Following numerous calls for legislation to ease the path for private companies to share cyber threat information with the government without fear of liability, Sen. Tom Carper (D-Del.) has introduced a bill to clearly authorize the sharing of data with the Department of Homeland Security’s (DHS) National Cybersecurity and Communications Integration Center (NCCIC) and other “self-certified” information sharing and analysis groups.
“The Cyber Threat Sharing Act of 2015 builds on the cybersecurity bills President Obama signed into law last year by empowering companies with clear legal authority and liability protection to share critical data while still maintaining privacy protections,” he continued. “This bill reflects the valuable input of the Administration and incorporates insights and advice from our Committee’s hearing on the topic earlier this month. Introduction of this bill is the logical next step in this conversation. I value the work the leaders of the Senate Intelligence Committee and others have done on this issue. I invite and encourage all stakeholders to engage with my colleagues on the Homeland Security and Governmental Affairs Committee and me and provide feedback on how we can make this bill better in an open and transparent process. We must all work together to find a legislative solution that will address our cybersecurity needs while upholding the civil liberties we all cherish. And given the threats we face today, we must move with a sense of urgency. The country is counting on us.”
The “self-certification” piece would apply to any organizations that have proven they follow best practices for sharing and analyzing cyber threat data, according to Carper. Data shared under the bill would be protected from disclosure through the Freedom of Information Act.
Carper noted that the only information authorized to be shared under the bill would be cyber threat data that could not be used to identify individuals.
“It ensures that strong privacy policies exist within the Federal government for cyber threat sharing, and that liability protections for sharing with the federal government are only granted for sharing with a civilian agency and only once appropriate privacy policies are in place,” asserted Carper. “It would narrowly limit how the Federal government could use cyber threat data it receives. It would also require transparency reports on the bill’s implementation to ensure accountability in the sharing of cyber threat data.”