By Darryl Drevna
Major cybersecurity legislation was included in an omnibus appropriations and tax reform package, essentially ensuring the President will sign the measure into law. The House is expected to vote on Friday to approve the bill and the Senate likely will pass the bill next week. The omnibus package includes the Cybersecurity Act of 2015, which combines elements from three cyber bills that are designed to encourage private companies to share more data on cybersecurity threats with the government.
In April, the House overwhelmingly passed two cybersecurity bills, the Protecting Cyber Networks Act (H.R.1560) (“PCNA”) and the National Cybersecurity Protection Advancement Act (H.R. 1731) (“NCPAA”). The Senate in October passed its version of cybersecurity legislation, the Cybersecurity Information Sharing Act (CISA). The House and Senate did not officially enter a conference committee, but instead staff and members of the House Intelligence, Homeland Security and Judiciary committees and the Senate Homeland Security and Government Affairs committees worked to finalize a compromise version that took elements from all three bills.
The compromise measure establishes the Department of Homeland Security (DHS) service as the lead civilian portal for reporting cyber threats to the government. However, it also provides the President with the authority to designate an additional portal if the DHS portal is not fully secure and operational. Privacy advocates have criticized this provision as a “loophole” to allow the President to create a portal managed by law enforcement or intelligence, rather than a civilian agency. The bill specifically precludes the Defense Department, including its National Security Agency, from becoming an alternate portal.
The bill also requires the Attorney General and DHS to jointly issue final policies and procedures relating to the federal government’s receipt of cyber threat indicators and defensive measures. The Attorney General and DHS also must issue final guidelines relating to privacy and civil liberties that govern the receipt, retention, use and dissemination of cyber threat indicators received by the federal government. These guidelines must be publicly available no later than 180 days after the date of enactment of the Cybersecurity Act of 2015. Polsinelli’s Privacy and Data Security team will monitor developments in this area.
The bill also includes liability protections for companies that share – or do not share – cyber threat indicators or defensive measures with the government. The bill specifically indicates that companies do not have a “duty to warn or act” based on the receipt of a cyber threat indicator or defensive measure.
House Intelligence Committee chair Rep. Devin Nunes (R-CA) said the cyber bill is “vital for protecting America’s digital networks and for implementing the necessary funding, authorizations, and oversight for the intelligence community.” Rep. Adam Schiff (D-CA), the committee’s ranking member, said that the bill “contains the strongest privacy protections to date, requiring personal information to be stripped out before malicious code is shared with DHS, and providing narrow liability protections to protect businesses that voluntarily participate in the program. It is the most significant effort by Congress to address the cyber threat to date, and should now become law.”
Privacy advocates criticized the decision to include the cybersecurity bill in the larger omnibus package. In a recent letter to congressional leaders, Reps. Justin Amash (R-MI), Zoe Lofgren (D-CA), Jared Polis (D-CO) and Ted Poe (R-TX) said that the negotiations and the bill text were not made public. Sen. Ron Wyden (D-OR) said that the cybersecurity measure was “a bad bill when it passed the Senate and it is an even worse bill today. Americans deserve policies that protect both their security and their liberty. This bill fails on both counts.”