On December 18, 2015, President Barack Obama signed the much reported omnibus spending bill, which keeps the government running for another year. The controversial Cybersecurity Information Sharing Act of 2015 (“CISA”) was included as a rider to the omnibus spending bill.
CISA seeks to create a voluntary cyber threat information sharing process between industry and the federal government. CISA requires that the Department of Homeland Security (“DHS”) develop a process for the federal government to accept cyber threat information from any entity and ensure that appropriate federal entities (i.e., the FBI or the NSA) thereafter receive that information. Participation in the soon-to-be created sharing program is voluntary. But, participation comes with certain perks, namely liability protections from consumer lawsuits and certain antitrust violations.
Opinions on the necessity and desirability of CISA are varied and sharply divided. Privacy advocates have decried CISA as a surveillance bill – a second Patriot Act – that diminishes important privacy rights. For example, Senator Ron Wyden (D-Oregon) tweeted that “CISA harms security & liberty.” By contrast, supporters counter that the CISA protects private information, requiring, among other things, that both companies and federal entities remove personal information, or information that identifies a specific person not directly related to a cybersecurity threat, before sharing. After the Senate passed CISA in October 2015, U.S. Chamber of Commerce President and CEO Thomas J. Donohue stated:
CISA is badly needed and long-overdue cybersecurity legislation that would enable government and businesses to work together to better prevent, detect, and mitigate threats. While there is no silver-bullet solution to stopping cyberattacks, this legislation is a positive step toward enhancing our nation’s cybersecurity, and addresses this economic and national security priority in a constructive and meaningful way.
In like vein, the Securities Industry and Financial Markets Association previously touted “[e]hanced information sharing” as an essential way to mitigate cyber threats, which it labelled as one of “the most serious threats facing the financial services industry and our nation’s economic prosperity.”
No one disputes that cyber security is a top priority for business and government alike. But, what to do to curb cyber threats and data breaches is a matter of considerable debate. Time will tell whether CISA will help mitigate threats – both to industry and national security – or whether it is just more unwanted surveillance.