October 23, 2015 | Issue Brief on National Security and Defense
The Senate is now considering the Cybersecurity Information Sharing Act (CISA), and the sponsors of the bill have presented a manager’s amendment in addition to many other amendments presented by individual Senators. While some of these amendments are technical or have no significant influence on the bill, several will harm the value and likelihood of information sharing.
Information sharing is centered on exchanging data about cybersecurity threats and vulnerabilities between and among private-sector and government actors. Much as the Waze application or a radio traffic report warns commuters away from an accident, information sharing helps private-sector and public-sector organizations avoid cyber attacks and avoid running flawed programs. As such, information sharing focuses on threat signatures and faulty code in IT products, not on personal data such as the contents of e-mails. Such shared information should be available to law enforcement to stop and investigate cyber-crimes, as well as to investigate other problems related to those cyber-crimes.
In order to ensure that such sharing occurs, the private sector needs liability and regulatory protections, as well as immunity from Freedom of Information Act (FOIA) requests. Without those protections, companies will be hesitant to share information because it could be used against them in court, by a regulator, or by their competitors and cyber adversaries. While information sharing is not a silver bullet, it will improve the information available to all parties, and thus can improve America’s cybersecurity posture.
In the manager’s amendment, there do not appear to be any provisions that harm information sharing, but CISA was also expanded to include non-information-sharing provisions. Flowing from the failure to detect the hack on the Office of Personnel Management (OPM), CISA’s new Title II seeks to strengthen the federal government’s ability to detect intrusions on its own networks, and to ensure that appropriate strategies, plans, and assessments guide the development of these capabilities. Title III seeks to identify federal cyber workforce needs and requires each agency to develop a plan to remedy its cyber workforce shortcomings. The final title calls for a variety of studies and strategies, including on mobile security, State Department cyber diplomacy, apprehending cyber criminals, emergency services cybersecurity, the security of the health care industry, and vulnerable infrastructure.
Other amendments are harmful. Senator Patrick Leahy’s (D–VT) amendment would strip the bill’s remaining protections against FOIA requests, which would certainly harm information sharing and make voluntarily shared information available to competitors and adversaries. Any amendment that requires additional, duplicative scrubbing of personal identification, beyond the provisions already in the bill, would further slow down information sharing and lessen its usefulness.
While one of Senator Jeff Flake’s (R–AZ) amendments institutes a six-year sunset provision—which may threaten the use of information sharing due to companies preferring long-term protections—it does wisely include a savings clause to protect information-sharing activities that occurred while the act was in force.
One other amendment that has been pulled from consideration but is worth mentioning is the Judicial Redress Act, which quickly passed the House on suspension. This act would allow citizens and governments of select allies as well as “regional economic integration organizations,” such as the European Union, to sue U.S. agencies that do not properly respond to requests made under the Privacy Act. European nations have demanded such provisions as part of negotiations regarding transatlantic data transfers. The measure certainly does not belong in the CISA debate and it may open U.S. intelligence and law enforcement agencies up to even more lawsuits from individuals and governments across the world. While U.S. citizens supposedly can make similar requests and take similar legal action against European nations, it would be worth investigating to see if this is actually true in practice.
To ensure that information sharing contributes as much as possible to U.S. cybersecurity, Congress should:
CISA will improve the cybersecurity of the U.S. so long as amendments do not weaken information-sharing provisions. Congress should also be looking for additional ways to strengthen U.S. cybersecurity, especially when responding to aggressive state actors in cyberspace.

David Inserra is Policy Analyst for Homeland Security and Cyber Security in the Douglas and Sarah Allison Center for Foreign and National Security Policy, of the Kathryn and Shelby Cullom Davis Institute for National Security and Foreign Policy, at The Heritage Foundation.
1. David Inserra, “Senate Cyber Information Sharing Bill: Good Start But Can Be Improved,” Heritage Foundation Issue Brief No. 4381, April 10, 2015, http://www.heritage.org/research/reports/2015/04/senate-cyber-information-sharing-bill-good-start-but-can-be-improved.
2. Managers’ Amendment to Cybersecurity Information Sharing Act of 2015, S. 754, 114th Cong., 1st Sess., http://static.politico.com/a0/21/0d51de3c4da3a7da118fdf92e1f5/cisa-managers-amendment.pdf (accessed October 22, 2015), and Cybersecurity Information Sharing Act of 2015, S. 754, 114th Cong., 1st Sess., https://www.congress.gov/bill/114th-congress/senate-bill/754/amendments (accessed October 22, 2015).
3. David Inserra and Paul Rosenzweig, “Cybersecurity Information Sharing: One Step Toward U.S. Security, Prosperity, and Freedom in Cyberspace,” Heritage Foundation Backgrounder No. 2899, April 1, 2014, http://www.heritage.org/research/reports/2014/04/cybersecurity-information-sharing-one-step-toward-us-security-prosperity-and-freedom-in-cyberspace.
4. Inserra, “Senate Cyber Information Sharing Bill: Good Start But Can Be Improved.”
5. Cybersecurity Information Sharing Act of 2015, S. 754, 114th Cong., 1st Sess., https://www.congress.gov/bill/114th-congress/senate-bill/754/amendments (accessed October 22, 2015).
6. STIX stands for Structured Threat Information Expression. It “is a structured language for describing cyber threat information so it can be shared, stored, and analyzed in a consistent manner.” Together with other tools, such as the Trusted Automated Exchange of Indicator Information (TAXII), information sharers can use a common language and process for sharing information, knowing what information to share and how to share it, which reduces the inadvertent inclusion of personally identifiable information. STIX and TAXII are being transitioned to an international standards body because they have reached a sufficient level of maturity. “About STIX,” Mitre Corporation, http://stixproject.github.io/about/ (accessed October 22, 2015), and “STIX/TAXII Standards Transition–Frequently Asked Questions,” Mitre Corporation, https://stixproject.github.io/oasis-faq.pdf (accessed October 22, 2015).