Senator Carper Introduces Bill to Increase Sharing of Cyber Threat Data

WASHINGTON – Today, Sen. Tom Carper (D-Del.), ranking member of the Homeland Security and Governmental Affairs Committee, introduced a bill to better protect private industry and the federal government from evolving and growing cyber threats to our national and economic security. The Cyber Threat Sharing Act of 2015 would take critical steps to remove barriers in order to increase the sharing of cyber threat data between private industry and the federal government.

“Today, those seeking to do us harm do not need to travel thousands of miles to carry out an attack,” Sen. Carper said. “They can disrupt our lives and cause great damage with just a few keystrokes at a computer. Last year, Congress made strides in bolstering our nation’s cyber defenses by passing four cybersecurity bills that strengthen our national security and help modernize our nation’s cybersecurity and cyber workforce. But more must be done. One of our top priorities in Congress must be to promote the sharing of cyber threat data among the private sector and the federal government to defend against cyber-attacks and encourage better coordination.

“The Cyber Threat Sharing Act of 2015 builds on the cybersecurity bills President Obama signed into law last year by empowering companies with clear legal authority and liability protection to share critical data while still maintaining privacy protections,” he continued. “This bill reflects the valuable input of the Administration and incorporates insights and advice from our Committee’s hearing on the topic earlier this month. Introduction of this bill is the logical next step in this conversation. I value the work the leaders of the Senate Intelligence Committee and others have done on this issue. I invite and encourage all stakeholders to engage with my colleagues on the Homeland Security and Governmental Affairs Committee and me and provide feedback on how we can make this bill better in an open and transparent process. We must all work together to find a legislative solution that will address our cybersecurity needs while upholding the civil liberties we all cherish. And given the threats we face today, we must move with a sense of urgency. The country is counting on us.”

The Cyber Threat Sharing Act of 2015 would increase the sharing of cyber threat data to help combat cyber attacks in four key ways:

Authorizes sharing and provides liability protections: The bill would clearly authorize the sharing of cyber threat data with:

  • The National Cybersecurity and Communications Integration Center (NCCIC) at the Department of Homeland Security; and        
  • Information sharing and analysis organizations that have self-certified that they follow best practices for the operation of such organizations. 

The bill makes clear that any cyber data sharing and analysis center or private organization can self-certify as an information sharing and analysis organization under the bill.  The bill grants liability protections to companies for sharing cyber threat data with the NCCIC or an information sharing and analysis organization that has self-certified it is following best practices.

Sharing within the government and protection of information:  The bill requires the Secretary of Homeland Security, in coordination with the Attorney General, and in consultation with other appropriate Federal agencies, to ensure that cyber threat data are shared with other federal entities in as close to real time as practicable. The bill ensures that cyber threat data shared with the NCCIC pursuant to the legislation will be protected from disclosure under the Freedom of Information Act and may not be used as evidence in a regulatory action against the entity that shared the cyber threat indicator. 

Government to industry sharing and improved coordination:  The bill emphasizes Federal government sharing of classified and unclassified cyber threat data with industry.  The bill would also improve coordination among agencies on how they share threat data with each other and with industry. This helps ensure that companies can receive useful protective information from within the Federal government in a timely and actionable manner. 

Builds in strong privacy protections:  The bill narrowly defines what may be shared among industry and with the Federal government to cyber threat data and requires that reasonable efforts be made to minimize data that may be used to identify specific persons.  It ensures that strong privacy policies exist within the Federal government for cyber threat sharing, and that liability protections for sharing with the federal government are only granted for sharing with a civilian agency and only once appropriate privacy policies are in place.  It would narrowly limit how the Federal government could use cyber threat data it receives.  It would also require transparency reports on the bill’s implementation to ensure accountability in the sharing of cyber threat data.  The bill has a five-year sunset to ensure that as technology evolves, Congress can reexamine the implementation of the program to ensure it is still effective and adequately protects civil liberties.

Last Congress, the Senate Homeland Security and Governmental Affairs Committee authored several cybersecurity bills, which the president signed into law in December. Those include the Federal Information Security Modernization Act (S.2521) to update the Federal Information Security Management Act, the National Cybersecurity Protection Act of 2014 (S.2519) authorizing a National Cybersecurity and Communications Integration Center at the Department of Homeland Security for information sharing, and two bills to improve the federal cybersecurity workforce — the Cybersecurity Workforce Assessment Act (H.R.2952) and the Border Patrol Pay Reform Act (S.1691) (which contains provisions from the DHS Cybersecurity Workforce Recruitment and Retention Act of 2014).