Bipartisan legislation to ensure cybersecurity information sharing includes numerous privacy protections
Mar 12 2015
Washington—The Senate Intelligence Committee today advanced the Cybersecurity Information Sharing Act by a vote of 14 to 1. This legislation, co-sponsored by Intelligence Committee Chairman Richard Burr (R-N.C.) and Vice Chairman Dianne Feinstein (D-Calif.) provides additional incentives to increase sharing of cybersecurity threat information, including liability protection for appropriate sharing by the private sector, while protecting individual privacy and civil liberties interests
“The bill approved today by the Intelligence Committee on a strong bipartisan vote is a critical step to confront one of the most dire national and economic threats we face: cyber attacks,” said Feinstein. “In just the last year, hundreds of millions of Americans have had their data compromised, a number of major American companies have been attacked, intellectual property has been stolen, and there have even been attempts to hack our critical infrastructure. This bill would help defend against cyber attacks by allowing purely voluntary information sharing—limited to specific information about cyber threats—to better help the private sector and government understand and respond to these threats. The robust privacy requirements and liability protection make this a balanced bill, and I hope the Senate acts on it quickly.”
“This bipartisan legislation is critical to securing our nation against escalating cyber threats,” said Burr. “I’m pleased CISA will advance to the Senate floor where it will enjoy support from both sides of the aisle. The bill we passed today is overdue and will enable our agencies and institutions to share information about cyber threats while also providing strong privacy protection for our citizens. With risks are growing every day, we are finally better prepared to combat cyber attackers with this bill.”
The Cybersecurity Information Sharing Act of 2015:
- Directs increased sharing of classified and unclassified information about cyber threats with the private sector, including declassification of intelligence as appropriate.
- Authorizes private entities to monitor their networks or those of their consenting customers for cybersecurity purposes. Companies are authorized to share cyber threat indicators or defensive measures with each other or the government.
- Requires the establishment of a capability (sometimes referred to as a “portal”) at the Department of Homeland Security (DHS) as the primary government capability to quickly accept cyber threat indicators and defensive measures through electronic means.
- Provides liability protection for companies’ appropriate use of additional cybersecurity authorities. The monitoring of networks for cybersecurity threats is protected from liability, along with sharing information about cyber threats between companies consistent with the bill’s requirements.
- Requires reports on implementation and privacy impacts by agency heads, Inspectors General, and the Privacy Civil Liberties Oversight Board to ensure that cyber threat information is properly received, handled, and shared by the government.
Privacy protections include:
- Does not require any private sector entity to share cyber threat information. Sharing is strictly voluntary.
- Narrowly defines the term “cyber threat indicator” to limit the amount of information that may be shared under the Act.
- Limits the use of cyber threat indicators to specific purposes, including the prevention of cybersecurity threats and serious crimes.
- Requires the removal of personal information prior to the sharing of cyber threat indicators.