Cybersecurity Information Sharing Act (CISA) is proposed legislation that would allow United States government agencies and non-government entities to share information with each other as they investigate cyberattacks. Sharing is voluntary for participating organizations outside the government.
Currently, a number of U.S. regulatory frameworks impede such sharing. For example, should a hospital in the United States come under attack, hospital administrators could be prevented from sharing information with government agencies because of privacy restrictions in the Health Insurance Portability and Accountability Act (HIPAA).
Under CISA, the Director of National Intelligence and the federal departments of Homeland Security, Defense and Justice are required to work together and develop procedures for sharing cybersecurity threat information. Non-federal entities will be required to remove personal information before sharing cyber-threat indicators, and the Department of Homeland Security (DHS) will be required to conduct a privacy review of received information.
Opponents of the legislation worry that the federal government will abuse the information it gathers. As of this writing, the government may only use shared information to:
- Serve a cybersecurity purpose.
- Identify the source of a cybersecurity threat or security vulnerability.
- Identify cybersecurity threats involving the use of an information system by a foreign adversary or terrorist.
- Prevent or mitigate an imminent threat of death, serious bodily harm or serious economic harm, including a terrorist act or a use of a weapon of mass destruction.
- Prevent or mitigate a serious threat to a minor, including sexual exploitation and threats to physical safety.
- Prevent, investigate, disrupt or prosecute an offense arising out of such a threat, including serious violent felonies and offenses relating to fraud and identity theft.