Protecting Cyber Networks Act

The Protecting Cyber Networks Act (H.R. 1560) is a bill introduced in the 114th Congress by Rep. Devin Nunes (R-CA), chairman of the House Permanent Select Committee on Intelligence. The legislation would allow companies and the government to share information concerning cyber threats. To overcome privacy concerns, the bill expressly forbids companies from sharing information with the National Security Agency (NSA) or Department of Defense (DOD).

Background
A number of major hacking events occurred in 2014 and 2015: Additionally, major U.S. businesses including Target and JPMorganChase have been victims of large-scale cyberattacks resulting in the theft of customer identity information.
 * In April 2014, Home Depot's computer systems were breached by hackers who stole the credit card accounts and email addresses of tens of millions of people.
 * In November 2014, hackers infiltrated Sony Pictures' systems and were able to get access to confidential employee and corporate information.
 * In January 2015, Anthem was hacked.
 * In April 2015, Premera Blue Cross had its system compromised. A threat existed that hackers might have accessed the medical and financial information of 11 million people.

The legislation was introduced as response to threats posed by these and other cyberattacks. On April 22, 2015, The Hill newspaper wrote, "Congress has contemplated some form of this law for nearly five years. But catastrophic data breaches within the last year have laid bare hundreds of millions of Americans' credit card data and Social Security numbers, raising public awareness and putting the onus on Capitol Hill to act."

Legislative history
On March 19, 2015, the House Permanent Select Committee on Intelligence held a hearing called "Growing Cyber Threat and its Impact on American Business." In his opening remarks as the committee's chairman, Nunes stated that U.S. companies and American consumers must feel confident that their confidential information stored on IT systems is secure. He said that in light of the major cyber attacks in 2014 and 2015, there is little assurance that personal and corporate information is safe. He said that because of those reasons, Congress needs to strengthen the security of the country's digital infrastructure by creating better methods for businesses and the government to share information on cyber threats.

Five days later, Nunes introduced H.R. 1560: Protecting Cyber Networks Act. On April 13, the House Permanent Select Committee on Intelligence passed an amended version of the bill. On April 22, the House passed the bill by a vote of 307-116. Before final passage of the bill, the House passed an amendment from Rep. Andre Carson (D-Ind.) that would require the inspector general to report on how agencies remove personal information with information they receive. The amendment was proposed in response to concerns from privacy advocates including many Democratic House members.

After passage in the House, the bill was sent to the Senate. As of June 28, 2016, the Senate had not taken action on the bill. However, a companion bill exists in the Senate: the Cybersecurity Information Sharing Act (CISA, S. 754). On October 27, 2015, the Senate approved S. 754 by a vote of 74-21.

Information sharing
The Protecting Cyber Networks Act (PCNA) would allow companies to share certain information with other companies and the government. They would be allowed to share only cybersecurity information; that is, information concerning the protection of their own systems.

PCNA would require the Director of National Intelligence to create regulations that would allow sharing the following types of information: The bill requires the President to submit to Congress policies and procedures on how the government should receive threat indicators when submitted by the private sector, as well as how to develop defensive measures within the federal government. It would require that agencies that receive threat information share it in real time with other relevant agencies.
 * classified cyber threat indicators with representatives of the private sector with appropriate security clearances;
 * classified cyber threat indicators that may be declassified and shared at an unclassified level; and
 * any information in the possession of the Federal Government about imminent or ongoing cyber threats that may allow private companies to prevent or mitigate those threats.

Defensive protection
The legislation gives private companies the authority to go on the counter-offensive against hackers, meaning a company that was hacked could perform more assertive defensive measures than are currently allowed under the law. However, companies would not be allowed to hack back into other systems or manipulate systems for which they do not have consent to control.

According to the official legislative summary of the bill, the bill "Permits private entities to monitor or operate defensive measures to prevent or mitigate cybersecurity threats or security vulnerabilities, or to identify the source of a threat, on: (1) their own information systems; and (2) with written authorization, the information systems of other private or government entities."

