Three bills have been introduced in Congress that are intended to improve information sharing on cybersecurity threats and analysis between the public and private sector. Senator Richard Burr (R-NC) has introduced S. 754, the Cybersecurity Information Sharing Act (CISA). The Protecting Cyber Networks Act, H.R. 1560, was introduced by Rep. Devin Nunes (R-CA), while Rep. Michael McCaul (R-TX) introduced H.R. 1731, the National Cybersecurity Protection Advancement Act of 2015. All three of these bills are similar in that they provide liability protection to entities that choose to share information with the federal government through proscribed pathways. Each chooses to approach the information sharing process from different angles, though.
CISA is the lead proposal in the information sharing debate and tackles the issue as a whole. The two House bills borrow heavily from the language of the Senate proposal but divide the information sharing process into two avenues. The National Cybersecurity Protection Advancement Act makes the Department of Homeland Security’s (DHS) National Cybersecurity Communications Integration Center (or NCCIC) the primary hub for information sharing, while the Protecting Cyber Networks Act approaches the issue from an intelligence perspective. All of the bills require that measures be taken to scrub any personally identifiable information that isn’t related to a cyber risk from the relevant information before it is shared with the given federal agency.
These bills do not appear to have adverse implications for the higher education community. One element of the proposals did concern EDUCAUSE at first glance, though – their possible impact on Information Sharing and Analysis Centers (or ISACs). ISACs are organizations of similar entities and industries that share information among each other in order to better protect networks and critical information as well as analyze potential threats. The Research and Education Networking Information Sharing and Analysis Center (REN-ISAC), of which EDUCAUSE is a member, serves as the ISAC for higher education.
While the Senate bill only references ISACs, the president’s Executive Order issued on February 13, 2015, introduced the concept of Information Sharing and Analysis Organizations (ISAOs), which would act as regional centers for entities to share information. The House Homeland Security bill picked up this concept and included it in the bill language. Given the lack of details provided about ISAOs and how they would relate to ISACs, EDUCAUSE was initially concerned that these new structures would affect the efficiency and effectiveness of the pre-existing ISACs. Consultations with REN-ISAC as well as staffers of Rep. McCaul minimized such concerns. As presently understood, ISAOs would be intended to fill in the gaps in the existing cybersecurity information sharing structure by covering those entities or organizational relationships that don’t fit easily into an existing ISAC.
As a result, EDUCAUSE’s congressional outreach on this issue has focused on ensuring that higher education has access to raise concerns should any emerge. The Senate is expected to take up its bill in June, with the House having previously passed both of its bills. The Obama Administration has tentatively endorsed the House measures, so passage of the Senate bill and its reconciliation with the House’s legislation could easily lead to a new cybersecurity information law later this year.