On October 27, 2015, the U.S. Senate passed the Cybersecurity Information Sharing Act, S. 754, 114th Cong. (2015), by a 74-21 vote.1 The bill, sponsored by Senate Select Committee on Intelligence Chairman Richard Burr (R-NC) and Vice Chairman Dianne Feinstein (D-CA), would codify certain mechanisms for voluntary cybersecurity information sharing among private entities and the federal government. The bill also would provide liability protections to entities that monitor information systems or share or receive cyber-threat indicators or defense measures, provided that it is done consistently with procedures and exceptions set forth by the Department of Homeland Security.
CISA would require the Director of National Intelligence, the Department of Homeland Security, the Department of Defense, and the Department of Justice to establish procedures to encourage the following: (1) timely sharing of classified and declassified cyber threat indicators in possession of the federal government with private entities, non-federal government agencies, or state, tribal, or local governments; (2) the sharing of unclassified indicators with the public; and (3) the sharing of cybersecurity threats with entities to prevent or mitigate adverse effects.
Members of Congress are now considering whether, and how, to reconcile S. 754 with a House cybersecurity bill, H.R. 1560. The House bill, in turn, combines two cybersecurity measures passed in April entitled the "Protecting Cyber Networks Act"2 and the "National Cybersecurity Protection Advancement Act of 2015."3 Unlike the House bill, S. 754 would not provide immunity against "good faith" inaction on sharing of cyber threat indicators and defensive measures and applies only to the sharing and receipt of authorized cyber threat information.4
On privacy, S. 754 would require private entities to remove any personal information unrelated to a threat prior to sharing, whereas the House bill would require private entities to take "reasonable efforts" to remove personally identifiable information that is "reasonably believed" to be unrelated to a cyber-threat.5 S. 754 would limit government use of information for law enforcement purposes involving imminent threats and does not address direct sharing with the National Security Agency ("NSA"). The House bill would not provide for sharing with the NSA and other surveillance authorities.
Details regarding House-Senate conference negotiations to finalize S. 754 have not been announced, but it is expected that a conference committee consisting of Members of both parties, chambers, and all relevant committees will be appointed.