Congressional Dish

CD113: CISA is Law

Jennifer Briney

News, Congress, Government, Politics, Corporations

🗓️ 27 December 2015

⏱️ 52 minutes

Summary

Cybersecurity or surveillance? What does the language attached at the last minute to the 2,009 page omnibus government funding bill actually authorize? In this episode, we take a close look at what just became law.

The Cybersecurity Act of 2015 was attached at the last minute to the "omnibus" government funding bill, which was 2,009 pages long and available to read for less than three days before it became law. This is an outline of what became law:

"": "Any executive department, military department, Government corporation, Government controlled corporation, or other establishment in the executive branch of Government" Does NOT include the Government Accountability Office, Federal Election Commission, or Government-owned contractor-operated facilities

"": An action that "may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system".

"": "Information that is necessary to describe or identify"...
Spying, including strange patterns of communications that appear to be collecting technical information Security breaches Security vulnerabilities A legitimate user being used to defeat a security system Malicious cyber command and control "The actual or potential harm caused by an incident, including a description of the information exfiltrated as a result of a particular cybersecurity threat" "Any other attribute of a cybersecurity threat, if disclosure of such attribute is not otherwise prohibited by law" "": "Any , non-Federal government agency or department, or State, tribal, or local government (including a political subdivision, department, or component thereof)" Does not include a foreign power, Procedures for sharing information both within and outside the Federal government will be created by: Director of National Intelligence Secretary of Homeland Security Secretary of Defense Attorney General ... Allow real time sharing of information Include requirements for the government to protect the information from unauthorized access Require Federal entities to review cyber threat indicators for information not directly related to the threat that contains information that identifies a specific individual and remove the information Include procedures for notifying "any United States person" whose information has been shared by the Federal government Non-Federal entities sharing information must "review" the information for "personal information of a specific individual" and "remove such information" OR have a technical way of removing the information it "knows at the time of sharing" to be personal information. and can use the information they receive for... Cybersecurity Preventing a specific threat of death, serious bodily harm, or specific threat of serious economic harm Investigating, prosecuting, and preventing serious threats to minors, including sexual exploitation and threats to physical safety ... 
, , , , Information shared will be Policies will be written by... Attorney General Secretary of Homeland Security Policies must create a way to share information "" Dept. of Commerce Dept. of Defense Dept. of Energy Dept. of Homeland Security Dept. of Justice Dept. of Treasury Office of the Director of National Intelligence Information ... Attorney General Secretary of Homeland Security In consultation with the "Private entities with industry expertise as the Attorney General and the Secretary consider relevant" Information shared with the Federal government The courts must dismiss any lawsuits against "any private entity" for monitoring information systems or sharing/receiving "cyber threat indicators" Heads of "appropriate Federal entities" will submit a report Inspectors General of the "appropriate Federal entities" will submit reports every two years The Comptroller General of the United States will submit a report on actions taken by the Federal Government to remove personal information. Report will be due in three years. Unclassified portions of the reports will be available to the public. Lists what this bill is not intended to do Report will be submitted by the Director of National Intelligence NEW Specifically allows the Secretary of Defense to share information These provisions expire on September 30, 2015. The will for sharing information that are created by Title I (view this mark-up of the Homeland Security Act of 2002 to see changes made by this provision) including... "Engaging with international partners... to collaborate on cyber threat indicators, defensive measures, and information related to cybersecurity risks and incidents" "Sharing cyber threat indicators, defensive measures, and other information related to cybersecurity risks and incidents with Federal and non-Federal entities... 
and with State and major urban area fusion centers" Participating in national exercises run by DHS Evaluating cyber threats to public safety communication systems to the list of entities that will have representatives in the National Cybersecurity and Communications Integration Center Adds protection from information to list of the Center's Orders the Center to work with the to make sure the Center follows the policies and procedures created by the Attorney General and Secretary of Homeland Security. The Center will be in charge of for information sharing. The Center for the purpose of sharing "cyber threat indicators" Orders the Center to with the Center within 60 days of enactment : Reports that will Subtitle B: Federal Cybersecurity Enhancement Act of 2015 Requires the Secretary of Homeland Security and the Director of the Office of Management and Budget to to proactively detect, identify, and remove intruders in agency information systems. The plan will not apply to the Department of Defense, a "national security system" or an element of the intelligence community In implementing the plan, the Secretary of Homeland Security The operation of the technology needed to implement the plan The actions taken need to be It is for the private entity operating the system to use the information for anything other than protecting the system but the The Secretary of Homeland Security will issue binding operational directives for agencies to secure their networks within a year. Agencies will have to... Identify sensitive and mission critical data stored by the agency Assess the need to store that data and determine which individuals need access to it Encrypt the data Implement a single sign-on platform for people using the agency website that requires user authentication Require multi-factor authentication for remote access Agencies will not have to comply if they say it's "overly burdensome to implement" or that it's not necessary. 
These binding operational directives to the Defense Department, a "national security system", or the intelligence community. The directives and reports on them will expire in 7 years, December 2022. The Secretary of Homeland Security can order the head of other agencies to take "lawful actions" in response to security threats. Requires an assessment of all Federal positions that have cyber-related functions Orders a study on the security of mobile devices of the Federal Government Orders a State Department report on threats from foreign sources and cooperation strategies within 90 days. The Secretary of State must consult with government officials in countries where we don't have an extradition treaty to determine what actions they've taken to catch "cyber criminals" with arrest warrant issued by US judges or Interpol. Orders the National Cybersecurity and Communications Integration Center to create a process for information sharing with Statewide Interoperability Coordinators Requires a report that will so that "the Federal Government and health care industry stakeholders may in real time, share actionable cyber threat indicators and defensive measures" Additional Reading Article: by Steve Horn, DeSmogBlog, December 16, 2015. Article: by Tom Cahill, U.S. Uncut, December 19, 2015. Article: by Eric Lipton and Liz Moyer, New York Times, December 20, 2015. Article: by Mike Gault, Wired, December 20, 2015. Music Presented in This Episode Intro & Exit: by (found on by mevio) Cover Art Design by

