28 October 2015
A broad consensus has emerged in the last few years regarding the need to enhance sharing of cybersecurity threat information within the private sector and between the private sector and the government, subject to appropriate privacy safeguards. On Tuesday, October 27, the US Senate passed significant legislation on that topic—the Cybersecurity Information Sharing Act (CISA, S.754)—by a vote of 74-21.
CISA seeks to encourage private-sector companies to voluntarily share information about cybersecurity threats with other private entities and with the federal government, and to take defensive measures against such threats. Tuesday’s vote represents the first time that the Senate—after three-and-a-half years of trying—has passed cybersecurity information sharing legislation. Key stakeholders in the House and Senate now expect the bill to go to conference with similar House legislation, and the prospects of passage of information sharing legislation into law this Congress appear to be strong. Companies engaged in, or contemplating, cybersecurity information sharing should continue to monitor this important legislation as it moves toward enactment into law.
CISA authorizes private entities to monitor their information systems “for cybersecurity purposes,” to take defensive measures on such systems for such purposes and to share information about cybersecurity threats and defensive measures with the federal government. It provides several incentives to private entities in order to encourage them to take these steps. Most notably, the bill would provide private entities certain liability protections for actions taken in monitoring their systems for cybersecurity threats or in sharing cyber threat information. It also would protect private entities from antitrust liability for sharing information about cybersecurity threats with other private entities.
The legislation directs the Director of National Intelligence (DNI), the Department of Homeland Security (DHS), the Department of Defense (DOD) and the Department of Justice (DOJ) to lead the development of procedures to facilitate and promote the federal government’s sharing of information about cybersecurity threats. It requires DHS to build a capability for accepting information about cybersecurity threats from private entities in the first instance and sharing that information with other federal agencies in a timely manner. (In a key concession to address privacy concerns, a private-sector entity must share information with DHS if it wishes to receive the liability protections CISA provides.) The bill would also protect cyber threat indicators and defensive measures provided to the government from disclosure under FOIA.
The Senate debate largely focused on the bill’s protections for personal privacy. For example, the bill would require private entities to take certain steps to remove individuals’ personal information from information that they share with the government and within the private sector. In addition, the bill would direct DOJ to promulgate privacy guidelines that would apply to information sharing with the government, including by requiring the destruction of individuals’ personal information that is unrelated to cybersecurity threats. The bill also would require the Privacy and Civil Liberties Oversight Board to provide biennial reports describing the effect of the Act on privacy and civil liberties, and the sufficiency of the privacy guidelines established by DOJ.
CISA also includes a range of provisions that are unrelated to cybersecurity information sharing. These include titles intended to enhance federal cybersecurity, especially in the wake of the Office of Personnel Management’s data breach, and to assess the federal cybersecurity workforce. In addition, among other provisions, CISA would require the creation of a new voluntary cybersecurity framework for healthcare cybersecurity, require a study on the cybersecurity of mobile devices used by the federal government and require the development of mitigation strategies for “critical infrastructure at greatest risk” from a cyber incident.
The House and Senate are expected to go to conference to reconcile CISA with two similar bills passed by the House earlier this year: the Protecting Cyber Networks Act (H.R. 1560) and the National Cybersecurity Protection Advancement Act (H.R. 1731). Key issues in the conference negotiations likely will include which agency will operate the portal for information sharing by private entities, and the steps private entities must take to remove individuals’ personal data from the information they share with other entities and the government.
President Obama has taken executive action to expand cybersecurity information sharing and has pressed for information sharing legislation. For example, in the recent Statement of Administration Policy regarding CISA, the administration reiterated that “[a]n important building block for improving the Nation’s cybersecurity is ensuring that private entities can collaborate to share timely cyber threat information with each other and the Federal Government.” There consequently appear to be strong odds both that the administration will remain engaged on this issue and that President Obama will sign any legislation that emerges from the conference and passes both houses of Congress.