After several years of discussion, the Cybersecurity Act of 2015 was signed into law as part of the 2016 omnibus spending bill. The Cybersecurity Act of 2015 encourages sharing of cyber threat information between private businesses and the federal government. In addition to the sharing of threat information, the Act will require the federal government to release periodic cybersecurity best practices.
There has been a great deal of criticism for the long-awaited legislation, some wary of whether the liability protections hold up against the more stringent Safe Harbor protections. Others believe the past-looking focus of the legislation will only marginally improve cybersecurity, since it does not focus on new threats or risks but rather past actions. Still further, other critics believe the bill is a mask for surveillance due to its vague language. Many organizations have stated they will not take place in information sharing, which makes critics wonder if the law holds any value.
Still, at face value, a greater sharing of cyberthreat information is a good first step toward improving cybersecurity for both public and private sector. CEO and co-founder of TruSTAR Technology, summarized:
"This is the first tangible demonstration of a partnership between Congress, the Administration and the private sector to address the critical need for cyber incident sharing to help protect our economy and national security. Providing liability relief for companies sharing cyber incident data amongst themselves and with the government provides a foundation on which to build a more collaborative cybersecurity defense. However, information-sharing should not have to cost us our privacy, and now it will be up to the private sector to build an infrastructure that both promotes security and preserves trust."
The law’s provisions are voluntary, but should your organization wish to take part, it is recommended that you still consult counsel in order to ensure the Act does not interact with other federal or state laws and regulations that impact your organization’s use of personally identifiably information (PII) or proprietary information. The bill does require that organizations scrub personal information from cyber threat data shared, so a thorough understanding of data being shared will be key to ensuring privacy is not compromised by the good intentions of cyber threat information sharing.