In the rush of holidays and storms around the country (and weirdly warm weather here in D.C.), it was easy to miss that Congress finally approved the Cybersecurity Information Sharing Act (CISA). The bill was folded into the omnibus spending package, the Consolidated Appropriations Act, 2016, Pub. L. 114–113 (Dec. 18, 2015), which Congress approved just before shutting down for the break.
The law encourages companies to share cyberthreat information with the federal government and with each other. Companies are explicitly authorized to monitor their own information systems and, with authorization and written consent, those of other non-federal entities, and to share information about “cyber threat indicators” and defensive measures. The Department of Homeland Security (DHS) is the designated portal through which that information is shared with the government, and sharing through DHS is what entitles a company to the law’s liability protections. Before sharing, companies are obligated to review the information and remove any personally identifiable information that is “known at the time of sharing” to be unrelated to a cybersecurity threat. DHS is similarly directed to implement privacy protections before passing information on to other agencies.
These privacy protections were adopted partly in response to criticism from non-governmental organizations (NGOs) such as the American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation (EFF), which argued that the privacy protections were inadequate and especially worrisome given the breadth of the liability limitations. These groups continued to oppose the legislation even after the protections were added.
Many businesses, on the other hand, have favored legislation that creates an appropriate incentive structure: one that motivates companies to share information that could help them combat cyberthreats from private groups and state actors, while protecting them from liability for doing so. Notably, however, the tech industry itself has vacillated on CISA. One software trade association has variously supported, been neutral toward, and finally opposed the version of CISA passed last month.
The broader business community’s support has only grown in the wake of cyberattacks and the public recriminations that followed. The logic of CISA is relatively simple: legal authorization and liability protection give companies an incentive to share information that benefits both themselves and other companies. Supporters assert that, without such authorization and protection, businesses have been reluctant to share, and that malicious actors have in turn exploited weaknesses that might have been known had information been shared. At the same time, when breaches occur, companies have faced both regulatory investigations and class action lawsuits for allegedly failing to implement the security measures necessary to protect their own proprietary information and the information of their customers and employees. The business community hopes that CISA will facilitate cyberthreat sharing while limiting that liability exposure.
Some critics continue to assert that the bill does too little to promote better cybersecurity while offering too little in the way of privacy protection for consumers. Only time will tell whether CISA, once implemented, will both improve the cybersecurity environment and strike the right balance in protecting privacy.