After seeking to pass broad private sector cybersecurity legislation for a number of years, Congress finally passed the Cybersecurity Act of 2015 (Cybersecurity Act) as Division N of the Consolidated Appropriations Act, 2016 (Omnibus). The Cybersecurity Act is the result of a conference between the Senate Intelligence Committee and the House Intelligence and Homeland Security Committees, each of which passed cybersecurity information sharing bills this year:
- Senate Intelligence: S. 754, Cybersecurity Information Sharing Act of 2015
- House Intelligence: H.R. 1560, Protecting Cyber Networks Act
- House Homeland Security: H.R. 1731, National Cybersecurity Protection Advancement Act of 2015
The Cybersecurity Act addresses the three main prongs of the prior bills: (1) explicit authorization to share cyber threat information among private sector entities and between the private sector and government; (2) a safe harbor from liability for sharing in good faith; and (3) authorization of defensive measures.
The Cybersecurity Act permits information sharing of “cyber threat indicators.” These are defined to include:
- information that is necessary to describe or identify malicious reconnaissance;
- methods of defeating a security control or exploiting a security vulnerability;
- security vulnerabilities;
- methods of causing legitimate users to unwittingly enable the defeat of such controls or exploit of a security vulnerability;
- malicious cyber command and control;
- actual or potential harms; and
- any other attribute of a cybersecurity threat not otherwise prohibited.
Private sector entities that monitor information, use defensive measures or share information must apply a security control to protect the shared indicator or defensive measure against unauthorized access or acquisition.
The final bill requires that private sector entities strip out personally identifiable information (PII) not directly related to the cyber threat indicator. The standard for this requirement is what is “known at the time” to the entity, rather than the “reasonable” standard proposed by the House Homeland Security Committee, which some judged as leaving companies exposed to litigation.
The legislation establishes a Department of Homeland Security (DHS) portal as the primary access point to receive private sector data, which may be shared with other government entities and the private sector. The language provides for a process by which the president can establish an additional portal, upon certification to Congress that an additional portal is necessary and would follow the same privacy rules. The legislation charges the Attorney General and the Secretary of the Department of Homeland Security with establishing a process of safeguarding privacy.
GOVERNMENT USE OF DATA
The Cybersecurity Act permits the government to use the cyber information it receives to address cybersecurity threats, security vulnerabilities or a cybersecurity purpose, as well as for the following defined list of specific purposes: responding to, preventing or mitigating a “specific” threat of death or serious bodily or economic harm; responding to, investigating, prosecuting or otherwise preventing or mitigating a serious threat to a minor; or preventing, investigating, disrupting or prosecuting fraud and identity theft, espionage, censorship and violation of trade secrets.
PROTECTION FOR SHARING
The Cybersecurity Act provides liability protection for monitoring of information or information systems, or sharing of cyber threat indicators or defensive measures. While the House Homeland Security Committee's version had extended liability protection for not acting on cyber threat data in order to insulate companies from liability when they are unable to act, the Cybersecurity Act simply clarifies that the bill does not create any new duty for companies to share cyber threat indicators or defensive measures, or warn or act based on receipt of such.
Additionally, the legislation provides an antitrust exemption to private sector entities sharing cyber threat indicators or defensive measures, or assistance pertaining to the prevention, investigation or mitigation of a cybersecurity threat.
Companies preserve their privilege, intellectual property and proprietary rights in the information shared. Federal or state authorities may not use the shared information to regulate or bring an enforcement action against a private sector entity for its lawful activities under other laws. The exception to this protection is that such information can be used to formulate cybersecurity rules or guide their implementation.
The Cybersecurity Act also exempts the data shared from disclosure under the Freedom of Information Act (FOIA) or comparable state or local freedom of information laws.
The Cybersecurity Act authorizes companies to operate defensive measures on their own information systems, on the system of another private entity upon written consent, or on a federal entity's information system upon written consent. There is an explicit prohibition on counter-measures or defensive measures that destroy, render unusable, provide unauthorized access to or substantially harm an information system or data on an information system not belonging to the acting entity, unless done pursuant to consent by an entity authorized to grant approval. The prohibition demonstrates that there continues to be a great reluctance to deputize the private sector in protecting itself to such an extent that it can become “offensive.”
The Cybersecurity Act authorities expire at the end of FY2025, on Sept. 30, 2025.
The Cybersecurity Act, along with measures instituted by the Department of Homeland Security, the Commerce Department's National Institute of Standards and Technology Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity (NIST Cybersecurity Framework), the Department of Defense (DOD), and others pursuant to the President's Executive Orders (EOs) and Directives (PPDs), is a positive step for addressing cybersecurity. The private sector gains clear authorities for sharing valuable information and protection from liability. The next step to watch is the implementation of a practical, user-friendly portal to support timely cyber threat sharing.