On October 27, 2015, the U.S. Senate passed the Cyber Information Sharing Act of 2015 (CISA) by a vote of 74-21. The bill allows government agencies and businesses to share information about cybersecurity threats with one another. The shared information is supposed to consist of “threat indicators” such as technical information about the type of malware used or how hackers cover their tracks once they penetrate a system. Bill sponsors say that shared information will help organizations better understand the source and type of attacks and therefore be better able to anticipate and defend against cyber attacks.
Companies are encouraged but not required to share information on cyber threats with the Department of Homeland Security, which then shares information with other companies and government agencies. The House approach could permit businesses to directly share information with other government agencies. The Senate bill requires companies and the DHS to scrub individuals’ personal information from the shared data. Participating companies are granted immunity from civil lawsuits brought by customers who sue for sharing private data.
The Senate bill was co-sponsored by Senate Intelligence Chair Richard Burr (R-North Carolina) and Vice Chair Sen. Dianne Feinstein (D-California). Although supported by the White House and a wide range of business groups, the Senate bill was opposed by some legislators and technology companies such as Facebook, Google, Apple and Yahoo on the grounds that it provides too much data to government agencies without offering privacy protections for U.S. citizens.
Senate bill 754 must be reconciled with similar legislation passed by the House of Representatives last April. A House-Senate agreement is not expected until after January 1, 2016. Once the bill is signed into law by President Obama, the U.S. Attorney General has 180 days to finalize a plan for collecting and disseminating cyber threat data.
A PDF version of the 118-page bill can be found here.