The Senate Intelligence Committee on March 13 took Congress’ first step in what could be a lengthy process to enact cybersecurity legislation this year. The committee approved a draft version of S. 754, the “Cybersecurity Information Sharing Act” (CISA), by a vote of 14-1. Sponsored by Sen. Richard Burr (R-N.C.), the bill would encourage private companies to share sensitive cyber threat information, and is now on track for consideration on the Senate floor – perhaps as part of a package of several cyber-related proposals.

As approved by the Intelligence Committee, CISA would encourage both the private sector and the federal government to boost their cooperative information sharing about cyber threats. Specifically, the bill would:

  • Authorize private entities to monitor their networks or those of their consenting customers for cybersecurity purposes. Companies would be authorized to share cyber threat indicators or defensive measures with each other or the government.
  • Require DHS to establish a cyber portal that would serve as the primary government capability to quickly accept cyber threat indicators and defensive measures through electronic means.
  • Provide liability protection for companies’ appropriate use of additional cybersecurity measures. The monitoring of networks for cybersecurity threats would be protected from liability, along with sharing information about cyber threats between companies consistent with the bill’s requirements.
  • Require reports on implementation and privacy impacts by agency heads, Inspectors General, and the Privacy and Civil Liberties Oversight Board to ensure that cyber threat information is properly received, handled, and shared by the government.

The bill also seeks to address concerns raised by privacy advocates, who fear the bill could allow the sensitive information of private individuals to be traded among private corporations in the name of cybersecurity. To prevent this, the bill would make all information sharing voluntary, narrowly define the type of “cyber threat indicator” information that may be shared under the act, and limit the use of such cyber threat indicators to one of several defined purposes, such as the prevention of cybersecurity threats and “serious crimes.”

S. 754 is the first major cybersecurity legislation to advance through committee this year, although other House and Senate panels have spent a good deal of time studying the issue.  Earlier this year Sen. Tom Carper (D-Del.) introduced another critical-infrastructure-focused cyber information sharing bill based on a White House proposal, and last year Congress approved narrower legislation that formally authorized the National Cybersecurity and Communications Integration Center (NCCIC) as DHS’ federal civilian information sharing interface responsible for sharing real-time cyber threat information among critical infrastructure stakeholders and government representatives.