure under the Freedom of Information Act and any similar laws enacted by state, local and tribal governments.The bill exempts companies (and cybersecurity firms hired to protect their systems) from lawsuits for sharing information, for using cybersecurity systems to identify or obtain cyberthreat information or for any decisions they make based on the cyberthreat information, provided they are acting "in good faith." A government agency, however, can be sued if it "intentionally or willfully violates" the information disclosure and use rules spelled out in the bill, with a statute of limitations of two years from the date of violation.
The bill includes limits on how the federal government may use the information shared with it. The five legitimate uses given are: cybersecurity purposes; investigation and prosecution of cybersecurity crimes; protection of individuals from death or serious bodily harm; protection of minors from child pornography, sexual exploitation and other related crimes; and protection of national security. The government is restricted from affirmatively searching the information for any purpose other than investigation and prosecution of cybersecurity crimes, and is restricted from retaining or using the information for any purpose other than the ones listed in the previous sentence. CISPA also specifically restricts the government from using library circulation records, library patron lists, book sales records, book customer lists, firearm sales records, tax return records, educational records and medical records.
The bill states that if information is shared with the federal government that it determines is not related to cyberthreats, the government must notify the entity that provided the information.
CISPA also dictates procedures and reports that must be developed and released by certain government entities.It makes all information sharing from private entities voluntary, with no penalties for choosing not to participate, and makes a statement that the bill is not an attempt to give any element of the intelligence community the right to dictate the cybersecurity efforts of any private or government agencies.
Cybersecurity purposes as defined within the bill include: efforts to protect against vulnerabilities; threats to integrity, confidentiality or availability; efforts to deny access, degrade, disrupt or destroy; and efforts to gain unauthorized access to systems and networks, as well as any information stored on, processed on or moving through them. This explicitly includes unauthorized access to exfiltrate (or remove) information, but excludes unauthorized access that only involves violations of consumer terms of service or licensing agreements. The definitions of cybersecurity systems and cyberthreat intelligence contain similar language.