Cybersecurity Information Sharing Act
Passed as Part of Budget Deal
When President Obama signed the $1.1 trillion Consolidated Appropriations Act, 2016 into law, it contained a number of substantive amendments including the Cybersecurity Information Sharing Act (“CISA”).
Cybersecurity Threat Indicators
The Act establishes a portal, operated through the National Cybersecurity & Communications Integration Center, to facilitate private-public sharing of “cybersecurity threat indicators,” a term that includes information necessary to describe or identify:
- malicious reconnaissance;
- a method of defeating a security control or exploitation of a security vulnerability;
- a security vulnerability;
- malicious cyber command and control; and
- any other attribute of a cybersecurity threat, if disclosure of such attribute is not otherwise prohibited by law; or
- any combination thereof.
CISA authorizes the Department of Homeland Security (DHS) to share cyberthreat information it has received through the portal with other agencies and with the private sector. Information shared is subject to privacy protections that require removal, prior to disclosure to or by the government, of personal information that is known not to be directly related to a cybersecurity threat.
The law makes clear that no party shall be liable for activity relating to the sharing or receipt of cyberthreat information, decisions made to enhance cybersecurity based on such information and authorized network monitoring. Advocates claim that fear of liability has kept entities from sharing this data in the past.
Disclosure does not waive any intellectual property or proprietary rights in the information shared. The government may not use shared information to regulate, or to bring an enforcement action against, the private sector entity that shared it for that entity’s lawful activities under other laws.
While private sector participation in information sharing is voluntary and may not be required as a condition of any government benefit, private sector entities may well require their vendors to participate in the program.
CISA also authorizes the taking of “defensive measures,” defined as an action
applied to an information system or information that is stored on, processed by, or transiting an information system that detects, prevents, or mitigates a known or suspected cybersecurity threat or security vulnerability
Defensive measures, however, exclude any action that “destroys, renders unusable, provides unauthorized access to, or substantially harms an information system.”
The final version of CISA did not include a provision calling for the development of cyber mitigation strategies for critical infrastructure, as industry feared this could lead to regulation. Instead, Congress merely directed the Department of Transportation to identify the 10 U.S. ports at greatest risk of cyber attack and provide recommendations to mitigate such vulnerabilities, and directed DHS to study
the feasibility of producing a risk-informed plan to address the risk of multiple simultaneous cyber incidents affecting critical infrastructure, including cyber incidents that may have a cascading effect on other critical infrastructure.
At the same time, however, Congress made clear that CISA may not
be construed to grant the Secretary any [new] authority to promulgate regulations or set standards relating to the cybersecurity of non-Federal entities.
Of course, this comes despite reports that foreign hackers have increasingly accessed our critical infrastructure.
Critics of the bill, like the Open Technology Institute, contend that:
Despite increasing doubts about whether information-sharing legislation could have prevented an Anthem, Sony or Home Depot-style hack, CISA’s proponents insist that passing cybersecurity legislation is the single most important way to enhance cybersecurity. However, the bill’s primary effect will be to increase cyber-surveillance.
Other Provisions and Additional Reports
Also tucked into the bill are the following relevant cyber issues:
- A prohibition on the National Telecommunications and Information Administration transferring any domain management function to ICANN during fiscal 2016;
- A one-year extension of the moratorium on taxing internet access;
- The Secretary of State is directed to develop a report to Congress on international cyberspace policy strategy and a separate report on the prosecution of international cyber criminals;
- The Director of National Intelligence is directed to report on appropriate standards for measuring and quantifying damage from cyber incidents for the purposes of determining the response to such incidents; and
- The Secretary of the Department of Health and Human Services is directed to report on “the preparedness of the Department of Health and Human Services and health care industry stakeholders in responding to cybersecurity threats.”