Tuesday the Senate passed the Cybersecurity Information Sharing Act of 2015 by a vote of 74 to 21. This bill is similar to a measure passed previously by the House. Reconciliation is likely.
Part of the Congressional Research Service summary:
Requires the Director of National Intelligence (DNI), the Department of Homeland Security (DHS), the Department of Defense (DOD), and the Department of Justice (DOJ) to develop and promulgate procedures to promote: (1) the timely sharing of classified and declassified cyber threat indicators in possession of the federal government with private entities, non-federal government agencies, or state, tribal, or local governments; (2) the sharing of unclassified indicators with the public; and (3) the sharing of cybersecurity threats with entities to prevent or mitigate adverse effects…
Permits private entities to monitor, and operate defensive measures to detect, prevent, or mitigate cybersecurity threats or security vulnerabilities on: (1) their own information systems; and (2) with authorization and written consent, the information systems of other private or government entities. Authorizes such entities to monitor information that is stored on, processed by, or transiting such monitored systems.
Allows entities to share and receive indicators and defensive measures with other entities or the federal government. Requires recipients to comply with lawful restrictions that sharing entities place on the sharing or use of shared indicators or defensive measures.
Requires the federal government and entities monitoring, operating, or sharing indicators or defensive measures: (1) to utilize security controls to protect against unauthorized access or acquisitions, and (2) prior to sharing an indicator, to remove personal information of or identifying a specific person not directly related to a cybersecurity threat…
Exempts from antitrust laws private entities that, for cybersecurity purposes, exchange or provide: (1) cyber threat indicators; or (2) assistance relating to the prevention, investigation, or mitigation of cybersecurity threats. Makes such exemption inapplicable to price-fixing, allocating a market between competitors, monopolizing or attempting to monopolize a market, boycotting, or exchanges of price or cost information, customer lists, or information regarding future competitive planning.
Basically, CISA allows — encourages — owners and operators of computer networks to work with each other and with the public sector to monitor and defend those networks. The legislation does this by reducing the chance of successful lawsuits over actions taken for this purpose.
DHS will play a key role brokering private-to-private and private-to-public information flows. In fact, according to The Hill — and what was said and done on the Senate floor Tuesday — “funneling the vast majority of CISA data through DHS was a key compromise the bill’s backers struck to win the support of on-the-fence lawmakers.” For some, DHS is considered more circumspect than the other federal options.
Many in the tech community have resisted the measure. Most privacy advocates have been adamantly opposed. There is evidence that some at DHS do not want the authority being granted to it. But that’s not what Secretary Johnson seemed to say.
The version of CISA passed Tuesday, in fact, spells out that any broadly defined “cybersecurity threat” information gathered can be shared “notwithstanding any other provision of law.” Privacy advocates consider that a vague and potentially reckless exemption in the protections of Americans’ personal information. “Every law is struck down for the purposes of this information sharing: financial privacy, electronic communications privacy, health privacy, none of it would matter,” says Robyn Greene, policy counsel for the Open Technology Institute. “That’s a dangerous road to go down.”
Given the recent spike in hacks, it seems the body politic has decided that it is better the devil you know than the devil you don’t.