Information Sharing

Yesterday, the Department of Homeland Security (“DHS”) and Department of Justice released final guidance as required by Title I of the Cybersecurity Act of 2015 (“CISA”), which was enacted into law this past December.  The guidance was prepared in consultation with several additional federal agencies, and includes four separate documents.  We summarize each of the guidance documents below.

The first document (“sharing guidance”) provides guidance for non-federal entities (including state governments) that elect to share cybersecurity information with the federal government under CISA.  It summarizes the sharing authorized by CISA as follows: “Effectively, the only information that can be shared under the Act is information that is directly related to and necessary to identify or describe a cybersecurity threat.”  But it also notes that “otherwise conflicting laws, including privacy laws, do not restrict sharing or any other action undertaken pursuant to CISA,” consistent with the language of Section 104(c) of CISA, which permits such sharing “notwithstanding any other provision of law.”  
Continue Reading Federal Government Releases Final Guidance on CISA

The Cybersecurity Act of 2015 (the “Act”) was passed by Congress today as part of the 2016 omnibus spending package.  The Act is very similar to the Cybersecurity Information Sharing Act (“CISA,” S. 754), which passed the Senate on October 27 and was the subject of our previous analysis, although there are some important differences which we highlight below.  If enacted into law by the President as part of the spending package, the Act would, among other things, establish a voluntary framework for the sharing of cybersecurity threat information between and among the federal government, state governments, and private entities.
Continue Reading Congress Passes the Cybersecurity Act of 2015

As we reported on October 27, the U.S. Senate passed the Cybersecurity Information Sharing Act (“CISA,” S. 754).  If enacted into law, CISA would, among other things, establish a voluntary framework for the sharing of cybersecurity threat information between and among the federal government and private entities.  CISA must now be reconciled with two similar bills that the House passed in April before it can be sent to the President and enacted into law.  According to CISA’s co-sponsor Sen. Richard Burr (R-NC), a conference version of CISA will not be available for review until January 2016, at the earliest.  Below is a deeper explanation of CISA’s four Titles and how they purport to improve cybersecurity.
Continue Reading A Closer Look at CISA’s Cybersecurity Information-Sharing Provisions

The U.S. Senate passed the Cybersecurity Information Sharing Act (“CISA,” S. 754) today.  In material part, the bill:

  • establishes a voluntary framework for real-time information sharing of “cyber threat indicators” and “defensive measures” between private organizations (defined to also include state and local governments) and the federal government;
  • with respect to information sharing among private

By Ray Biagini and Scott Freling

We have already seen tremendous fallout from recent cyber attacks on Target, the U.S. Office of Personnel Management, Sony Pictures, and J.P. Morgan.  Now imagine that, instead of an email server or a database of information, a hacker gained access to the controls of a nuclear reactor or a hospital.  The potential consequences are devastating: death, injury, mass property destruction, environmental damage, and major utility service and business disruption.  Now what if there were a mechanism that would incentivize industry to create and deploy robust and ever-evolving cybersecurity programs and protocols in defense of our nation’s critical infrastructure?

In late 2014, Representative Michael McCaul (R-TX), Chairman of the House Committee on Homeland Security, proposed legislation that would surgically amend the SAFETY Act, which currently offers liability protection to sellers and users of approved anti-terrorism technologies in the event of litigation stemming from acts of terrorism.  Rep. McCaul’s amendment would broaden this protection to cybersecurity technologies in the event of “qualifying cyber incidents.”  The proposed legislation defines a “qualifying cyber incident” as an unlawful access that causes a “material level[] of damage, disruption, or casualties severely affecting the [U.S.] population, infrastructure, economy, or national morale, or Federal, State, local, or tribal government functions.”  Put simply, under the proposed legislation, a cyber incident could trigger SAFETY Act protection without being deemed an act of terrorism.
Continue Reading SAFETY First: Using the SAFETY Act to Bolster Cybersecurity

On Monday, the 2015 G-7 Summit ended with the President and other Leaders of the G-7 focused generally on a wide range of economic, security, and development issues, and specifically discussing the energy sector’s cybersecurity posture.  According to the White House, the Leaders “launched a new cooperative effort to enhance cybersecurity of the energy sector

Yesterday the U.S. House of Representatives passed the National Cybersecurity Protection Advancement Act (NCPAA), a bill that would provide liability protections for companies sharing cyber threat information with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC).  A related bill, the Protecting Cyber Networks Act (PCNA), was passed by the House on Wednesday and would provide similar liability protections when companies share information with civilian agencies.  As we reported last week, the two bills are expected to be combined before heading to the Senate.
Continue Reading House Passes Cybersecurity Information Sharing Bills

By Caleb Skeath

During the White House’s inaugural Summit on Cybersecurity and Consumer Protection last Friday, President Obama signed an executive order designed to facilitate increased information sharing between the private sector and the federal government.  The order follows the introduction of the Cyber Threat Sharing Act of 2015 in the Senate, an information-sharing bill modeled on the legislative proposal released by the White House in January.
Continue Reading President Obama Signs Executive Order to Encourage Information Sharing

By Caleb Skeath

Earlier this week, the Senate Committee on Homeland Security and Governmental Affairs held its first hearing of the new Congress, entitled “Protecting America from Cyber Attacks: The Importance of Information Sharing.”  The hearing focused in large part on the White House’s recent information sharing proposal, which would protect private entities from

On Tuesday, President Obama announced his proposal for legislation that would encourage sharing of cyber threat information between the public and private sector by shielding private entities from liability for sharing information on cyber threats. The White House has since released the text of the proposed bill, which includes limitations on liability for private entities along with a mandate to develop policies and procedures to address privacy concerns. In comparison with previous failed attempts to enact similar legislation, the current White House proposal offers increased privacy protections and more narrowly defined exemptions from liability, but it remains to be seen whether this proposal can succeed where others have failed.
Continue Reading Analysis of President Obama’s Information Sharing Legislation