The headline is the Cybersecurity Information Sharing Act of 2015, which had been bandied about for months before being folded into the budget at the last minute. The Act requires the federal government to set up procedures to help companies report cyber threats if they want to. And it gently pushes companies to share information on cyber threats—not just to the government, but with each other—by granting companies broad immunity for doing so. Without this immunity, companies could be subject to any number of legal claims, most notably privacy claims from data subjects. Even though the immunity has its limits, such as a caveat requiring companies to strip out non-essential personal information before sharing and a carveout for existing contractual duties of privacy, it continues to foster controversy.
The budget also provides for the government’s own cybersecurity. The National Cybersecurity Protection Advancement Act of 2015 aims to bolster the US government’s internal cybersecurity defences. Similarly, the Federal Cybersecurity Workforce Assessment Act of 2015 commissions extensive reports on the cybersecurity experts that the government relies on, and on what’s needed to recruit more experts to keep pace with growing threats. There are prohibitions on certain departments using funds for major computer systems unless they first assess the associated cyber risks. (Interestingly, the Act singles out the risks posed by Chinese hackers for specific mention.) The Secretary of State must issue a report addressing, among other things, “cyber security measures to mitigate vulnerabilities, including those resulting from the use of personal email accounts or servers outside the .gov domain.” And of course there’s loads of cybersecurity funding for defence agencies, including a whopping $100 million for the Department of Homeland Security between now and October 2017. In short, there’ll be plenty of business for cybersecurity firms for the foreseeable future.
With respect to cybersecurity for the private sector, the Secretary of State is required to formulate a “comprehensive strategy relating to United States international policy with regard to cyberspace,” with particular attention to international cyber threats. Various heads of the intelligence, defense, and law enforcement community are required to produce a report on cybersecurity threats, including cyber attacks, theft, and data breaches, and to carry out a study to establish appropriate standards for measuring the damage of cyber incidents. And the Act commissions a report on cybersecurity in the healthcare industry and even establishes a Health Care Industry Cybersecurity Task Force.
But privacy advocates and civil liberties groups see CISA as a free pass that allows companies to monitor users and share their information with the government without a warrant, while offering a backdoor that circumvents any laws that might protect users’ privacy.