Protecting Cyber Networks Act

Updated on Nov 22, 2023

Edit

Comment

Acronym PCNA Sponsored by Devin Nunes		Introduced on March 24, 2015 Number of co-sponsors 8

Full title To improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, to amend the Homeland Security Act of 2002 to enhance multi-directional sharing of information related to cybersecurity risks and strengthen privacy and civil liberties protections, and for other purposes. Introduced in 114th United States Congress

The Protecting Cyber Networks Act (H.R. 1560) is a bill introduced in the 114th Congress by Rep. Devin Nunes (R-CA), chairman of the House Permanent Select Committee on Intelligence. The legislation would allow companies and the government to share information concerning cyber threats. To overcome privacy concerns, the bill expressly forbids companies from sharing information with the National Security Agency (NSA) or Department of Defense (DOD).

Background

A number of major hacking events occurred in 2014 and 2015:

In April 2014, Home Depot’s computer systems were breached by hackers who stole the credit card accounts and email addresses of tens of millions of people.

In November 2014, hackers infiltrated Sony Pictures’ systems and were able to get access to confidential employee and corporate information.

In January 2015, Anthem was hacked.

In April 2015, Premera Blue Cross had its system compromised. A threat existed that hackers might have accessed the medical and financial information of 11 million people.

Additionally, major U.S. businesses including Target and JPMorganChase have been victims of large-scale cyberattacks resulting in the theft of customer identity information.

The legislation was introduced as response to threats posed by these and other cyberattacks. On April 22, 2015, The Hill newspaper wrote, “Congress has contemplated some form of this law for nearly five years. But catastrophic data breaches within the last year have laid bare hundreds of millions of Americans’ credit card data and Social Security numbers, raising public awareness and putting the onus on Capitol Hill to act.”

Legislative history

On March 19, 2015, the House Permanent Select Committee on Intelligence held a hearing called “Growing Cyber Threat and its Impact on American Business.” In his opening remarks as the committee’s chairman, Nunes stated that U.S. companies and American consumers must feel confident that their confidential information stored on IT systems is secure. He said that in light of the major cyber attacks in 2014 and 2015, there is little assurance that personal and corporate information is safe. He said that because of those reasons, Congress needs to strengthen the security of the country’s digital infrastructure by creating better methods for businesses and the government to share information on cyber threats.

Five days later, Nunes introduced H.R. 1560: Protecting Cyber Networks Act. On April 13, the House Permanent Select Committee on Intelligence passed an amended version of the bill. On April 22, the House passed the bill by a vote of 307-116. Before final passage of the bill, the House passed an amendment from Rep. Andre Carson (D-Ind.) that would require the inspector general to report on how agencies remove personal information with information they receive. The amendment was proposed in response to concerns from privacy advocates including many Democratic House members.

After passage in the House, the bill was sent to the Senate. As of June 28, 2016, the Senate had not taken action on the bill. However, a companion bill exists in the Senate: the Cybersecurity Information Sharing Act (CISA, S. 754). On October 27, 2015, the Senate approved S. 754 by a vote of 74-21.

The Protecting Cyber Networks Act (PCNA) would allow companies to share certain information with other companies and the government. They would be allowed to share only cybersecurity information; that is, information concerning the protection of their own systems.

PCNA would require the Director of National Intelligence to create regulations that would allow sharing the following types of information:

classified cyber threat indicators with representatives of the private sector with appropriate security clearances;

classified cyber threat indicators that may be declassified and shared at an unclassified level; and

any information in the possession of the Federal Government about imminent or ongoing cyber threats that may allow private companies to prevent or mitigate those threats.

The bill requires the President to submit to Congress policies and procedures on how the government should receive threat indicators when submitted by the private sector, as well as how to develop defensive measures within the federal government. It would require that agencies that receive threat information share it in real time with other relevant agencies.

Defensive protection

The legislation gives private companies the authority to go on the counter-offensive against hackers, meaning a company that was hacked could perform more assertive defensive measures than are currently allowed under the law. However, companies would not be allowed to hack back into other systems or manipulate systems for which they do not have consent to control.

