Policy Advocacy

Cybersecurity Information Sharing Act of 2015 (CISA): Building Capacity and Fostering Trust

Passing CISA—the Cybersecurity Information Sharing Act of 2015—was the Chamber’s top cyber policy priority in 2015. The law establishes a voluntary information-sharing program to help strengthen businesses’ resilience against cyberattacks.

CISA gives businesses legal certainty that they have safe harbor when sharing and receiving cyber threat data to mitigate cyber incidents. CISA safeguards individuals’ privacy and civil liberties and establishes appropriate roles for government agencies.

Companies need to feel that policymakers have their backs. The Chamber urges lawmakers and the next administration to be industry’s ally as they use the CISA program. The network of voluntary and protected information-sharing bodies needs to grow. The Chamber wants senior leaders of industry groups to promote CISA among their peers and constituencies.

To learn more about Automated Indicator Sharing (AIS), how it works and how to use it for your own company, visithere

The Cybersecurity Framework: Preserving Flexibility and Collaboration, Driving International Alignment

The jointly crafted industry-National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (the Framework) is a cornerstone of businesses’ risk management practices.

The framework is largely a process—it’s designed to help organizations start a cybersecurity program or improve an existing one. The framework features a number of industry-vetted actions that businesses can take to assess and strengthen their state of security over time. It is not meant to be regulatory, which will be repellent to industry.

Watch this video to learn more about the Framework works and why organizations of all sizes and types should be using NIST’s voluntary Cybersecurity Framework.

Norms and Deterrence: Negotiating Toward Acceptable Behaviors and Imposing Costs on Malicious Actors

The United States needs to coherently increase the costs to bad actors associated with cyberattacks in ways that are timely, legal, and proportionate. The Chamber holds that public and private sector stakeholders should conduct a review of actions that can be appropriately and wisely taken by business and government to deter bad actors. For norms and deterrence to be effective, businesses should have a menu of legal options at their disposal, sending a credible message that cyberattacks on industry and government will not be tolerated.

Many companies operate globally. Standards, guidance, and best practices relevant to cybersecurity are typically industry driven and adopted on a voluntary basis. The globalized economy works via the digital platform. Businesses need a cybersecurity system that is workable across borders.

Commission on Enhancing National Cybersecurity

In February 2016, the President announced a Cybersecurity National Action Plan (CNAP) to take a series of short-term and long-term actions to improve our nation’s cybersecurity posture.  A central feature of that plan is the non-partisan Commission on Enhancing National Cybersecurity, comprised of leading thinkers from business, technology, and academia and charged with making recommendations to the nation for actions that can be taken over the next decade to strengthen cybersecurity in both the public and private sector.

Taken as a whole, the Chamber believes that the Commission’s recommendations to the next administration do not need to solve every complex cybersecurity challenge—there are too many. Instead, the Commission should seek to (1) maintain the momentum of quality initiatives, particularly the joint industry-NIST Framework for Improving Critical Infrastructure Cybersecurity (the Framework) and the new information-sharing law. The Commission should also (2) examine ways to boost adherence to international norms and deterrence.

To read the Chamber’s comments submitted to the Commission, click here.