The Cybersecurity Act of 2015 (the Act) was passed into law on December 18, 2015, as Division N of H.R. 2029 (Consolidated Appropriations Act of 2016), the 2016 omnibus spending bill. Less than a month later, H.R.4350 was introduced as a bipartisan bill to repeal the Act. Proponents of the Act assert that legislation is needed to address vulnerabilities created as innovations in technology emerge and create gaps in existing law. Opponents to the Act argue that it is unlikely to successfully thwart cyber attacks and creates a broad threat to privacy and question its legitimacy, viewing it as hastily signed into law as part of a spending bill.
Highlights of the Act include the following:
- Title I: Cybersecurity Information Sharing
- Establishes the framework for the voluntary, real-time sharing of cybersecurity information, such as “cyber threat indicators” and “defensive measures” between “non-federal entities” (defined to include state, tribal, or local governments) and “federal entities.”
- Provides liability protections by stating Title I shall not be construed to create “a duty to share” or a “duty to warn or act based on the receipt of a cyber threat indicator or defensive measure” and an antitrust exemption.
- Requires the removal of “personal information of a specific individual or information that identifies a specific individual” who is “not directly related to a cybersecurity threat.”
- Provides that Title I shall not be construed “to prevent the disclosure of a cyber threat indicator or defensive measure shared under this title in a case of criminal prosecution, when an applicable provision of Federal, State, tribal, or local law requires disclosure in such case.”
- Title II: National Cybersecurity Advancement
- Subtitle A, “National Cybersecurity and Communications Integration Center,” a part of the US Department of Homeland Security (DHS), is designated as the federal entity to implement the sharing of information as authorized in Title I, but explicitly does not grant DHS “any authority to promulgate regulations or set standards relating to the cybersecurity of non-Federal entities.”
- Subtitle B, “Federal Cybersecurity Enhancement,” establishes and amends cybersecurity-related requirements for the federal government to improve federal network security, create an intrusion assessment plan, advance internal defenses, and establish specific reporting requirements for government agencies.
- Title III: Federal Cybersecurity Workforce Assessment
- Requires the government to assess federal government cybersecurity workforce needs.
- Title IV: Other Cyber Matters
- Requires the development of government studies and voluntary best practices for cybersecurity.
- Requires an amendment to the Access Device Fraud Statute that allows prosecution of foreign individuals for access device fraud, even if none of their assets are within US jurisdiction.