WASHINGTON – Today, in a vote of 74-21, the Senate passed the Cybersecurity Information Sharing Act of 2015. The bill, which is sponsored by Senate Select Committee on Intelligence (SSCI) Chairman Richard Burr (R-NC) and Vice Chairman Dianne Feinstein (D-Calif.), helps protect Americans’ personal privacy by taking steps to stop future cyber-attacks before they happen. This legislation creates an environment that encourages the sharing of information about cyber threats, allowing all participants to get a better understanding of the current threats that may be used against them.
“This landmark bill finally better secures Americans private information from foreign hackers,” said Sen. Burr. “American businesses and government agencies face cyber-attacks on a daily basis. We cannot sit idle while foreign agents and criminal gangs continue to steal Americans’ personal information as we saw in the Office of Personnel Management, Target, and Sony hacks. This legislation gives the government and U.S. companies new voluntary collaborative tools so that they can work together against hackers that have been all too successful at stealing the personal information of millions of Americans for years. I thank Vice Chairman Feinstein for her tenacity in working to get this bill through the Senate.”
“I'd like to thank Chairman Burr for standing shoulder-to-shoulder with me to get this bipartisan bill passed,” said Sen. Feinstein. “I'm very grateful for the work we’ve been able to do together. For a bill as technically difficult as this one, such cooperation was absolutely necessary. This bill will allow companies and the government to voluntarily share information about cyber threats and the defensive measures they can implement to protect their networks. We took every step we could to satisfy privacy concerns. There's a lot more work ahead, including conferencing the final legislation, but I believe this is a very good bill that reflects consensus on a very complicated issue.”
Cybersecurity Information Sharing Act of 2015 Bill Summary
The bill seeks to improve cybersecurity of private entities and increase sharing of cyber threat information:
- The bill provides clear authority and liability protection for private sector entities to share information about cyber threat indicators and defensive cyber measures with other companies and with the Federal government. Such sharing is voluntary, and subject to several privacy protections.
- The bill provides authority and liability protection for a private entity to monitor its networks, and the networks of their customers and other third parties upon express authorization and consent, for cybersecurity purposes.
- The bill authorizes private entities’ use of “defensive measures” on their networks for cybersecurity purposes. The bill does not authorize offensive cyber countermeasures, nor does it authorize a company to take actions on its network that can cause substantial harm to other networks.
The bill also addresses the government’s sharing and use of cyber information:
- The federal government is directed to increase its sharing of cyber information to the private sector to assist companies in protecting their systems.
- Information shared with the federal government under the bill is governed by specific, transparent rules, including:
- Establishment of a “portal” managed by the Department of Homeland Security through which electronic cyber information will enter the Federal government and be shared with other appropriate federal entities consistent with mandatory privacy guidelines.
- Limits on the Federal government’s use of cyber threat information to cybersecurity purposes, responding to imminent threats to life or serious economic harm, threats to minors, and countering cyber-related crimes.
- Protections for privacy, through requirements established by the Attorney General and the Secretary of the Department of Homeland Security, that will govern the receipt, sharing, retention, and use of cyber information by the Federal government.
The bill includes:
- A provision that enables the Federal government to prosecute overseas cybercriminals who profit from financial information that has been stolen from Americans.
- A provision that sunsets CISA’s authorities after ten years.