Sen. Tom Carper (D-Del.) on Wednesday introduced legislation aimed at promoting the voluntary sharing of information about cyber threats by offering liability protections to the private sector, a feature that industry wants to see in a cyber bill that becomes law.
The Cyber Threat Sharing Act of 2015 authorizes the sharing of cyber threat data with the National Cybersecurity and Communications Integration Center (NCCIC) at the Department of Homeland Security, and with Information Sharing and Analysis Organizations (ISAOs) that have self-certified that they follow cyber best practices. The ISAOs were called for in a legislative proposal by President Barack Obama earlier this year, but such organizations don’t exist yet.
A press release issued by Carper’s office said, “The bill makes clear that any cyber data sharing and analysis center or private organization can self-certify as an information sharing and analysis organization under the bill.” Carper is the ranking member on the Senate Homeland Security and Governmental Affairs Committee.
Granting liability protections to companies is seen as a key way to incentivize industry to share cyber threat data with NCCIC.
The legislation also calls for information to be shared within the federal government and with industry in as close to real time as possible. It protects data shared with the NCCIC from disclosure under the Freedom of Information Act and prohibits the data from being used as evidence in a regulatory action against the entity that shared the threat indicator.
The bill also allows sharing of classified and unclassified cyber threat data by the federal government with industry and aims to improve coordination among federal agencies on how they share this data with each other and the private sector.
To answer privacy concerns, Carper’s bill narrowly defines the information that can be shared as cyber threat data and “requires that reasonable efforts be made to minimize data that can be used to identify specific persons,” the release said. The liability protections are only granted for sharing with federal civilian agencies.
This bill “builds on the cyber security bills President Obama signed into law last year by empowering companies with clear legal authority and liability protection to share critical data while still maintaining privacy protections,” Carper said in a statement.