The Senate Intelligence Committee recently approved the “Cybersecurity Information Sharing Act”, which would facilitate the sharing of information about cybersecurity threats or countermeasures among private entities and with the federal government. If information is shared in accordance with certain requirements (such as the use of technical controls to protect shared information), the bill provides broad protections for entities sharing information for cybersecurity purposes, including immunity against any legal action related to the monitoring, sharing, or receipt of information done in accordance with the Act.
The bill was introduced the same week that the global information technology (IT) firm Unisys published a study concerning how utility, energy, and manufacturing companies in 13 different countries address cybersecurity threats. The study analyzed survey responses by IT practitioners in charge of securing or overseeing the security of their organizations’ information systems. Among the most notable findings of the study, most survey respondents (57%) agreed that risks to SCADA and other types of industrial control systems have substantially increased because of cyber threats, and only 21% agreed that the risk level to SCADA has substantially decreased because of regulations and industry-based security standards.
Information-sharing among private entities and with government is widely seen as essential to effective and timely response to cybersecurity threats. These concepts are integral components of the White House’s Framework for Improving Critical Infrastructure Security (Framework) and the Department of Homeland Security’s Critical Cyber Community Voluntary Program (C3 Voluntary Program), both announced in March 2014. (See prior post here.) As with the drafting of the Framework, however, privacy advocates have raised concerns regarding the adequacy of safeguards for personal information in the Cybersecurity Information Sharing Act. It is therefore uncertain how the current bill will fare in light of these objections. Nevertheless, given the recent industry survey findings, it is clear that cyber risks to energy infrastructure are growing and that enhanced public/private and private/private coordination would be beneficial, assuming appropriate privacy safeguards can be devised.