Before recessing until after Labor Day, the Senate agreed to a process for considering S. 754, the Cybersecurity Information Sharing Act of 2015 (CISA), in the fall. The bill is a pragmatic approach that, among other things, encourages the voluntary real-time sharing and receipt of cyberthreat indicators among private sector companies and between the public and private sectors. The legislation, which includes strong privacy and civil liberty protections, was reported out of committee by an overwhelming bipartisan vote of 14 to 1. The House approved companion bills this past spring by similarly bipartisan votes of 355-63 and 307-116.
Cybersecurity experts agree that the need for such sharing legislation is immense given the unprecedented current threat landscape. Hardly a day goes by without news of a new cybersecurity event affecting American consumers, companies, or government agencies. And yet fear of lawsuits and other legal obstacles prevents companies and the government from sharing with each other in real time or near-real time what they know about the cyberthreats attacking their networks, so that prompt steps can be taken to prevent those threats from taking root elsewhere on the Internet.
S. 754 aims to improve the nation’s cybersecurity posture while at the same time providing strong protections for individual privacy and civil liberties. Indeed, by enhancing cybersecurity, CISA will further the privacy interests of consumers by reducing risks from unauthorized access to their personal information from hacks and other malicious cyber activities. Nevertheless, some parties misunderstand the bill’s provisions, and mistakenly claim it will encourage the widespread collection and sharing by industry or the government of “personal information.” This is factually incorrect.
CISA would enable American critical infrastructure industries to protect the networks on which they rely and the customers they serve from external threats and attacks perpetrated by hackers, cybercriminals, and nation-states. The legislation specifically enables the sharing and receipt of “cyberthreat indicators” (CTI) for “a cybersecurity purpose.” It does not encourage the collection of “personal information.”
The overwhelming majority of CTIs involve technical data – computer code revealing botnets, viruses and other forms of malware, as well as ports being used by attackers in various cyber exploits, malicious domain names, traffic volume data used in network flow analysis to identify cyberattacks, and IP addresses that may reveal the locations or devices from which attacks are being launched.
In rare instances, some personal information may be embedded within those CTIs. The bill remedies this by requiring the automated removal of “any information that the entity knows at the time of sharing to be personal information or information that identifies a specific person not directly related to a cybersecurity threat” – a process known as data minimization.
The automated data minimization requirement is intended to achieve the primary purpose of the bill – establishing an information sharing system for the purpose of protecting networks from cyber threats in as close to real time as is feasible. The millions of Americans whose personal information is being threatened every day by hackers, cybercriminals and, regrettably, even some nation-states or their proxies, will be big privacy winners under this legislation.
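The automated data minimization step described above, as an added illustration that is not part of the original article and is not drawn from the bill's text: a small Python scrubber that takes a cyberthreat indicator record, keeps the structured threat-related fields (domain, IP address, ports, the attacker's sending address), strips fields that describe people not directly related to the threat (the reporting analyst), pattern-redacts personal information from free-text notes, withholds any field it does not recognise, and produces an audit trail of what was removed. The field names, regexes and the sample record are constructed assumptions for this example, not a real sharing format.

```python
import json
import re
from copy import deepcopy
from typing import Dict, List, Tuple

# Regexes for personal information that commonly leaks into analyst notes.
# Deliberately simple; a production minimizer would use a vetted PII
# classifier. Patterns are assumptions for this example.
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}-\d{4}\b|\b\(?\d{3}\)?[ -]\d{3}-\d{4}\b"),
}

# Structured fields that are themselves threat indicators. They are shared
# untouched even when they look like personal data: a sender address used in
# a phishing campaign is directly related to the threat. (Assumed field names.)
INDICATOR_FIELDS = {
    "indicator_type", "value", "observed_ports", "source_ip",
    "attacker_email", "malware_hash",
}

# Structured fields about people who are not part of the threat (the analyst
# who reported it, the victim). Dropped entirely before sharing.
PERSONAL_FIELDS = {"reporter", "victim"}

# Free-text fields that receive pattern-based redaction.
FREE_TEXT_FIELDS = {"analyst_note", "description"}

# Constructed sample record; every value is fictional.
SAMPLE_CTI = {
    "indicator_type": "phishing-domain",
    "value": "update-check.example.net",
    "observed_ports": [443],
    "source_ip": "203.0.113.45",
    "attacker_email": "helpdesk@update-check.example.net",
    "analyst_note": (
        "Lure mailed to jane.doe@corp.example; victim typed SSN 123-45-6789 "
        "on the landing page and called 555-0142 for help."
    ),
    "reporter": {"name": "Jane Doe", "email": "jane.doe@corp.example"},
    "internal_ticket": "HELPDESK-4471",
}


def minimize_cti(record: Dict) -> Tuple[Dict, List[str]]:
    """Return (minimized_record, audit_log).

    The input is never modified. The audit log lists every removal so the
    sharing entity can show what it knew and removed at the time of sharing.
    Fields not on the indicator allow-list are withheld rather than shared.
    """
    out: Dict = {}
    audit: List[str] = []
    for key, val in record.items():
        if key in PERSONAL_FIELDS:
            audit.append(f"dropped field {key}")
            continue
        if key in INDICATOR_FIELDS:
            out[key] = deepcopy(val)
            continue
        if key in FREE_TEXT_FIELDS and isinstance(val, str):
            scrubbed = val
            # Order matters: the SSN pattern runs before the phone pattern so
            # the tail of an SSN is never mistaken for a phone number.
            for label, pattern in PII_PATTERNS.items():
                scrubbed, count = pattern.subn(f"[{label} removed]", scrubbed)
                if count:
                    audit.append(f"redacted {count} {label} value(s) in {key}")
            out[key] = scrubbed
            continue
        # Unknown field: not an allow-listed indicator, so do not share it.
        audit.append(f"withheld unknown field {key}")
    return out, audit


def is_shareable(minimized: Dict) -> bool:
    """A record is worth sharing only if an actual indicator survived."""
    return "value" in minimized and "indicator_type" in minimized


if __name__ == "__main__":
    shared, log = minimize_cti(SAMPLE_CTI)
    print(json.dumps(shared, indent=2))
    for entry in log:
        print("audit:", entry)
    print("shareable:", is_shareable(shared))
```

The allow-list design reflects the bill's framing: only what is shared "for a cybersecurity purpose" leaves the organisation, everything else is withheld by default, and the audit log documents the removal of information the entity knew to be personal at the time of sharing.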