Because October is National Cyber Security Awareness Month, conventional wisdom holds that the US Senate will consider cybersecurity information sharing legislation that was introduced in the spring. The Senate, however, has yet to schedule a formal vote on the Cybersecurity Information Sharing Act (CISA) (S. 754).
The proposed legislation aims to defend against cyberattacks through the creation of a framework for the voluntary sharing of cyberthreat information between private entities and the federal government. Companies may share threat indicators and defensive measures with the government, but they must institute appropriate security controls and remove personal information. Liability protection is available for companies choosing to share information, provided they implement the proper controls.
During his State of the Union address earlier this year, US President Barack Obama urged Congress to pass legislation focused on cybersecurity, including the sharing of information. The US House of Representatives passed two similar bills on information sharing in April: the Protecting Cyber Networks Act (PCNA) (H.R. 1560) and the National Cybersecurity Protection Advancement Act (NCPA) (H.R. 1731). One of the key differences in the House bills is that the NCPA Act only authorizes sharing with the Department of Homeland Security, while the PCNA provides companies the flexibility to choose to share cyber threat indicators or defensive measures with a number of different government agencies.
Before a conference committee can convene and iron out differences between the House and Senate versions, the Senate must act. Media reports that the Senate will likely consider the legislation after they return from a brief recess the second or third week in October, but no firm plans have been announced. According to published media reports, the Senate is working to limit amendments in order to fast-track debate on the proposed legislation.
There is a deep divide on whether the CISA legislation should be passed. Some businesses and industries welcome the information sharing and liability protections the Act would provide. Privacy advocates, however, warn that the Act would put individuals’ private information in the hands of the US government.
Sr. Manager of Cybersecurity Practices, ISACA
[ISACA Now Blog]