The U.S. Senate passed S. 754, the Cybersecurity Information Sharing Act (CISA), today by a vote of 74-21. The House has already passed two cybersecurity information sharing bills that are similar, but not identical, to CISA. H.R. 1560, the Protecting Cyber Networks Act, passed the House on April 22, 2015 and H.R. 1731, the National Cybersecurity Protection Advancement Act, passed the House on April 23, 2015. The White House has offered qualified support for S. 754, H.R. 1560 and H.R. 1731. The House and Senate will now establish a conference committee to resolve differences between the three bills. While the outcome of House, Senate, and White House negotiations is uncertain, Congress appears to be on the verge of enacting meaningful cybersecurity legislation in the next few months.
CISA creates a voluntary program designed to promote better government-to-industry and industry-to-industry sharing of cyber threat indicators. CISA provides certain legal protections to private entities that share cyber threat information as well as safeguards intended to protect civil liberties. Prior to sharing information with the government, the private sector must identify and remove any personal information not required to identify the threat and the federal government must perform an additional scrub. The Attorney General and Secretary of Homeland Security will draft and issue guidelines regarding the process for removal of personal information from cyber threat indicators. The Attorney General is also required to develop guidelines relating to privacy and civil liberties to govern the receipt, retention, use, and dissemination of cyber threat indicators obtained by the federal government under CISA.
The agencies involved in the CISA process include the Departments of Homeland Security (DHS), Justice, and Defense, and the Office of the Director of National Intelligence. Privacy groups have raised concerns regarding the role of defense and intelligence agencies in the CISA process and a provision was included that requires DHS to notify individuals if their personal information was not properly removed.
DHS will serve as the single information sharing portal under CISA. DHS must develop a process to accept cyber threat indicators and defensive measures in real time from any entity and share this information with appropriate federal entities in an automated manner in real-time. Currently, DHS operates the National Cybersecurity and Communications Integration Center (NCICC), a fusion center that shares information among public and private sector partners.
All three cyber information sharing bills—S. 754, H.R. 1560 and H.R. 1731—have similar components, however key differences will need to be worked out before a bill can be sent to President Obama's desk.