The number and severity of cyber threats in the United States are on the rise, and a new voluntary program aims to increase cooperation among government entities and private-sector organizations looking to reduce these damaging cyber events.
New US legislation promotes and encourages the private sector and the US government to exchange cyber threat information. The legislation also authorizes the information to be shared amongst several US federal agencies, including the Department of Commerce, the Department of Defense, the Department of Energy, the Department of Homeland Security, the Department of Justice, the Department of the Treasury, and the Office of the Director of National Intelligence.
The legislation had a long incubation period, and similar bills were introduced in previous sessions of Congress. The idea was jumpstarted again about a year ago when US President Barack Obama called for cybersecurity legislation in his 2015 State of the Union address. In late April 2015, the House of Representatives passed two separate versions of the legislation, and in October 2015, the Senate followed suit by passing its own version of the bill. A conference committee was convened to hammer out a compromise version, and the bill was tacked onto to a large omnibus spending bill in order to make to the respective chambers for a vote. President Obama signed the measure into law on 18 December 2015.
Under the new law, the sharing of information is completely voluntary on the part of private entities. Shared information must not include personally identifiably information unless that information is directly related to the threat being reported. For those that do share information, legal liability protections are provided so long as the information shared is in accordance with the procedures outlined in the Act.
Most of the specific rules are not initially detailed in the Act. Instead, the Secretary of Homeland Security and the US Attorney General will develop and issue regulations for the requirements and procedures to be followed. Thus, much of the practical effect of the legislation is still unclear.
What is also unclear is how forthcoming the private sector will be in sharing cyber threat information. Prior to the enactment of the legislation, many companies expressed that liability protections were a minimum necessary requirement before they consider sharing information.
Reaction to the legislation was mixed. Some industry leaders welcomed the measure. Several high-profile tech companies along with privacy advocates, however, are not in favor of the legislation, with some worrying that it is a “surveillance act” disguised as a cybersecurity act.
Read a Special Report on the legislation from ISACA’s Cybersecurity Nexus (CSX) for background on the act, as well as survey results on opinions about the Act and whether companies are likely to voluntarily share information.