The US Senate has passed the Cybersecurity Information Sharing Act of 2015 (CISA), S. 754, by a vote of 74-21, despite opposition from privacy and civil liberties groups and a handful of tech companies.
CISA gives the private sector new liability protection for monitoring its own networks or those of a customer, sharing or receiving cyber threat indicators and defensive measures, and operating defensive measures for cybersecurity purposes. Next, the bill heads to conference with the House-passed bill (H.R. 1560), which combined the House Intelligence Committee and Homeland Security Committee bills into a single measure.
Prior to passage, the Senate adopted a Substitute Amendment offered by the bill’s managers, Senate Intelligence Committee Chairman Richard Burr (R-NC) and Ranking Member Dianne Feinstein (D-CA), that included additional concessions to privacy and civil liberties advocates beyond those added during Intelligence Committee consideration of the bill. The Substitute Amendment limits the protection for sharing cyberthreat information provided under the bill to sharing done for “cybersecurity purposes.” It also clarifies that the authorization to employ defensive measures does not allow an entity to gain unauthorized access to a computer network, thereby foreclosing protection for “hack back” responses. Despite these and other concessions, discussed in greater detail below, privacy and civil liberties groups remain opposed to the bill, due to concerns over government surveillance.
In an effort to gain strong bipartisan support for the bill, the managers incorporated second-degree amendments into the Substitute Amendment to 1) require an additional scrub of personal information by DHS prior to sharing the information with other federal agencies; 2) impose a 10-year sunset on the Act (the House previously adopted a 6-year sunset); 3) require notifying individuals whose personal information is shared in violation of the Act; 4) require the Secretary of Health and Human Services to submit a report to Congress on the preparedness of the health care industry to respond to cybersecurity threats; and 5) require the Department of Homeland Security Secretary to identify critical infrastructure entities at the greatest risk of a catastrophic cybersecurity incident, to conduct an assessment and develop a strategy to mitigate those risks and to require DHS to report to Congress on “the extent to which each covered entity reports significant intrusions of information systems” to DHS or the appropriate agency. This last second-degree amendment to the Managers’ Amendment was opposed by industry; it gives DHS “name and shame” authority with regard to critical infrastructure entities deemed to be at risk and imposes what amounts to a cybersecurity breach reporting requirement.
The Senate rejected an amendment offered by Senator Tom Cotton (R-AK) that would have added the FBI and the Secret Service to the list of entities receiving information-sharing data beyond DHS, which is to serve as the primary portal or interface with the private sector. The bill’s managers were concerned that the amendment would prompt even more strident objections to the bill from privacy groups and make final passage impossible. This issue will need to be resolved during the House-Senate conference, in that the House bill, H.R. 1560, contains provisions permitting sharing with appropriate non-DOD agencies.
The Senate also rejected several amendments that were seen as deal killers for industry, including amendments offered by Senator Rand Paul (R-KY), which would have limited liability protection for an entity that shares information in violation of its terms of service, even inadvertently; Senator Al Franken (D-MN), which would have significantly narrowed the definition of cyber threat information that may be shared under the bill and is subject to the liability protections; Senator Dean Heller (R-NV), which would have created uncertainty surrounding the requirement to remove personal information prior to sharing with the DHS information sharing portal; and Senator Patrick Leahy (D-VT), which would have removed the FOIA exemption for information shared through the portal.
The timing and the details on the House-Senate conference remain murky. The House and Senate bills are different in many respects that will require resolution. First, House and Senate leaders will need to determine which members will serve as conferees and which bill will serve as the base bill to negotiate from. CISA has many provisions similar to Title I of H.R. 1560, the House Intelligence Committee bill, but Title II of the bill, which came from the House Homeland Security Committee, contains many different terms and requirements. There are also differences in liability protections between the House bill and CISA. Further, the large number of changes made to CISA during the amendment process, which for the most part are not addressed in the House bill, will need to be considered during the conference.
Once the conferees have agreed on the final text of the bill, the House and Senate are required to re-pass the conferenced bill, which is unlikely to happen until early 2016. The White House has expressed support for information sharing legislation and it is expected that President Barack Obama will sign the bill into law. However, we anticipate that the Administration will continue to emphasize the importance of strong privacy protections as the conferees work through the final language.