Obama Signs Cyberthreat Information Sharing BillLegislation Requires Scrubbing of PII Before It's Shared
President Obama has signed legislation to incentivize businesses to share cyberthreat information with the federal government.
On Dec. 18, both houses of Congress enacted the Cybersecurity Information Sharing Act, which is part of a 2,009-page $1.1 trillion omnibus spending bill (see page 1,729). CISA will establish a process for the government to share cyberthreat information with businesses that voluntarily agree to participate in the program.
The legislation is an important tool to help protect the nation's critical infrastructure, says Daniel Gerstein, former Homeland Security acting undersecretary and a cybersecurity expert at the think tank Rand Corp. "Sharing information between industry and the federal government will allow for development of countermeasure signatures that can be incorporated into networks," Gerstein says. "In the absence of such sharing, protecting networks becomes much more challenging. ... CISA is not intended to be a comprehensive bill for cybersecurity. Rather, it focuses on the exchange of information between industry and the federal government. "
Larry Clinton, president of the industry group Internet Security Alliance, says the approval of the bill by large, bipartisan majorities in both the House and Senate demonstrates the growing realization that the nation faces a major cybersecurity problem. "It speaks to the need to come together in a way rarely evidenced lately in D.C. and begin to attack this problem together," Clinton says. " It's a rare instance of our government system actually working in a bipartisan fashion for the public good."
Passage of CISA is seen as a victory for big business and a defeat for privacy and civil liberties advocates.
Consumer advocates say the new law provides limited privacy protections to Americans. They object to the lack of transparency in drafting the measure's provisions in secrecy and then inserting it into a spending bill that keeps the government operational. "This shows disrespect for the people whose privacy is at stake in this process, and who deserve real cybersecurity, not more surveillance," says Drew Mitnick, policy counsel for the advocacy group Access Now. "Simply put, we expect more from our elected leadership."
But business groups generally supported the legislation. "This legislation is our best chance yet to help address this economic and national security priority in a meaningful way and help prevent further attacks," says U.S. Chamber of Commerce President Thomas Donohue. "Government and businesses alike are the target of these criminal efforts, and CISA will allow industry to voluntarily work with government entities to better prevent, detect and mitigate threats."
At CISA's core are provisions designed to get businesses to voluntarily share cyberthreat information with the government. The main incentive is furnishing businesses with liability protections from lawsuits when they share cyberthreat information, such as malicious code, suspected reconnaissance, security vulnerabilities and anomalous activities, and identify signatures and techniques that could pose harm to an IT system. The new law also will provide antitrust exemption for sharing threat data among businesses.
The liability protections alone won't get many businesses to share threat information. "A bill is not going to prompt an organization to change," says Chris Pierson, chief security officer at invoicing and payments provider Viewpost. "What it will do is help the internal teams that want to share have better ammunition for their legal counterparts and compliance people to understand that sharing of threat data and indicators is being done in a coordinated fashion. The true win here will be the communication around what to share, how to share and the business benefit for companies that share."
CISA designates the Department of Homeland Security to act as the cyberthreat information-sharing hub between government and business. Civil liberties activists wanted a civilian agency, not a military or intelligence entity such as the National Security Agency, to shepherd the flow of cyberthreat information between government and business. But the legislation will not prevent the NSA and other intelligence agencies from getting hold of the cyberthreat information.
One provision of the law will require DHS to establish an automated system to share cyberthreat information in real time with other government agencies. The law also will allow the president, after notifying Congress, to set up a second information-sharing center if needed.
CISA will require the removal of personally identifiable information from data before it is shared. However, the vagueness of the law's language could result in "more private information [being] shared than the privacy community would prefer," says Paul Rosenzweig, a former Homeland Security deputy assistant secretary for policy, who analyzed the measure's language.
Healthcare Industry Study
The omnibus bill also includes language to require the Department of Health and Human Services to convene a task force 90 days after enactment of the legislation to address the cybersecurity threats facing the healthcare sector. This task force would:
- Analyze how other industries have implemented cybersecurity strategies;
- Evaluate challenges and barriers facing private healthcare organizations in defending against cyberattacks;
- Review challenges the industry confronts in securing networked security devices; and
- Develop a plan to share cyberthreat information among healthcare stakeholders.
The task force would report its findings and recommendations to appropriate congressional oversight committees.