The U.S. Senate has approved the Cybersecurity Information Sharing Act (CISA), controversial legislation intended to block the deluge of cyberattacks by opening up communication channels between the private sector and federal agencies.
Senate Bill 754, introduced in March by Sen. Richard Burr (R-N.C.) and co-sponsored by Sen. Dianne Feinstein (D-Calif.), passed the Senate by a 72–21 vote on Oct. 27, with the nay votes coming mostly from Democrats. The House approved two versions of the bill in April, which means the House bills will need to be reconciled with the Senate bill in conference—and approved—before a bill can go to President Obama's desk to be signed into law.
The bill seeks to provide a clear authority and liability protection for private sector entities to voluntarily share information about cyberthreat indicators and defensive cyber measures with other companies and the government. It also gives private entities the authority and liability protection to monitor their networks as well as the networks of their customers and other third parties for cybersecurity purposes. Meanwhile, it directs the federal government to increase its sharing of cyber information with the private sector to help companies protect their systems. Finally, it enables the federal government to prosecute overseas cybercriminals that steal financial information from Americans.
The Obama administration last week endorsed the bill, though it laid out a few concerns, arguing that the Department of Homeland Security (DHS) should be the central agency for incoming data. The bill that passed the Senate on Oct. 27 establishes a "portal" managed by DHS through which cyber information will enter the federal government and be shared with other federal entities.
The bill has industry's backing, but it is heavily opposed by privacy and civil liberties groups, which say its privacy protections are too weak. CISA will make it legal for companies to monitor their users and share their information with the government without a warrant, the groups say.
The Edison Electric Institute (EEI) lauded the bill's passage on Oct. 27. "The electric power sector already engages in significant information-sharing activities and has in place mandatory and enforceable reliability and cybersecurity standards," noted EEI President Tom Kuhn. The bill provides a "framework necessary to foster even more meaningful information sharing while maintaining the proper balance between liability and privacy protections," he said.
Despite many recommendations made over the past decade—Congress has held cybersecurity hearings every year since 2001—the only major cybersecurity measures enacted were five bills signed by President Obama in December 2014.
The bills codified the role of the National Institute of Standards and Technology (NIST) in developing a “voluntary, industry-led set of standards” to reduce cyber risk; codified DHS' National Cybersecurity and Communications Integration Center as a hub for interactions with the private sector; required DHS to develop a “comprehensive workforce strategy” within a year; and gave DHS new authorities for cybersecurity hiring.
—Sonal Patel, associate editor (@POWERmagazine, @sonalcpatel)