In the past few weeks, Congress has made notable progress towards passage of legislation to address the sharing of cybersecurity threat information. On March 18, the Senate Select Committee on Intelligence approved the Cybersecurity Information Sharing Act (S. 754). The bill creates incentives to increase the sharing of cybersecurity threat information, without compelling the sharing of data, and offers liability protection to companies that share their threat information. The legislation was introduced by Chairman Richard Burr (R-NC) and received approval from all but one of the Committee's fifteen members.
Under the bill, the sharing of threat information would be voluntary, but companies would be held to certain requirements in order to protect the personally identifiable information of their customers. The liability protection contained within the bill would not apply to activities that fail to meet these privacy requirements. To centralize the flow of information, a “portal” would be created within the Department of Homeland Security to receive the cyber threat information. The bill requires the attorney general to develop guidelines for how the government protects and shares the data it receives
Chairman Burr stated that he was “proud of the Committee’s work and the quality of this bill.” Ranking Member Dianne Feinstein (D-CA) stressed that the bill improves upon the version introduced in the last Congress by addressing many of the privacy concerns that had previously been raised. She called the privacy provisions in the current version “substantial.”
On the House side, the Select Committee on Intelligence passed its cyber threat information sharing bill unanimously on March 26. Like the Senate bill, the Protecting Cyber Networks Act (H.R. 1560) prohibits the government from forcing private sector entities to provide cyber threat information and requires companies to remove personally identifiable information before sharing data.
In addition to cyber threat information sharing legislation, bipartisan efforts to address data breaches and student data privacy are also underway. The House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade passed the Data Security and Breach Notification Act on March 26, and legislators in the House and Senate are expected to introduce legislation to limit the way technology companies can use data collected from students.
Senate Majority Leader Mitch McConnell (R-KY) stated recently that Republicans see cybersecurity as one of the few areas of possible agreement with the Administration, a statement that is supported by the continued progress on measures to address the issue.