Cybersecurity information sharing legislation completed its long road through Congress on December 18 after being passed as part of the year-end budget deal providing government funding for the rest of the 2016 fiscal year.

Enhancing cybersecurity has been on the congressional agenda for much of 2015; the House of Representatives approved a pair of cyber information sharing bills (H.R. 1560 and H.R. 1731) in the spring, while the Senate approved its own version (S. 754) in October.  Each of the proposals followed a similar general framework, and congressional leaders were able to negotiate a final bill in time for it to advance as part of the must-pass omnibus appropriations legislation.

Known as the “Cybersecurity Information Sharing Act of 2015,” the final bill accounts for 135 pages within the omnibus legislation (H.R. 2029).  The new law directs the Director of National Intelligence, the Attorney General, and the secretaries of Homeland Security and Defense to jointly develop procedures that promote the “timely sharing” of cyber threat information held by the federal government with private network operators and state and local government officials – including classified information when the recipients hold proper security clearances.  The new sharing procedures include a role for existing Information Sharing and Analysis Centers (ISACs), as the law requires the incorporation of “existing processes and existing roles and responsibilities … for information sharing by the Federal Government,” including sector ISACs.

The cybersecurity legislation’s voluntary information sharing opportunities are open to network operators across all sectors, but the bill’s definition of eligible entities specifically lists public utilities that provide services such as water, natural gas and electricity.  Earlier versions of the bill had excluded water utilities from coverage, so the final legislation leaves no confusion in this regard.  Similarly, the final bill establishes that any cyber threat information shared with a state or local government is exempt from disclosure under any public records laws and may not be used to enforce regulatory actions.

The bill provides mechanisms for private sector and public utility officials to voluntarily share cyber threat information with the federal government as well.  DHS and the Attorney General are directed to work together to develop policies and procedures to govern how the federal government would handle cyber threat information shared by industry representatives.  DHS would develop and implement the capability to accept cyber threat information “in real time,” while also taking steps to safeguard any personally identifying data that is included within the shared information.

In addition to the information sharing component, the bill authorizes, but does not require, companies and utilities to monitor their computer networks (as well as other networks, with consent) for cybersecurity threats, and respond to suspected threats by employing “defensive measures” intended to protect the operator’s rights or property.  These provisions would allow a network operator to respond to a cyber attack that is underway, and other sections of the bill provide liability protections against any claims arising out of good-faith cyber actions undertaken pursuant to the law.

Lawmakers removed from the final bill Section 407 of the original Senate-approved version, which would have directed DHS to review the cybersecurity posture of certain individual high-risk critical infrastructure entities.  AMWA and other critical infrastructure stakeholders had spoken out against this provision, warning that it could represent the beginnings of a federal regulatory regime targeting critical infrastructure cybersecurity – an outcome that would have run counter to the voluntary nature of the rest of the bill.