On On October 27, 2015, the Senate passed S. 754, the Cybersecurity Information Sharing Act of 2015 (“CISA”), which addresses how companies can share cyber threat information with the federal government. The legislation aims to protect Americans’ personal privacy by taking steps to stop future cyber-attacks before they happen. CISA creates incentives for companies to increase the sharing of cybersecurity threat information and offers liability protection for companies that choose to share their threat information. It is important to note that all sharing under the bill is completely voluntary.
CISA provides clear authority and liability protection for private sector entities to share information about cyber threat indicators with other companies and with the Federal government, on a voluntary basis. The bill also provides authority and liability protection for a private entity to monitor its networks for cybersecurity purposes and to take defensive measures to stop cyber-attacks. Under the bill, CISA’s authorities will sunset after ten years.
CISA was a bipartisan effort introduced by Senate Select Committee on Intelligence Chairman Richard Burr (R-NC) and Vice Chairman Dianne Feinstein (D-CA). The legislation passed out of committee in March 2015, however, the measure sat dormant for months due to opposition from privacy and civil rights advocates, who argued that the bill would enable more government surveillance of citizens. Despite being a contentious piece of legislation, the full Senate passed the bill by an overwhelming and bipartisan vote of 74 to 21.
Chairman Burr, in a press conference held after the Senate vote, stated that it was “incredible” that they were able to pass the bill with such overwhelming bipartisan support. He lauded the bill’s passage and said that CISA “gives the government and U.S. companies new voluntary collaborative tools so that they can work together against hackers that have been all too successful at stealing the personal information of millions of Americans for years.” Senator Feinstein called it a “very good bill that reflects consensus on a very complicated issue.”
The Senate-passed bill will have to be reconciled with two information sharing bills passed by the House last April - H.R. 1560, the Protecting Cyber Networks Act of 2015, and H.R. 1731, the National Cybersecurity Protection Advancement Act of 2015. If Congress is able to work out the differences between the bills in conference, a final version of the legislation will then proceed to President Obama’s desk to be signed into law. Importantly, the Obama Administration backs the measure.
The final, enrolled bill text can be found here.