Senate committee passes cybersecurity bill
The Cybersecurity Information Sharing Act (CISA) of 2015 passed the Senate Select Committee on Intelligence (SSCI) on a vote of 14 to 1. This original legislation, which is co-sponsored by SSCI Chairman Richard Burr (R-NC) and Vice Chairman Dianne Feinstein (D-CA), creates additional incentives to increase sharing of cybersecurity threat information while protecting individual privacy and civil liberties interests and offering liability protection to the private sector.
“This bipartisan legislation is critical to securing our nation against escalating cyber threats,” said Burr. “I’m pleased CISA will advance to the Senate floor where it will enjoy support from both sides of the aisle. The bill we passed today is overdue and will enable our agencies and institutions to share information about cyber threats while also providing strong privacy protection for our citizens. With risks growing every day, we are finally better prepared to combat cyber attackers with this bill.”
“In just the last year, hundreds of millions of Americans have had their data compromised, a number of major American companies have been attacked, intellectual property has been stolen, and there have even been attempts to hack our critical infrastructure,” said Feinstein. “This bill would help defend against cyberattacks by allowing purely voluntary information sharing—limited to specific information about cyber threats—to better help the private sector and government understand and respond to these threats. The robust privacy requirements and liability protection make this a balanced bill, and I hope the Senate acts on it quickly.”
The Cybersecurity Information Sharing Act of 2015 offers the following:
- Directs increased sharing of classified and unclassified information about cyber threats with the private sector, including declassification of intelligence as appropriate.
- Authorizes private entities to monitor their networks or those of their consenting customers for cybersecurity purposes. Companies are authorized to share cyber threat indicators or defensive measures with each other or the government.
- Requires the establishment of a capability at the Department of Homeland Security (DHS) as the primary government capability to quickly accept cyber threat indicators and defensive measures through electronic means.
- Provides liability protection for companies’ appropriate use of additional cybersecurity authorities. The monitoring of networks for cybersecurity threats is protected from liability, along with sharing information about cyber threats between companies consistent with the bill’s requirements.
- Requires reports on implementation and privacy impacts by agency heads, Inspectors General, and the Privacy Civil Liberties Oversight Board to ensure that cyber threat information is properly received, handled, and shared by the government.
Privacy protections include the following:
- Does not require any private sector entity to share cyber threat information. Sharing is strictly voluntary.
- Narrowly defines the term “cyber threat indicator” to limit the amount of information that may be shared under the Act.
- Limits the use of cyber threat indicators to specific purposes, including the prevention of cybersecurity threats and serious crimes.
- Requires the removal of personal information prior to the sharing of cyber threat indicators.