Omnibus spending bill: strongest cybersecurity protections to date
December 18, 2015 | By Barbara Vergetis Lundin
Today, the House will vote on -- and is expected to pass -- a massive year-end omnibus spending bill, which includes provisions regarding cyber security and cyber threat information sharing.
The omnibus spending bill includes the Cybersecurity Act of 2015 and the FY16 Intelligence Authorization Act.
The Cybersecurity Act of 2015 is similar to the Protecting Cyber Networks Act (HR 1560), which passed the House on April 22 by a vote of 307-116. It also resembles the National Cybersecurity Protection Advancement Act of 2015, which passed the House by a vote of 355-63, and the Cybersecurity Information Sharing Act of 2015, which passed the Senate by a vote of 74-21.
"The Cybersecurity Information Sharing Act of 2015 (CISA) is legislation that we need now…Over the past several years, major cyberattacks have dominated the headlines and dramatically raised public awareness of online security," said U.S. Chamber of Commerce President and CEO Thomas J. Donohue. "This legislation, long championed by the Chamber, is our best chance yet to help address this economic and national security priority in a meaningful way and help prevent further attacks. Government and businesses alike are the target of these criminal efforts, and CISA will allow industry to voluntarily work with government entities to better prevent, detect, and mitigate threats."
The Cybersecurity Act of 2015 includes measures agreed upon in negotiations between the House Permanent Select Committee on Intelligence, the House Committee on Homeland Security, the House Judiciary Committee, the Senate Select Committee on Intelligence, and the Senate Committee on Homeland Security and Governmental Affairs, which are designed to allow for greater information-sharing on cyber threats among private-sector companies and between the private sector and the government.
For example, the Act establishes the Department of Homeland Security (DHS) as the portal for cyber threat information sharing with the government, while giving the President the authority to designate an additional, civilian portal if the DHS portal fails to be fully and securely operational. In addition, it provides positive authority to share cyber threat indicators and defensive measures, and provides for strong and clear liability protections.
The bill also provides $314 million -- $10 million more than the fiscal year 2015 level -- for cybersecurity activities, which will serve, in part, to better protect the DOE and national laboratories from increasingly frequent cyberattacks, and improve the cybersecurity of the energy sector.
Part of the cybersecurity funding included in the bill is for research, specifically including $72.7 million for cryptographic standards -- an increase of $7 million -- and $31.5 million for the expanded National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence (NCCOE), which will consolidate the activities of the National Strategy for Trusted Identities in Cyberspace into the NCCOE.
"It is difficult to overstate the threat posed by bad cyber actors to our security, our privacy and our economy. After several years of effort, Congress has now produced a bipartisan cyber bill that allows the private sector and government to share information about malicious intrusions to protect Americans from further harm," said Ranking Member Adam Schiff. "The bill contains the strongest privacy protections to date, requiring personal information to be stripped out before malicious code is shared with DHS, and providing narrow liability protections to protect businesses that voluntarily participate in the program. It is the most significant effort by Congress to address the cyber threat to date, and should now become law."
Legislation designed to increase cyber-threat information sharing between the private and public sectors had passed both the House and Senate earlier this year, but inclusion of final language in year-end spending bills means that reconciled legislation can finally be signed into law by President Obama.
"Cyber-attacks will increasingly be the tool of choice for criminal syndicates, rogue states and terrorist organizations bent on disrupting and damaging America's economy. Giving businesses the tools and legal protections needed to share cyber-threat indicators is the first step in what must be a national commitment to protecting American businesses and consumers," said Nicholas Ahrens, vice president, privacy and cybersecurity, Retail Industry Leaders Association (RILA). "Cyber-attacks and the criminal elements that sponsor them are growing more sophisticated and brazen in their attacks on businesses, institutions, infrastructure and governments. Collaboration between the private sector and government is essential for businesses and law enforcement to better tackle this evolving threat and protect our economy."
© 2015 FierceMarkets, a division of Questex, LLC. All rights reserved.