Transcript

0:00.0

I am so damn tired of being lied to.

0:09.0

I don't think I can't deny it anymore.

0:15.0

You can stick to your story if you think it flies.

0:24.0

But I'm not gonna buy it anymore.

0:30.0

Hello and welcome to the 113th episode of Congressional Dish. I'm your

0:35.3

host Jennifer Briney and before I do anything congressional on this episode I

0:40.1

would like to wish all of you a Merry Christmas or Happy Hanukkah or Happy Kwanzaa or

0:44.8

happy Solstice or whatever religious holiday type thing you're into or if you're not into religion

0:51.6

just happy time off from work but I hope you guys are

0:54.7

enjoying your holidays and the reason I'm doing this right now is that this episode

0:58.4

is airing the weekend after Christmas 2015. Now right before these holidays that we are now celebrating, your Congress did

1:05.7

something incredibly irresponsible. Your Congress decided to fund the entire

1:10.3

government for 2016 in a 2,009-page bill that was available for only two and a half

1:16.1

days before the vote.

1:18.0

Now when Congress does something this irresponsible and funds the government in this way,

1:22.2

things always seem to get signed into law

1:24.4

that wouldn't get signed into law on their own, and this year was no exception.

1:28.1

One of the big scandals, if not the big scandal, in the omnibus this year was the text of cyber security bills

1:34.7

that was hidden over 1700 pages deep in this omnibus. At the time of the vote

1:39.7

there were congressmen that did not know this was in there.

1:43.2

This cyber security legislation does a little bit for cyber security.

1:48.4

But more importantly, it also is going to open the door for the government to collect massive amounts of data from private

...
