CALEA and the Cybersecurity Information Sharing Act
CALEA (1994) requires telecommunications carriers to design interception capability into their products; the FCC extended it to broadband and VoIP. CISA (2015) lets companies voluntarily share cyberthreat indicators with liability, privilege, and FOIA protections, but they must first remove personal information.
CALEA (the Digital Telephony Bill) requires telecommunications carriers to design products and services so they can carry out lawful interception orders. It originally did not cover internet services, but in 2005 the FCC extended it to broadband internet access and VoIP providers that interconnect with traditional telephone service.
CISA permits the federal government to share unclassified technical attack data with companies and encourages companies to voluntarily share cyberthreat indicators and defensive measures. Participation is voluntary.
- A company must FIRST remove personal information not directly related to a threat (or use a technical capacity to do so) before sharing
- Sharing with the FEDERAL government does not waive privileges - but there is NO similar protection for sharing with state/local governments or other companies
- Shared information is exempt from federal and state FOIA
- Government may not use shared information to regulate or take enforcement action against lawful activities (but may use it to develop new cybersecurity rules)
- Companies are protected from liability for monitoring - but NOT for operating defensive measures