The Congressional Research Service (CRS) recently released a report, titled “Cybersecurity: Legislation, Hearings, and Executive Branch Documents,” examining governmental policies since 2011 that address the issue of cybersecurity. Thus far in the 114th Congress (January 3, 2015 - January 3, 2017), more than 20 bills that deal directly with cybersecurity have been introduced. Of particular interest are H.R. 1560 and H.R. 1731, passed by the House in April 2015, and S. 754, passed by the Senate in October 2015.
H.R. 1560, the Protecting Cyber Networks Act (PCNA), and H.R. 1731, the National Cybersecurity Protection Advancement Act of 2015 (NCPAA), were combined as separate titles in H.R. 1560. The PCNA provides liability protection to companies that share cyber threat information with the government and other companies, so long as personal information is removed before such information is shared. Likewise, the NCPAA encourages information sharing with the Department of Homeland Security by protecting entities from civil liabilities. The Senate companion legislation to H.R. 1560 is S. 754, the Cybersecurity Information Sharing Act of 2015 (CISA). CISA also attempts to encourage communication between industry and federal agencies by offering legal immunity to companies that share data with the government.
While the PCNA, NCPAA and CISA all focus on information sharing among private entities and with the federal government, they have many significant differences, including how they define some terms, the roles they provide for federal agencies, the processes for protecting privacy and civil liberties, the uses permitted for shared information, and the reporting requirements.
These bills address the barriers that many believe hinder protection of information systems. For example, concerns have been raised about potential adverse impacts of information sharing, especially on privacy and civil liberties, and potential misuse of information. The bills address these concerns by limiting the use of shared information to cybersecurity and law enforcement purposes only and by limiting government use, especially for regulatory purposes. All three bills include provisions to shield information shared with the federal government from public disclosure and to protect privacy and civil liberties with respect to shared information that is not needed for cybersecurity purposes.
Presumably, any inconsistencies between CISA, PCNA and NCPAA could be reconciled during the process for resolving differences between the House and Senate bills. Therefore, these cybersecurity measures are on track to reach President Obama’s desk and be signed into law once a conference report is negotiated.
For information and background on CISA, PCNA and NCPAA, see CRS’s “Cybersecurity and Information Sharing: Comparison of H.R. 1560 (PCNA and NCPAA) and S. 754 (CISA).”