Cybersecurity Information Sharing Act of 2014: What does it allow?
By: Kyle J. Marcil, Student Law Intern
The Cybersecurity Information Sharing Act of 2014 was created to identify and share cyber threat indicators, which are pieces of information necessary to describe or identify “malicious reconnaissance”; a method of defeating a security control; security vulnerabilities; malicious cyber command; or any other cybersecurity threat.
The Act requires the Director of National Intelligence, Secretary of Homeland Security, Secretary of Defense, and the Attorney General to develop and promote procedures for handling and sharing classified and declassified cyber threat indicators. These procedures will be used to provide private entities as well as government officials a means of collecting and monitoring cyber threats. The Act also calls for a procedure to make unclassified cyber threats available to the public.
Private entities are permitted to monitor and operate countermeasures to prevent cyber threats. In addition, private entities will be allowed to share these cyber threat indicators with other private entities and the federal government. The private entities are also tasked with creating countermeasures to cyber threats.
However, the Act restricts the government from using the indicators to regulate lawful activity and prevents the government from requiring an entity to provide information.
Each federal agency is tasked with developing procedures to aid in the joint effort against cyber threats. The Attorney General must develop tracking procedures and explain limits to protect civil liberties and privacy. The Department of Homeland Security (DHS) Secretary must provide an electronic sharing database and notice to the public.
All federal entities must report to Congress at least every two years to assess the impact on privacy and civil liberties; review the appropriateness of their actions; and describe government violations. Additionally, the Department of National Intelligence must report to Congress its assessment of the current intelligence sharing issues; a list of countries or non-state actors that pose possible threats; a description of the U.S.’s response and prevention capabilities to a cyber threat; and possible enhancements that can be made to improve the defense against cyber threats.