by David Burg and Douglas Bloom. Late last week, the President signed the Cybersecurity Act of 2015 (the “Act”) into law as part of the omnibus appropriations bill. Among other things, the Act provides a framework for the sharing of cyber threat information between private industry and the government. Industry counsel has long pushed Congress for a means to share information without exposing their organizations to legal liability. On its path to passage, however, the bill attracted more than its fair share of controversy. Privacy advocates and some in the technology industry viewed the effort as unnecessarily expanding government surveillance and undermining protection of personal identifiable information (“PII”). The Act seeks to strike a balance between these seemingly (though not entirely) contrary interests, protecting privacy while providing important tools to those charged with safeguarding corporate interests, including customers’ privacy, and critical civic infrastructure. In the end, the Act, coupled with the continuing effort to establish and mature Information Sharing and Analysis Organizations (ISAOs), is an important step towards allowing those charged with defending against cyberattacks to do what those engaged in cyberattacks have done for a very long time: learn from each other.
At its core, the Act requires the Attorney General, Director of National Intelligence, and the Secretaries of Homeland Security and Defense to jointly create and maintain a program permitting private and government entities to share cybersecurity information, threat indicators and defensive measures. Much of the cybersecurity information in the government’s possession is classified. As a result, information sharing to date has largely been a one-way street with legal sanctions, including criminal penalties, barring the government from sharing information with industry. The Act seeks to overcome that barrier in two ways. First, it mandates that the new program must permit the sharing of classified information with private industry employees who hold security clearances, thereby limiting legal liability for those who share classified data under the Act. Second, it encourages the declassification of cybersecurity information so that it can be shared with a broader audience.
PwC and the White House have been working together to help industry establish ISAOs where key industry players can come together to help each other protect against cyberthreats. A major stumbling block in that effort has been the government’s inability to facilitate information sharing given the classified (and often over-classified) nature of the information in its hands. Through the Act, Congress has sent a signal that those classifications should be revisited. Collectively, this lays the foundation to finally open a two-way flow of information between industry and government.
The Act also provides a number of the legal protections sought by industry. For instance, it provides an exemption from antitrust laws for the sharing of cybersecurity information and defenses between private companies, specifies that sharing information under the Act will not act as a waiver of legal privilege or trade secret protection, and exempts from FOIA disclosure information provided by industry to the government.
At the same time that it aims to eliminate barriers to information sharing, the Act attempts to answer privacy concerns. Private industry must review all shared information for PII. Information pertaining to or identifying specific individuals cannot be shared unless that information is directly related to a cybersecurity threat. Those who violate this restriction lose the legal protections afforded by the Act, while those who comply are shielded from civil suits arising from their sharing information. The Act also mandates that the information sharing program set minimum standards for data security surrounding the shared information for both industry and the government.
For its part, the Government must maintain the security of the shared information and can only use that information for a purpose related to cybersecurity or investigations and prosecutions arising from:
- a specific threat of death, serious bodily harm, or serious economic harm, including a terrorist act or a use of a weapon of mass destruction;
- a serious threat to a minor, including sexual exploitation and threats to physical safety; or
- an offense arising out of—
- identity theft and computer fraud;
- state secret espionage;
- economic espionage; and
- theft of trade secrets.
The Act does not answer all of the critics, nor does it provide every protection that industry sought. It does, however, remove several barriers that have held back the development of a protected space where those on the front lines of cyberdefense—both in industry and government—can effectively help each other protect our country, economy, and personal information from attack. PwC has been deeply involved in the development of ISAOs—the formal structures for that information sharing space—because we believe that information is not only the prime target of cyberattacks, but a powerful tool in preventing them. By allowing those who are threatened by cyberattack to learn from each other’s experiences, the Act marks an important step forward in our collective struggle against cyber threat.