The Cybersecurity Act of 2015: Sections 104-106

Bill H.R.923 also known as “H.R.923 – To repeal the Cybersecurity Act of 2015” is a bill introduced to the US House. As the name suggests it seeks to repeal the US Cybersecurity Act of 2015, which was passed during of the 114th Congress. There is no given reasoning on the Congress.gov website, as reasoning becomes available a followup article will be written.

What Is the Cybersecurity Act of 2015?
The Cybersecurity Act of 2015 (CA2015) is a bill that was introduced and passed the House and the Senate during the 114th congress in 2015. It covers a variety of topics pertaining to Cybersecurity. The bill requires that Federal and appropriately cleared non-Federal agencies share all relevant information towards cyber threats. It requires that any information or research acquired by these organizations be shared with other groups that could feasibly help prevent a cyberattack. It also states that these agencies and organizations will share their knowledge through publications and targeted outreach programs to small businesses. This includes information such as the NIST Framework, up-to-date data for known malware programs as well as best practices.

Section 104 of the bill requires that Federal and appropriate non-Federal agencies work together to create procedures for handling potential cyberattacks. This includes the

“notifying, in a timely manner, any United States person whose personal information is known or determined to have been shared by a Federal entity in violation of this title.”

This requires that during an investigation into a potential cyberthreat, or during the process of sharing data on a cyberthreat if an individual’s personal data is revealed that they be notified by the agency involved. Section 104 of the bill very firmly states that the allowances it makes for a “private entity” to be monitored all require the written acceptance of said entity and that it shall “not be construed” to make any other form of monitoring legal. This means that if the CIA were to use an infected email of yours as an example, they would be required by law to remove all personal information from it or be required to notify you.

There is an exception to these rulings however. State, Tribal or Local governments and police agencies are not required to disclose their usage of any data in response to a cyberthreat. This is because any the wording of the bill stating that any such usage by those levels of government automatically makes it “deemed voluntarily shared information.” However the bill does require that any such actions taken by said levels of government in response to a cyberthreat may not be used to “regulate the lawful actions of any non-Federal activity.” This means that any devices, programs or other actions used by local governments can not be used to police the law abiding populace.

The bill also creates an exemption to the Anti-Trust act, but only for cases of cybersecurity. It allows to organizations to freely share any data pertaining to a cyberattack or cyberthreat without risk of being deemed a Trust. The bill does require that any such sharing be done freely, without the sharing company gaining any benefit from such an action. This is part of the bill’s overall aim of creating a more secure infrastructure at the Federal and non-Federal levels.

Section 105 states at its end that any sharing of data by any company, organization or private-entity will not violate their legal protections under copyright or trade secret law. This also applies to any actions taken by a Federal or non-Federal organization in response to a cyberthreat or cyberattack. Again this sort of writing is designed to prompt companies and organizations to freely share any relevant data they may have.

Section 106 includes legislation that makes any defensive measure or tracking indicator used to combat, prevent or lessen the impact of a cyberthreat or cyberattack proprietary to the creator. It automatically exempts said measure or tracking indicator from disclosure, at all levels of government from Federal to Local. This disclosure is considered a “withholding, without discretion” meaning that it is automatic and without contest. Only with the consent of the owners could the information be revealed to the public.

The next article on this bill will include Section 107 which pertains to the oversight of government activities, including the monitoring of organizations and entities.