Controversial Cybersecurity Information Sharing Act Passes in Senate

October 30, 2015 | By Lawrence J. Tabas

This week, the Senate passed a cybersecurity bill, called the Cybersecurity Information Sharing Act of 2015 (the “CISA”), by a vote of 74 to 21. With the Senate’s vote, the bill is one step closer to becoming law.

The CISA authorizes the Director of National Intelligence, the Department of Homeland Security, the Department of Defense, and the Department of Justice to develop procedures to promote the following:

  • the timely sharing of classified and declassified cyber threat indicators in possession of the federal government with private entities, non-federal government agencies, or state, tribal, or local governments;
  • the sharing of unclassified indicators with the public; and
  • the sharing of cybersecurity threats with entities to prevent or mitigate adverse effects.

In essence, the bill is designed to help companies and the government share information about the latest cybersecurity threats.

Information sharing under the CISA is voluntary. Companies are not required to participate. If they do choose to participate, companies will be exempt from antitrust laws for purposes of sharing cybersecurity threat information with other entities.

However, companies who elect to share their information will be tasked with stripping personally identifiable information from their data. Under the law, companies cannot share data that they know, at the time of sharing, contains personal information or information that identifies a specific person not directly related to a cybersecurity threat.

The CISA is controversial. Privacy advocates argue that the bill encourages companies to collect personal information and share that personal information with the government. They argue that the bill provides a backdoor that allows companies to circumvent warrant requirements. In addition, privacy advocates worry that the bill is too vague and neglects to define how threat information will be shared or managed.

Proponents of the bill claim that CISA will help prevent corporate data breaches by allowing companies to share cybersecurity threat data with security agencies like the Department of Homeland Security, the FBI, and the NSA. Proponents, like the Wall Street Journal, claim that the bill will help combat the escalating and evolving cyber threat by helping companies keep pace with sophisticated hackers.

CISA is expected to head to committee where Congressional leaders will attempt to resolve discrepancies between the Senate’s version of the bill and the House’s versions. Earlier this year, the House passed two bills similar to CISA: the Protecting Cyber Networks Acts and the National Cybersecurity Protection Advancement Act.

If the bill survives committee, it is expected to be signed by President Obama. President Obama has voiced his support for information sharing throughout the duration of his presidency.

To read a summary of the bill, click here.

To read the bill, click here.