According to the official legislative summary of the bill, the bill “Permits private entities to monitor or operate defensive measures to prevent or mitigate cybersecurity threats or security vulnerabilities, or to identify the source of a threat, on: (1) their own information systems; and (2) with written authorization, the information systems of other private or government entities.”

Privacy

PCNA includes safeguards that support privacy. For example, the bill includes requires that companies scrub “unrelated” data of personally identifying information they send the information to the government. Once government agencies receive the information, the agencies must examine the information to ensure that no personally identifiable information is included.

Liability

The bill offers protection from liability for companies who share cybersecurity information and do so lawfully under the bill’s provisions.

Support

The White House supports the legislation.

The legislation also received public support from the following organizations:

Agricultural Retailers Association (ARA)

Airlines for America (A4A)

Alliance of Automobile Manufacturers

American Bankers Association (ABA)

American Cable Association (ACA)

American Council of Life Insurers (ACLI)

American Fuel & Petrochemical Manufacturers (AFPM) American Gaming Association

American Gas Association (AGA)

American Insurance Association (AIA) American Petroleum Institute (API)

American Public Power Association (APPA) American Water Works Association (AWWA) ASIS International

Association of American Railroads (AAR)

BITS–Financial Services Roundtable

College of Healthcare Information Management Executives (CHIME) CompTIA–The Computing Technology Industry Association CTIA–The Wireless Association

Edison Electric Institute (EEI)

Federation of American Hospitals (FAH)

Food Marketing Institute (FMI)

GridWise Alliance

HIMSS–Healthcare Information and Management Systems Society HITRUST–Health Information Trust Alliance

Large Public Power Council (LPPC)

National Association of Chemical Distributors (NACD)

National Association of Manufacturers (NAM)

National Association of Mutual Insurance Companies (NAMIC) National Association of Water Companies (NAWC)

National Business Coalition on e-Commerce & Privacy

National Cable & Telecommunications Association (NCTA)

National Rural Electric Cooperative Association (NRECA) NTCA–The Rural Broadband Association

Property Casualty Insurers Association of America (PCI)

The Real Estate Roundtable

Securities Industry and Financial Markets Association (SIFMA) Society of Chemical Manufacturers & Affiliates (SOCMA) Telecommunications Industry Association (TIA)

Transmission Access Policy Study Group (TAPS)

United States Telecom Association (USTelecom)

U.S. Chamber of Commerce

Utilities Telecom Council (UTC)

Opposition

Fifty-five civil liberties groups and security experts publicly opposed the legislation in a signed letter to Congress. “PCNA would significantly increase the National Security Agency’s (NSA’s) access to personal information, and authorize the federal government to use that information for a myriad of purposes unrelated to cybersecurity,” the letter stated.

According to the House Permanent Select Committee on Intelligence, the PCNA expressly forbids companies from sharing information with the National Security Agency (NSA) or Department of Defense (DOD).

A group called Access along with the ACLU and several other groups launched a website called StopCyberspying.com. The site has a petition to the President to reconsider a veto of PCNA or the Senate version of the bill.

The civil liberties groups that oppose the bill are:

Access

Advocacy for Principled Action in Government American-Arab Anti-Discrimination Committee American Civil Liberties Union

American Library Association

Association of Research LibrariesBill of Rights Defense CommitteeBrennan Center for JusticeCenter for Democracy & TechnologyCenter for National Security Studies Constitutional AllianceThe Constitution ProjectCouncil on American-Islamic Relations

Cyber Privacy Project

Defending Dissent Foundation

Demand Progress

DownSizeDC.org

Electronic Frontier Foundation

Fight for the Future

Freedom of the Press Foundation

FreedomWorks

Free Press Action Fund

Government Accountability Project Hackers/Founders

Human Rights Watch

Liberty Coalition

Media Alliance

National Association of Criminal Defense Lawyers New America’s Open Technology Institute OpenTheGovernment.org

PEN American Center

Restore the Fourth

R Street

Student Net Alliance

Venture Politics

X-Lab

References

Protecting Cyber Networks Act Wikipedia

(Text) CC BY-SA

Contents