From last year’s attack on Sony Pictures Entertainment to this summer’s breach of the Office of Personnel Management, which compromised the records of as many as 18 million people, numerous high-profile and damaging cyberattacks over the past several years have finally prompted a response from Congress.
On Friday, landmark cybersecurity legislation tucked into a major $1.1 trillion spending package passed the House by a vote of 316-113. The Senate later backed the bill 65-33, sending it to President Obama, who signed it into law Friday afternoon.
The Cybersecurity Act of 2015, included in the omnibus bill, aims to protect the nation’s private sector and federal networks from cyber threats, such as foreign hackers and cyber terrorists, by creating a voluntary cybersecurity information sharing process that allows private and public sector entities to share threat information without fear of legal barriers.
The legislation also includes provisions to improve federal network and information system security, provide assessments on the Federal cybersecurity workforce, and provide reporting and strategies on cybersecurity industry-related and criminal-related matters.
The Cybersecurity Act of 2015:
- Establishes the Department of Homeland Security (DHS) as the sole interface where companies can receive liability protections for sharing cyber threat information with the federal government.
- Requires companies to review and remove any Personally Identifiable Information unrelated to cyber threats before sharing information with the government.
- Requires DHS to be a co-author of all the privacy procedures, to ensure that the robust privacy protections already in place at DHS’ cyber operations center, the National Cybersecurity & Communications Integration Center, will be “baked” into all privacy procedures for information sharing.
- Requires DHS to deploy intrusion detection and prevention capabilities to secure federal networks.
- Requires DHS to utilize advanced network security tools to improve network visibility and to detect and mitigate intrusions and anomalous activity.
- Authorizes DHS to execute intrusion detection and prevention capabilities when an imminent cyber threat to an agency information system is identified.
The Cybersecurity Act of 2015 includes provisions that originated in HR 1731, the National Cybersecurity Protection Advancement Act, which was introduced by House Committee on Homeland Security Chairman Michael McCaul (R-Texas) and overwhelmingly passed the House on April 23, 2015 by a vote of 355-63.
“Enhancing DHS’s ability to more effectively secure federal networks is something I have personally been working hard to enact since introducing HR 3313, the Federal Defense of Cyber Networks Act,” McCaul said. “In light of the OPM breach, this provision ensures our federal cyber networks are able to defend against nation-states like China, Russia, Iran and North Korea and terrorist threats. Furthermore, this streamlines the Federal government’s ability to more effectively identify and thwart cyber-attacks.”
Proponents of the legislation say it’s no silver bullet, but represents a significant step in the right direction. “I’m especially proud to have worked on the Cybersecurity Act of 2015,” Sen. Tom Carper (D-Del.), top Democrat on the Senate Committee on Homeland Security and Governmental Affairs, said. “This legislation would facilitate the sharing of cyber threat information among and between the private sector and federal government and authorize key cyber defense programs at the Department of Homeland Security, such as the cyber intrusion and detection system known as EINSTEIN, while maintaining privacy protections.”
Carper added, “Overall, this measure, which is the reflection of bipartisan collaboration and compromise, will strengthen our nation’s defenses online and help federal agencies, businesses and consumers better protect themselves against the evolving cyber threats of the twenty-first century.”
Privacy advocates and civil liberties groups, on the other hand, fear the legislation will put the privacy of the American people in jeopardy. The bill shields private companies that choose to share consumer information with the government from unfounded litigation and removes many of the legal barriers that prevent the sharing of cybersecurity threat information.
Although the White House had threatened to veto similar bills in 2012 and 2013 due to a lack of adequate privacy safeguards, Obama said he would sign the omnibus bill if it reached his desk. After the bill cleared Congress, Obama signed the new legislation into law Friday afternoon.
McCaul explained, “It is extremely important for private companies that voluntarily share cyber threat indicators and defensive measures with DHS, or each other, to have liability protections to ensure they are shielded from the threat of unfounded litigation.”
“This will better secure public and private networks,” McCaul said.