Deep in the trillion-dollar federal spending bill that President Obama signed into law on December 18, 2015 was the Cybersecurity Information Sharing Act of 2015 (CISA), which establishes a voluntary program for the public and private sectors to share information about cyber threats with one another and with the federal government. Like much legislation, the enacted text is a compromise between competing House and Senate versions of the bill.
Many see the sharing of information about cyberattacks, data breaches and hacks by corporations and others with the appropriate federal agencies as a critical step in protecting the public from such attacks. Before CISA, however, many companies were hesitant to share information after suffering a breach or other attack, for several reasons: concern about the privacy rights of the people whose information would be included in what was handed to the government, and concern about the companies' own potential legal liability.
The new law allows individuals, companies, groups, and state and local governments to share both cyber threat indicators and defensive measures with the federal government. It requires that personal information not directly related to a threat be removed from the data before it is shared. Information is to be submitted initially to the Department of Homeland Security, which in turn shares it with other appropriate federal agencies and, for classified indicators, with other entities holding appropriate security clearances. CISA restricts the federal government's use of shared information to cybersecurity purposes and a small number of other narrowly enumerated purposes (such as responding to an imminent threat of death or serious bodily harm), and the data is exempt from public disclosure under the Freedom of Information Act. As an incentive to share, the law shields private companies from civil liability for monitoring their own information systems and for sharing indicators and defensive measures, provided they do so in accordance with the Act.
This law, widely described as Congress' first major piece of cybersecurity legislation, is a modest start on a major problem. Participation is purely voluntary, and many privacy advocates worry that the law does not adequately protect personal data against misuse by the federal government. Whether those critics are correct cannot be determined from the text of the legislation alone; it will become clear only once the law is fully implemented. Still, the importance of Congress finally taking some steps, however small, toward addressing a threat to us all should not be minimized.