To provide for the sharing of certain cyber threat intelligence and cyber threat information between the intelligence community and cybersecurity entities, and for other purposes.
"Other Purposes" is not defined or addressed in the bill. This is a HUGE hole.
‘(1) IN GENERAL-
‘(A) CYBERSECURITY PROVIDERS- Notwithstanding any other provision of law, a cybersecurity provider, with the express consent of a protected entity for which such cybersecurity provider is providing goods or services for cybersecurity purposes, may, for cybersecurity purposes--
‘(i) use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property of such protected entity; and
‘(ii) share such cyber threat information with any other entity designated by such protected entity, including, if specifically designated, the Federal Government.
‘(B) SELF-PROTECTED ENTITIES- Notwithstanding any other provision of law, a self-protected entity may, for cybersecurity purposes--
Same as (i) and (ii) above
If this is signed into law, it empowers any company to "use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property" of the company. "Notwithstanding any other provision of law" is the operative term in this and other subsections of the bill. Essentially, it allows entities to ignore individuals' right to privacy in everything from email and private online storage to search queries and remotely stored photos, ignoring any relevant privacy protection laws in effect. This means that companies providing cybersecurity services to other companies, or companies utilizing cybersecurity to protect their own systems, can use those cybersecurity systems to mine the data passing through or stored by their systems. This means internet providers and/or website operators and hosts monitoring your email, monitoring website or forum posts, even medical records, and so on, ad infinitum.
...
‘(3) EXEMPTION FROM LIABILITY- No civil or criminal cause of action shall lie or be maintained in Federal or State court against a protected entity, self-protected entity, cybersecurity provider, or an officer, employee, or agent of a protected entity, self-protected entity, or cybersecurity provider, acting in good faith--
‘(A) for using cybersecurity systems or sharing information in accordance with this section; or
‘(B) for not acting on information obtained or shared in accordance with this section.
This section is obvious in its intent: to protect those who would inspect and share our data from criminal or civil litigation. It allows the sharing of private information WITHOUT JUDICIAL OVERSIGHT OR WARRANT. It amounts to a violation of the 4th Amendment right to protection from unreasonable search or seizure.
‘(4) RELATIONSHIP TO OTHER LAWS REQUIRING THE DISCLOSURE OF INFORMATION- The submission of information under this subsection to the Federal Government shall not satisfy or affect any requirement under any other provision of law for a person or entity to provide information to the Federal Government.
This section further isolates information from protections under any other provision of law.
‘(c) Federal Government Use of Information-
‘(1) LIMITATION- The Federal Government may use cyber threat information shared with the Federal Government in accordance with subsection (b) for any lawful purpose only if--
‘(A) the use of such information is not for a regulatory purpose; and
‘(B) at least one significant purpose of the use of such information is--
‘(i) a cybersecurity purpose; or
‘(ii) the protection of the national security of the United States.
...
‘(g) Definitions- In this section:
‘(1) CERTIFIED ENTITY- The term ‘certified entity’ means a protected entity, self-protected entity, or cybersecurity provider that--
‘(A) possesses or is eligible to obtain a security clearance, as determined by the Director of National Intelligence; and
‘(B) is able to demonstrate to the Director of National Intelligence that such provider or such entity can appropriately protect classified cyber threat intelligence.
‘(2) CYBER THREAT INFORMATION- The term ‘cyber threat information’ means information directly pertaining to a vulnerability of, or threat to, a system or network of a government or private entity, including information pertaining to the protection of a system or network from--
‘(A) efforts to degrade, disrupt, or destroy such system or network; or
‘(B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information.
‘(3) CYBER THREAT INTELLIGENCE- The term ‘cyber threat intelligence’ means information in the possession of an element of the intelligence community directly pertaining to a vulnerability of, or threat to, a system or network of a government or private entity, including information pertaining to the protection of a system or network from--
(same as (A) and (B) above)
‘(4) CYBERSECURITY PROVIDER- The term ‘cybersecurity provider’ means a non-governmental entity that provides goods or services intended to be used for cybersecurity purposes.
‘(5) CYBERSECURITY PURPOSE- The term ‘cybersecurity purpose’ means the purpose of ensuring the integrity, confidentiality, or availability of, or safeguarding, a system or network, including protecting a system or network from--
(same as (A) and (B) above)
‘(6) CYBERSECURITY SYSTEM- The term ‘cybersecurity system’ means a system designed or employed to ensure the integrity, confidentiality, or availability of, or safeguard, a system or network, including protecting a system or network from--
(same as (A) and (B) above)
‘(7) PROTECTED ENTITY- The term ‘protected entity’ means an entity, other than an individual, that contracts with a cybersecurity provider for goods or services to be used for cybersecurity purposes.
‘(8) SELF-PROTECTED ENTITY- The term ‘self-protected entity’ means an entity, other than an individual, that provides goods or services for cybersecurity purposes to itself.’.