Senate consideration of cybersecurity information sharing legislation, the Cybersecurity Information Sharing Act (CISA), S. 754, has again been delayed this time until the Senate returns from August recess. The delay is attributable to the lengthy debate required on the highway bill rather than opposition to the bill from within the Senate.
The bill creates a voluntary program for private sector sharing of cyber threat information with other private entities and the government through a portal at the US Department of Homeland Security. The bill also establishes processes for government sharing of cyber threat information with the private sector. The bill authorizes private sector entities to take defensive measures to protect data or one’s own network or that of a customer. Finally, the bill provides liability protection for private sector entities sharing cyber threat information or taking defensive measures. The House passed similar legislation in April, which must be conferenced with the eventual Senate passed version in order to resolve differences.
The largest question surrounding the enactment of information sharing legislation is the scope of changes including to the liability protections and defensive measures language that will be necessary to satisfy the White House. Currently the White House is asking that the authorization to conduct defensive measures of an entity’s network and the associated liability protection be struck. This language is an essential component of the legislation and such a momentous change could be a deal killer for industry. We are monitoring the legislation during Senate consideration, the House-Senate conference, and the interplay with the White House. Stay tuned for an update once the Senate acts and an eventual comprehensive analysis if the legislation is signed into law.