
The Cybersecurity Information Sharing Act (CISA, 113th Congress, 114th Congress) is a United States federal law designed to "improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes". The law allows the sharing of Internet traffic information between the U.S. government and technology and manufacturing companies. The bill was introduced in the U.S. Senate on July 10, 2014, and passed in the Senate on October 27, 2015. Opponents question CISA's value, believing it will move responsibility from private businesses to the government, thereby increasing vulnerability of personal private information, as well as dispersing personal private information across seven government agencies, including the NSA and local police. The text of the bill was incorporated by amendment into a consolidated spending bill in the U.S. House on December 15, 2015, which was signed into law by President Barack Obama on December 18, 2015.


History

The Cybersecurity Information Sharing Act was introduced on July 10, 2014, during the 113th Congress, and passed the Senate Intelligence Committee by a vote of 12–3. The bill did not reach a full Senate vote before the end of the congressional session. The bill was reintroduced for the 114th Congress on March 12, 2015, and passed the Senate Intelligence Committee by a vote of 14–1. Senate Majority Leader Mitch McConnell (R-KY) attempted to attach the bill as an amendment to the annual National Defense Authorization Act, but was blocked 56–40, not reaching the necessary 60 votes to include the amendment. Mitch McConnell hoped to bring the bill to a Senate-wide vote during the week of August 3–7, but was unable to take up the bill before the summer recess. The Senate tentatively agreed to limit debate to 21 particular amendments and a manager's amendment, but did not set time limits on debate. In October 2015, the US Senate took the bill back up following legislation concerning sanctuary cities.


Provisions

The main provisions of the bill make it easier for companies to share personal information with the government, especially in cases of cyber security threats. Without requiring such information sharing, the bill creates a system for federal agencies to receive threat information from private companies. With respect to privacy, the bill includes provisions for preventing the sharing of personal data that is irrelevant to cyber security. Any personal information that does not get removed during the sharing procedure can be used in a variety of ways. These shared cyber threat indicators can be used to prosecute cyber crimes, but may also be used as evidence for crimes involving physical force.


Positions


Indemnification

Sharing National Intelligence threat data among public and private partners is a hard problem, and one that many care about. The National Intelligence Threat Sharing (NITS) project is intended as an innovative solution to this hard problem. Altogether NITS is both innovative and useful. But first, to ensure that NITS is trustworthy, private partners must be indemnified. Indemnification takes an act of Congress, literally. The underlying impediment to more fulsome cooperation among buyers, sellers, and peers within a supply chain is indemnification. Indemnification is needed to secure industry partners against legal responsibility for their actions. Unfortunately, congressional refusal to offer indemnification remains an impediment to real collaboration. At least qualified immunity should be accorded. This is immunity of individuals performing tasks as part of the government's actions.


Businesses and trade groups

The CISA has received some support from advocacy groups, including the United States Chamber of Commerce, the National Cable & Telecommunications Association, and the Financial Services Roundtable. A number of business groups have also opposed the bill, including the Computer & Communications Industry Association, as well as individual companies such as Twitter, Yelp, Apple, and Reddit. BSA (The Software Alliance) appeared initially supportive of CISA, sending a letter on July 21, 2015, urging the Senate to bring the bill up for debate. On September 14, 2015, the BSA published a letter of support for, amongst other things, cyber threat information sharing legislation, addressed to Congress and signed by board members Adobe, Apple Inc., Altium, Autodesk, CA Technologies, DataStax, IBM, Microsoft, Minitab, Oracle, Salesforce.com, Siemens, and Symantec. This prompted the digital rights advocacy group Fight for the Future to organize a protest against CISA. Following this opposition campaign, BSA stated that its letter expressed support for cyber threat sharing legislation in general, but did not endorse CISA, or any pending cyber threat sharing bill in particular. BSA later stated that it is opposed to CISA in its current form. The Computer & Communications Industry Association, another major trade group including members such as Google, Amazon.com, Cloudflare, Netflix, Facebook, Red Hat, and Yahoo!, also announced its opposition to the bill.


Government officials

Proponents of CISA include the bill's main cosponsors, senators Dianne Feinstein (D-CA) and Richard Burr (R-NC). Some senators have announced opposition to CISA, including Ron Wyden (D-OR), Rand Paul (R-KY), and Bernie Sanders (I-VT). Senator Ron Wyden (D-OR) has objected to the bill based on a classified legal opinion from the Justice Department written during the early George W. Bush administration. The Obama administration states that it does not rely on the legal justification laid out in the memo. Wyden has made repeated requests to the US Attorney General to declassify the memo, dating at least as far back as when a 2010 Office of Inspector General report cited the memo as a legal justification for the FBI's warrantless wire-tapping program. On August 4, 2015, White House spokesman Eric Schultz endorsed the legislation, calling for the Senate to "take up this bill as soon as possible and pass it". The United States Department of Homeland Security initially supported the bill, with Jeh Johnson, the secretary of the DHS, calling for the bill to move forward on September 15. However, in an August 3 letter to Senator Al Franken (D-MN), the deputy secretary of the DHS, Alejandro Mayorkas, expressed a desire to have all connections be brokered by the DHS, given the department's charter to protect the executive branch networks. In the letter, the DHS found issue with the direct sharing of information with all government agencies, advocating instead that the DHS be the sole recipient of cyberthreat information, allowing it to scrub out private information. In addition, the Department of Homeland Security has published a Privacy Impact Assessment detailing its internal review of the proposed system for handling incoming indicators from industry.


Civil liberties groups

Privacy advocates opposed a version of the Cybersecurity Information Sharing Act, passed by the Senate in October 2015, that left intact portions of the law they said made it more amenable to surveillance than actual security while quietly stripping out several of its remaining privacy protections. CISA has been criticized by advocates of Internet privacy and civil liberties, such as the Electronic Frontier Foundation and the American Civil Liberties Union. ("Beware the Dangers of Congress’ Latest Cybersecurity Bill", Sandra Fulton, ACLU (Washington, USA), June 27, 2014.)


Similar laws in different countries

* United Kingdom government policy: cyber security
* The Scottish Government Information Sharing


See also

* Anti-Counterfeiting Trade Agreement
* Chinese intelligence operations in the United States
* Communications Assistance for Law Enforcement Act
* Federal Information Security Management Act of 2002
* Freedom of information laws by country
* Intellectual Property Attache Act
* National Security Agency
* Vulnerabilities Equities Process




External links


* S.2588 - Cybersecurity Information Sharing Act of 2014, Congress.gov, Library of Congress.
* "Cybersecurity Information Sharing Act will help protect us", Dianne Feinstein, ''San Jose Mercury News'', July 21, 2014.
* Forbes: Controversial Cybersecurity Bill Known As CISA Advances Out Of Senate Committee, Gregory S. McNeal, July 9, 2014.
* Center for Democracy and Technology: Analysis of Cybersecurity Information Sharing Act, Gregory T. Nojeim and Jake Laperruque, July 8, 2014.
* CISA Security Bill Passes Senate With Privacy Flaws Unfixed, Andy Greenberg and Yael Grauer, Oct 27, 2015.
