Sec. 103. Authorizations for preventing, detecting, analyzing, and mitigating cybersecurity threats
1,151 words·~5 min read·
/bill/114/hr/1560/eh/section-103A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
Notwithstanding any other provision of law, a private entity may, for a cybersecurity purpose, monitor— an information system of such private entity; an information system of a non-Federal entity or a Federal entity, upon the written authorization of such non-Federal entity or such Federal entity; and information that is stored on, processed by, or transiting an information system monitored by the private entity under this paragraph. Nothing in this subsection shall be construed to— authorize the monitoring of an information system, or the use of any information obtained through such monitoring, other than as provided in this title; authorize the Federal Government to conduct surveillance of any person; or limit otherwise lawful activity.
Except as provided in paragraph
(2)and notwithstanding any other provision of law, a private entity may, for a cybersecurity purpose, operate a defensive measure that is operated on— an information system of such private entity to protect the rights or property of the private entity; and an information system of a non-Federal entity or a Federal entity upon written authorization of such non-Federal entity or such Federal entity for operation of such defensive measure to protect the rights or property of such private entity, such non-Federal entity, or such Federal entity. The authority provided in paragraph
(1)does not include a defensive measure that destroys, renders unusable or inaccessible (in whole or in part), or substantially harms an information system or information stored on, processed by, or transiting such information system not owned by— the private entity operating such defensive measure; or a non-Federal entity or a Federal entity that has provided written authorization to that private entity for operation of such defensive measure on the information system or information of the entity in accordance with this subsection. Nothing in this subsection shall be construed— to authorize the use of a defensive measure other than as provided in this subsection; or to limit otherwise lawful activity. Except as provided in paragraph
(2)and notwithstanding any other provision of law, a non-Federal entity may, for a cybersecurity purpose and consistent with the requirement under subsection (d)(2) to remove personal information of or information identifying a specific person not directly related to a cybersecurity threat and the protection of classified information— share a lawfully obtained cyber threat indicator or defensive measure with any other non-Federal entity or an appropriate Federal entity (other than the Department of Defense or any component of the Department, including the National Security Agency); and receive a cyber threat indicator or defensive measure from any other non-Federal entity or an appropriate Federal entity. A non-Federal entity receiving a cyber threat indicator or defensive measure from another non-Federal entity or a Federal entity shall comply with otherwise lawful restrictions placed on the sharing or use of such cyber threat indicator or defensive measure by the sharing non-Federal entity or Federal entity. Nothing in this subsection shall be construed to— authorize the sharing or receiving of a cyber threat indicator or defensive measure other than as provided in this subsection; authorize the sharing or receiving of classified information by or with any person not authorized to access such classified information; prohibit any Federal entity from engaging in formal or informal technical discussion regarding cyber threat indicators or defensive measures with a non-Federal entity or from providing technical assistance to address vulnerabilities or mitigate threats at the request of such an entity; limit otherwise lawful activity; prohibit otherwise lawful sharing by a non-Federal entity of a cyber threat indicator or defensive measure with the Department of Defense or any component of the Department, including the National Security Agency; or authorize the Federal Government to conduct surveillance of any person. A non-Federal entity monitoring an information system, operating a defensive measure, or providing or receiving a cyber threat indicator or defensive measure under this section shall implement an appropriate security control to protect against unauthorized access to, or acquisition of, such cyber threat indicator or defensive measure. A non-Federal entity sharing a cyber threat indicator pursuant to this title shall, prior to such sharing, take reasonable efforts to— review such cyber threat indicator to assess whether such cyber threat indicator contains any information that the non-Federal entity reasonably believes at the time of sharing to be personal information of or information identifying a specific person not directly related to a cybersecurity threat and remove such information; or implement a technical capability configured to remove any information contained within such indicator that the non-Federal entity reasonably believes at the time of sharing to be personal information of or information identifying a specific person not directly related to a cybersecurity threat. A non-Federal entity may, for a cybersecurity purpose— use a cyber threat indicator or defensive measure shared or received under this section to monitor or operate a defensive measure on— an information system of such non-Federal entity; or an information system of another non-Federal entity or a Federal entity upon the written authorization of that other non-Federal entity or that Federal entity; and otherwise use, retain, and further share such cyber threat indicator or defensive measure subject to— an otherwise lawful restriction placed by the sharing non-Federal entity or Federal entity on such cyber threat indicator or defensive measure; or an otherwise applicable provision of law. A State, tribal, or local government may use a cyber threat indicator shared with such State, tribal, or local government for the purposes described in clauses (i), (ii), and
(iii)of section 104(d)(5)(A). A cyber threat indicator or defensive measure shared with a State, tribal, or local government under this section shall be— deemed voluntarily shared information; and exempt from disclosure under any State, tribal, or local law requiring disclosure of information or records, except as otherwise required by applicable State, tribal, or local law requiring disclosure in any criminal prosecution. The sharing of a cyber threat indicator with a non-Federal entity under this title shall not create a right or benefit to similar information by such non-Federal entity or any other non-Federal entity. The Administrator of the Small Business Administration shall provide assistance to small businesses and small financial institutions to monitor information and information systems, operate defensive measures, and share and receive cyber threat indicators and defensive measures under this section. Not later than 1 year after the date of the enactment of this title, the Administrator of the Small Business Administration shall submit to the President a report on the degree to which small businesses and small financial institutions are able to engage in cyber threat information sharing under this section. Such report shall include the recommendations of the Administrator for improving the ability of such businesses and institutions to engage in cyber threat information sharing and to use shared information to defend their networks. The Federal Government shall conduct outreach to small businesses and small financial institutions to encourage such businesses and institutions to exercise their authority under this section.