Trade Law Daily is a Warren News publication.
Non-Indicator Sharing Potential?

2015 Cybersecurity Act's Legacy Still to Be Determined, Stakeholders Say

The 2015 Cybersecurity Act's efficacy is still largely to be determined because it's been less than a year since the bill was enacted, said former government officials and industry stakeholders Thursday evening at an FCBA event. Congress passed the information-sharing-centric Cybersecurity Act in December as part of the FY 2016 omnibus spending bill (see 1512180052). The act codified the Department of Homeland Security National Cybersecurity and Communications Integration Center's role as the main civilian hub for cyberthreat information sharing. It enacted strong liability protections for information sharing and required private sector entities to remove personally identifiable information from data prior to sharing.

DHS thinks “they're in the process of getting their part [of the information sharing apparatus created in the Cybersecurity Act] up and running and getting companies to buy in,” said ex-Deputy General Counsel Jonathan Meyer, a Sheppard Mullin cybersecurity and government contracts lawyer. DHS and DOJ released finalized information sharing rules in June (see 1606150059). DOD Senior Cyber Policy Adviser Charley Snyder said he believes information sharing generally is a good concept but “it really depends on what you do with the information.” The act presents a potential “broad and interesting avenue” for government-to-private sector sharing about potential defensive measures, he said.

It's “impossible to know” yet how the law ultimately will affect information sharing, since DHS and DOJ only recently finalized their sharing rules, said Mozilla Senior Policy Manager-Americas Heather West. Mozilla is “broadly skeptical” of cyber information sharing for privacy reasons, but the act “has the potential to help,” particularly if it actually encourages the federal government to share with private sector entities more of the information it collects, West said.

The law's legacy is “undetermined” but it's encouraging that information sharing and analysis centers and organizations are viewing the information sharing apparatus that the bill set up as an opportunity to more widely circulate non-indicator information like patches and vendor information, said HackerOne Director-Government Affairs Mara Tam. They have been wanting to “do this in a trusted system where you can do this across a supply chain.” A lot of companies “are coming around to the idea that [non-indicator] threat information sharing and sharing defensive information is really where a lot of value is for them,” Tam said.