On October 27, 2015, the United States Senate passed S.754, the Cybersecurity Information Sharing Act (CISA or the Act) 74-21. Without requiring such information sharing, CISA would create a system for federal agencies to receive threat information from private companies in real time.
However, the bill is not without controversy. As we discussed in August the Department of Homeland Security raised concerns in July and August that the “real time collaboration” requirement in CISA would not permit them to scrub personal information contained in the data. As a result, the government would have access to information that it would not normally have access to without a warrant. Several senators introduced amendments to address this and other concerns. However, no amendments passed.
S.754 requires the federal government and entities monitoring, operating, or sharing indicators or defensive measures: (1) to utilize security controls to protect against unauthorized access or acquisitions, and (2) prior to sharing an indicator, to remove personal information of or identifying a specific person not directly related to a cybersecurity threat.
It also permits state or local agencies to use shared indicators (with the consent of the entity sharing the indicators) to prevent, investigate, or prosecute offenses relating to: (1) an imminent threat of death, serious bodily harm, or serious economic harm, including a terrorist act or a use of a weapon of mass destruction; or (2) crimes involving serious violent felonies, fraud and identity theft, espionage and censorship, or trade secrets.
The bill also exempts from antitrust laws private entities that, for cybersecurity purposes, exchange or provide: (1) cyber threat indicators; or (2) assistance relating to the prevention, investigation, or mitigation of cybersecurity threats while making such exemption inapplicable to price-fixing, allocating a market between competitors, monopolizing or attempting to monopolize a market, boycotting, or exchanges of price or cost information, customer lists, or information regarding future competitive planning.
The House of Representatives passed a similar version of the bill in April 2015 which the White House generally supports. The White House also supports S.754. CISA now goes to a conference committee and is widely expected to become law.
If you have any questions on how this could impact your business, please contact a member of the GS Cybersecurity and Data Privacy team.