The December 16, 2015, version of the Consolidated Appropriations Act of 2015, which is expected to pass soon, includes an ammended version of the Senate bill known as the Cybersecurity Information Sharing Act (CISA). Titled “Cybersecurity Act of 2015,” this legislation can be found in Division N of the Appropriations Act (pages 1728 – 1863).

The official summary of the Act is as follows:

The Cybersecurity Act of 2015 (Division N) creates a voluntary cybersecurity information sharing process that will encourage public and private sector entities to share cyber threat information, without legal barriers and the threat of unfounded litigation—while protecting private information. It also includes provisions to improve federal network and information system security, provide assessments on the federal cybersecurity workforce, and provide reporting and strategies on cybersecurity industry-­related and criminal-­related matters.

The Act and its predecessors have been hotly debated in the four years that versions of CISA and related legislation have been pending, creating some unusual alliances. For example, CISA’s main cosponsors in the Senate are Dianne Feinstein (D-CA) and Richard Burr (R-NC). Vocal opponents include Ron Wyden (D-OR), Rand Paul (R-KY), and Bernie Sanders (I-VT). The business community is largely split. Some trade groups have expressed support for CISA in prior forms, including the United States Chamber of Commerce, National Cable and Telecommunications Association, and the Financial Services Roundtable. Opponents include the Computer and Communications Industry Association and the Business Software Alliance, which initially expressed support but changed its position in response to criticism from consumer and privacy advocacy groups.

Proponents have long sought legislation that would create a more conducive environment for public-private information sharing on the tactics, techniques and procedures used by cybercriminals in the hopes of reducing the number and magnitude of damaging cyber attacks. While early versions of similar legislation, such as was proposed in 2012, would have included mandatory disclosure requirements for business in return for broad legal immunities, the current Act is voluntary and provides relatively more limited protections for cooperating businesses. Although somewhat narrower than in predecessor legislation, the protections from private lawsuits and antitrust violations are still very meaningful for business and, as proponents argue, are necessary to securing their voluntary cooperation.

A central issue of opponents is the perceived weakness in the Act with respect to protecting individual privacy.  In particular, privacy advocates point to the breadth of the information shared – “cyber threat indicators” – and perceived weaknesses in the bill with respect to the protection of personal information that may be included in this shared information.  Compounding these concerns in the minds of privacy advocates are new provisions in the Act that would allow businesses to share information directly with agencies other than the Department of Homeland Security and the fact that receiving agencies can use this information for purposes other than cybersecurity, for example, to investigate non-cyber related crime.    

For many companies, especially those outside of Silicon Valley, the passage of the Act in its present form is seen as a very constructive first step. While the potential privacy and liberty issues must be acknowledged, many of those in the trenches who are dealing with the very real threat facing their business on a daily basis are holding out hope that this Act will spur the development of a more effective system to get timely and actionable intelligence.   

In addition to the the Cybersecurity Act of 2015, which again is found in Division N, the remainder of the Consolidated Appropriations Act of 2015 contains numerous other provisions that bear upon the issue of cybersecurity. These include agency appropriations for addressing cyber security as well as various initiatives and requirements, including, conducting studies, defining standards, workforce training and scholarships.

A searchable copy of the full text of the Consolidated Appropriations Act of 2015 can be downloaded here.