The Senate has passed the Cybersecurity Information Sharing Act (S.754, CISA), sponsored by Sens. Richard Burr (R-NC) and Dianne Feinstein (D-CA), the chair and vice-chair of the Senate Intelligence Committee, by a margin of 74 to 21. The final vote came after a series of votes on high-profile amendments concerning personal privacy, civil liberties and other issues. The bill still faces a challenging path through a conference committee (or, alternately, a series of additional votes in the House and Senate) in order to conform its provisions to those of two previously passed House bills.

Background

CISA is intended to foster voluntary cybersecurity information-sharing on a real-time or near-real-time basis, both among companies and between companies and the government. Such legislation has been called for by the president and some relevant leaders of both parties in recent years as the frequency and severity of cybersecurity incidents and attacks have increased. To accomplish that, the bill seeks to give liability protection and certain confidentiality protections to businesses for sharing cybersecurity threat information, generally stripped of sensitive privacy information. The idea behind the bill is that businesses own much of the infrastructure and data being attacked; the government also has relevant information and insights; and voluntary sharing, incentivized through liability protection, can help identify and defend against threats and limit the period of time and number of instances for which a particular attack can be repeated and work effectively.

Conference Committee Ahead

With passage in the Senate, CISA now moves to the final legislative phase: it will be conferenced with two previously passed House cybersecurity bills. On April 22, 2015, the House passed H.R. 1560, the Protecting Cyber Networks Act, sponsored by House Intelligence Committee Chairman Devin Nunes (R-CA), with Ranking Member Adam Schiff (D-CA) as lead co-sponsor. The bill passed by a wide margin of 307-116 and was followed a day later by passage of H.R. 1731, the National Cybersecurity Protection Advancement Act of 2015, by a vote of 355-63. That bill is sponsored by Homeland Security Committee Chairman Michael McCaul (R-TX).

Chairman Nunes’ bill amends the National Security Act of 1947 to require the Director of National Intelligence (DNI) to develop and promulgate procedures to facilitate the sharing of classified and declassified cyber threat indicators in possession of the federal government with private entities. It also authorizes private entities to conduct information system monitoring activities and operate defensive measures for cybersecurity purposes, and to share or receive any cyber threat indicators with/from other private entities or an “appropriate federal entity” (defined as Commerce, DOE, DHS, DOJ, DNI or Treasury). H.R. 1731 amends the Homeland Security Act of 2002 to provide liability protections for private companies sharing cyber threat information within the private sector and with the Department of Homeland Security’s (DHS) National Cybersecurity and Communications Integration Center. As with H.R. 1560, personally identifiable information would be required to be scrubbed before a threat indicator is shared.

One major difference between the House and Senate bills that must be resolved is the question of whether to funnel all shared data through a single agency (DHS) or permit sharing with multiple agencies. The White House threw its support behind CISA last week, issuing a Statement of Administration Policy in favor of the bill, so long as it included the changes made by Sens. Burr and Feinstein during committee markup and in the manager’s amendment. In the statement, the White House noted that it would prefer all private-sector data to be shared through DHS before being shared with other federal agencies, and it expressed concern over several limited exceptions, despite being generally supportive of the bill. The White House stated that DHS was best suited to preserve privacy and civil liberties protections before sharing threat information with other agencies.

A conference committee schedule and conferees have yet to be agreed upon, and it is unclear at this time what path and timing may ultimately lead to the president’s desk and passage into law. Despite the challenges facing the conferees, all three bills passed with strong support from both sides of the aisle, as well as from the White House; thus, partisan issues are not likely to derail negotiations at this stage.