On Dec. 18, 2015, President Obama signed into law an omnibus spending bill that included the Cybersecurity Act of 2015 (“The Act”). The Act was a compromise of cybersecurity information sharing bills that passed the House and Senate earlier in 2015. It creates a voluntary process for sharing cybersecurity information and is intended to encourage public- and private-sector entities to share cyber-threat information. The Act is controversial, as the active sharing of information between and among the Federal Government and private sector entities does not currently occur routinely or effectively.
Private sector entities have been, and still are, very reluctant to share their security threat and breach information with the Federal Government. They face obvious business risks in disclosing individuals’ confidential information, including potential consumer lawsuits. Further, information shared with the Federal Government could be used as evidence against the entity in potential regulatory actions. The disclosure and routine sharing of private sector security failures are not easy decisions for private entities, and they are red-hot topics at board-level meetings, especially for entities whose stock is publicly traded.
Federal, state and local municipalities are also loath to disclose their failure to adequately protect and restrict access to private and public records. Trust in our public sector officials is at an all-time low due to these security breaches, which highlight an obvious neglect to remain current on critical security patches and basic perimeter controls that prevent unauthorized access by cybercriminals. Recent public sector security breaches include the Internal Revenue Service, which allowed hackers to obtain detailed tax-return information on 104,000 taxpayers; the Office of Personnel Management (OPM), which compromised the personal information of more than 21 million current and former government employees; and the U.S. Postal Service, which had over 800,000 employee records stolen.
The Act strives to address many of the private and public concerns to encourage information sharing between and among the Federal Government and entities in the private sector. It also directs certain departments (Commerce, Defense, Energy, Homeland Security, Justice, Treasury and Office of the Director of National Intelligence) to create a process for sharing both classified and unclassified cyber-threat indicators and defensive measures with the private sector, as well as information relating to certain cybersecurity threats and best practices.