Privacy
PCNA includes safeguards that support privacy. For example, the bill includes requires that companies scrub "unrelated" data of personally identifying information they send the information to the government. Once government agencies receive the information, the agencies must examine the information to ensure that no personally identifiable information is included.

Liability
The bill offers protection from liability for companies who share cybersecurity information and do so lawfully under the bill's provisions.

Support
The White House supports the legislation.

The legislation also received public support from the following organizations:
 * Agricultural Retailers Association (ARA)
 * Airlines for America (A4A)
 * Alliance of Automobile Manufacturers
 * American Bankers Association (ABA)
 * American Cable Association (ACA)
 * American Council of Life Insurers (ACLI)
 * American Fuel & Petrochemical Manufacturers (AFPM) American Gaming Association
 * American Gas Association (AGA)
 * American Insurance Association (AIA) American Petroleum Institute (API)
 * American Public Power Association (APPA) American Water Works Association (AWWA) ASIS International
 * Association of American Railroads (AAR)
 * BITS–Financial Services Roundtable
 * College of Healthcare Information Management Executives (CHIME) CompTIA–The Computing Technology Industry Association CTIA–The Wireless Association
 * Edison Electric Institute (EEI)
 * Federation of American Hospitals (FAH)
 * Food Marketing Institute (FMI)
 * GridWise Alliance
 * HIMSS–Healthcare Information and Management Systems Society HITRUST–Health Information Trust Alliance
 * Large Public Power Council (LPPC)
 * National Association of Chemical Distributors (NACD)
 * National Association of Manufacturers (NAM)
 * National Association of Mutual Insurance Companies (NAMIC) National Association of Water Companies (NAWC)
 * National Business Coalition on e-Commerce & Privacy
 * National Cable & Telecommunications Association (NCTA)
 * National Rural Electric Cooperative Association (NRECA) NTCA–The Rural Broadband Association
 * Property Casualty Insurers Association of America (PCI)
 * The Real Estate Roundtable
 * Securities Industry and Financial Markets Association (SIFMA) Society of Chemical Manufacturers & Affiliates (SOCMA) Telecommunications Industry Association (TIA)
 * Transmission Access Policy Study Group (TAPS)
 * United States Telecom Association (USTelecom)
 * U.S. Chamber of Commerce
 * Utilities Telecom Council (UTC)

Opposition
Fifty-five civil liberties groups and security experts publicly opposed the legislation in a signed letter to Congress. "PCNA would significantly increase the National Security Agency's (NSA's) access to personal information, and authorize the federal government to use that information for a myriad of purposes unrelated to cybersecurity," the letter stated.

According to the House Permanent Select Committee on Intelligence, the PCNA expressly forbids companies from sharing information with the National Security Agency (NSA) or Department of Defense (DOD).

A group called Access along with the ACLU and several other groups launched a website called StopCyberspying.com. The site has a petition to the President to reconsider a veto of PCNA or the Senate version of the bill.

The civil liberties groups that oppose the bill are:
 * Access
 * Advocacy for Principled Action in Government American-Arab Anti-Discrimination Committee American Civil Liberties Union
 * American Library Association
 * Association of Research LibrariesBill of Rights Defense CommitteeBrennan Center for JusticeCenter for Democracy & TechnologyCenter for National Security Studies Constitutional AllianceThe Constitution ProjectCouncil on American-Islamic Relations
 * Cyber Privacy Project
 * Defending Dissent Foundation
 * Demand Progress
 * DownSizeDC.org
 * Electronic Frontier Foundation
 * Fight for the Future
 * Freedom of the Press Foundation
 * FreedomWorks
 * Free Press Action Fund
 * Government Accountability Project Hackers/Founders
 * Human Rights Watch
 * Liberty Coalition
 * Media Alliance
 * National Association of Criminal Defense Lawyers New America's Open Technology Institute OpenTheGovernment.org
 * PEN American Center
 * Restore the Fourth
 * R Street
 * Student Net Alliance
 * Venture Politics
 * X-Lab