Last month, President Barack Obama signed a $1.1 trillion omnibus spending bill that contained the Cybersecurity Information Sharing Act of 2015. The purpose of the act is to encourage the sharing of cybersecurity threat intel. The Obama administration believes this is essential in order for the country to win the war against cybercrime.
Cybersecurity Information Sharing Act of 2015 signed into law
The Cybersecurity Information Sharing Act of 2015 is a compromise bill that was penned after previous attempts to introduce legislation to force private sector companies to share cybersecurity threat intelligence failed to make it past the House and Senate. Instead, the Cybersecurity Information Sharing Act of 2015 facilitates the voluntary sharing of intelligence by removing some of the legal obstacles that have previously got in the way of data sharing.
It has long been possible for private sector companies to share certain cybersecurity information with government organizations; however, many companies have failed to do so out of fear of legal action stemming from accidental antitrust violations and inadvertent violations of the private rights of individuals. There was also concern that some of the information required by the federal government could in fact be used against the organization sharing the information, for example in regulatory enforcement actions.
The Cybersecurity Information Sharing Act of 2015 offers private companies immunity from private and government lawsuits, along with other claims that could potentially result from the sharing of cybersecurity intelligence.
Sharing of cybersecurity intelligence and immunity from lawsuits
The new law allows any person or private group to share cybersecurity information with the federal government. That information includes cyber threat indicators – information that describes the attributes of a threat – and defensive measures. Defensive measures are defined as actions, devices, signatures, techniques, or procedures that “detects, prevents, or mitigates a known or suspected cybersecurity threat or security vulnerability.”
Before any information is shared with the federal government, it must first be stripped of personal information relating to specific individuals or information that would allow specific individuals to be identified.
The Cybersecurity Information Sharing Act of 2015 allows companies to share intel primarily with the Department of Homeland Security, although it can also be shared with a host of government agencies such as the Departments of Commerce, Energy, and Justice. The information would also be shared with the Department of Defense, which includes the NSA, as well as the Office of the Director of National Intelligence.
The US Attorney General and Secretary of Homeland Security will prepare and publish guidelines to aid organizations with the identification of information that qualifies as a cyber threat indicator. Assistance will also be provided to help organizations identify the information that must be removed prior to sharing to avoid violating privacy laws.
Seven National Guard Cyberprotection teams will be set up and active by the start of 2020 to help deal with new cybersecurity threats. Those teams will be spread across 23 states and will be capable of rapidly mobilizing soldiers and airmen to assist U.S. Cyber Command.