Congressional scrutiny of several cyber security-related bills is due to intensify this month as the Senate starts consideration of two House-passed bills, and votes on its own bill.
Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed, recently provided a summary of the bills. Here are excerpts from his summary:
All eyes are on the Senate, as it looks like a vote on its own cyber security bill is set to take place later in May. [This] post will highlight the two House bills recently passed by the House and the Senate's bill under consideration.
Protecting Cyber Networks Act (H.R. 1560)
This bill encourages the timely sharing of cyber threat information among private entities, nonfederal government agencies, and local governments. It provides businesses liability protection for sharing cyber threat indicators when taking reasonable efforts to remove personally identifiable information.
The bill also allows the federal government (excluding the National Security Agency and Department of Defense) to share cyber threat information with private entities, nonfederal government agencies, and local governments.
To further promote and protect individual privacy, the bill would also require that the Department of Justice periodically review the information shared to ensure that PII is not being received, used, or disseminated by a federal entity.
Finally, this bill directs the Cyber Threat Intelligence Integration Center, under the direction of the Office of the Director of National Intelligence, to serve as the primary organization to analyze and integrate all intelligence shared.
National Cybersecurity Protection Advancement Act of 2015 (H.R. 1731)
The purpose of this bill is also to encourage information sharing of cyber-related risks among the private sector and government. Unlike its companion bill, which directs the CTIIC as the overseer of the information-sharing program, this bill authorizes the Department of Homeland Security to do so.
In order for the DHS to serve in this capacity, the bill expands the composition and scope of the DHS national cyber security and communications integration center to include additional parties, namely private entities and information-sharing and analysis centers, among its nonfederal representatives.
As with H.R. 1560, the bill has provisions to protect individual privacy and requires that the DHS perform an annual privacy policies and procedures review. As with its companion House bill, liability protection is afforded to parties sharing information.
Cybersecurity Information Sharing Act (S. 754)
The Senate's version of cyber security legislation is a companion bill to the two recently passed House bills and combines tenets of both of them.
It's viewed as an information-sharing bill, with the DHS serving as the federal entity responsible for overseeing the sharing of data between the government and private sector. DOJ is responsible for ensuring that privacy and civil liberties are upheld within the information-sharing program. As with the House bills, liability protection is provided to all entities sharing information.
The value proposition of information sharing behind all of these bills is that both the government and the private sector would benefit. As evidenced by the strong participation of many financial institutions with the Financial Services Information Sharing and Analysis Center, many financial institutions are seeing value in sharing cyber security information within their own sectors.
Additionally, the Retail Industry Leaders Association established the Retail Cyber Intelligence Sharing Center earlier this year to share cyber threat information between retailers and law enforcement.
These bills would offer avenues for the private sector and government to break down their silos and share information while being afforded liability protections. Importantly, they are meant to promote information sharing while maintaining privacy.