While the U.S. Congress has been faulted for failing to find common ground on many issues, one exception seems to be cybersecurity and data sharing. Three bills are in Congress that address the reporting and sharing of private sector cyber issues, shielding private entities from liability arising from cyber mitigation efforts, as well as coordinating efforts between government agencies. The U.S. Department of Justice has also issued its Best Practices for Victim Response and Reporting of Cyber Incidents, which is another example of the importance Congress and the Executive Branch are placing on cyber awareness and information sharing.
Senate bill 754, the Cybersecurity Information Sharing Act of 2015, permits private entities to detect, prevent, mitigate, and employ defensive measures against cyber threats. The bill essentially codifies the current U.S. DOJ antitrust exemption for the sharing of threat data and mitigation techniques amongst private entities. It requires the Director of National Intelligence, the Department of Homeland Security, the Department of Defense, and the Department of Justice to promulgate procedures to share classified and declassified cyber threat indicators with non-governmental entities. In addition, it reinforces the need to examine policies to ensure that civil liberties and privacy rights are not abridged. The bill also shields private entities from civil liability when they act in accordance with the bill. It has been passed by the Senate Intelligence Committee and is awaiting a vote on the Senate floor.
House bill 1560, the Protecting Cyber Networks Act, and House bill 1731, the National Cybersecurity Protection Advancement Act, passed the House overwhelmingly. These two bills are similar to the Senate bill in that they encourage the sharing of threat data while shielding the sharing entities from civil liability. The bills also require changes to federal agency coordination and enact the antitrust-like data sharing exemption as in the Senate bill. H.R. 1731 expands the role of the Department of Homeland Security's National Cybersecurity and Communications Integration and Intelligence Center (NCCIC) to include private and non-federal governmental entities.
These bills would not require the reporting of cyber threats to any federal agency. They are written to permit the voluntary sharing of threats and mitigation techniques in an attempt to strengthen U.S. cyber defense. The limitation of liability for information sharing, as well as the codification of the antitrust exemption, are important for the successful coordination of cyber threat mitigation. Congress and the Administration appear to be in agreement that the coordination and sharing of threat data is paramount to the mitigation of cyber threats.