A major cybersecurity law is expiring soon — and advocates are prepping to push Congress for renewal – CyberScoop
A push is gearing up to renew an expiring 10-year-old cybersecurity law that was viewed at its initial passage as the most significant cybersecurity legislation Congress had ever passed, and that advocates say now fosters several important threat-sharing initiatives.
The 2015 Cybersecurity Information Sharing Act provides safeguards for companies that voluntarily share threat intelligence data with the government or each other, such as federal antitrust exemptions and shields against state and federal disclosure laws.
Reauthorization of the law faces several hurdles, including uncertainty about who will take the lead on the bill in the House and Senate, potential privacy concerns, a tight timeline, and other competing priorities. There are also some who believe the law could use updates to fit today’s threats, potentially introducing further complications.
But its renewal has some bipartisan support, including among leaders of committees important to its passage, and there is optimism among outside groups that it can win congressional approval. The push is in the very early stages, but there’s a “growing recognition” that it needs to be reauthorized, said Matthew Eggers, vice president of cybersecurity policy in the U.S. Chamber of Commerce’s cyber, intelligence and security division.
“We’re in a little bit of spring training in the sense that we haven’t advocated for this legislation for about 10-plus years,” he said. “A number of organizations, over the last 10 years, have probably taken for granted the work that’s been done to get the legislation passed.”
What the bill accomplished
The 2015 law — often called “2015 CISA” to differentiate it from the agency with the same acronym, the Cybersecurity and Infrastructure Security Agency — evolved from earlier bills, namely an effort that began in 2009 and culminated in an ultimately unsuccessful attempt in 2012 to pass “comprehensive, bipartisan cybersecurity legislation.”
Lawmakers then turned their attention to an industry-supported element of the legislation: information sharing. It moved through the Senate Intelligence Committee in 2014, then again in 2015, before gaining passage on the Senate floor by a 74-21 vote. It was then inserted into an annual spending bill, which President Barack Obama signed into law that December.
Those who opposed the bill said it contained inadequate privacy protections, fearing what kind of personal data would end up in government hands. One of the biggest opponents then was Sen. Rand Paul, R-Ky., who now chairs the Homeland Security and Governmental Affairs Committee that may end up playing a key role in the fate of the law’s renewal.
Eggers said a “notable accomplishment” of the law is that there’s no real evidence that those privacy concerns have played out as feared.
One group that criticized the 2015 legislation, the Center for Democracy and Technology, said it still is concerned about the privacy ramifications, especially with the haphazard handling of private data under the Trump administration’s Department of Government Efficiency.
“The concerns are the same, but the data privacy environment is much more ominous,” said Jake Laperruque, deputy director of the group’s security and surveillance project. “Our sensitive and revealing data is generated more frequently, sought out and sold off more aggressively by data brokers, and now often churned through AI systems with an endless appetite.”
“Renewing this authority will require a lot of trust, right now it’s a big question of whether the government will earn it,” he added.
After the 2015 law passed, the Homeland Security Department established the Automated Indicator Sharing (AIS) program. That program has been the subject of often-negative watchdog reports, with the most recent one published in September noting that the number of participants fell to the lowest levels since 2017 in the period it reviewed, from 304 in 2020 to 135 in 2022. The number of actual threat indicators, like malicious IP addresses, fell precipitously to 93%, according to the DHS inspector general.
The report faulted the Cybersecurity and Infrastructure Protection Agency’s recruitment strategy for the dropoff in participants, and the dropoff in indicators on an unnamed federal agency that stopped sharing with the program over “unspecified security concerns.”
Advocates of renewing the 2015 law say some criticisms of the DHS program are fair, while others are misleading, but that the law’s importance isn’t tied to the AIS program created in its wake.
Eggers said that some companies haven’t seen enough high-quality threat information coming back from the program to justify participation. But he said the membership numbers are deceptive, since sector-specific industry information sharing and analysis centers (ISACs) might count as one member, but have thousands of companies who benefit from the program.
Kemba Walden, a former attorney at the Cybersecurity and Infrastructure Security Agency and later the acting national cyber director, said during her time at the agency some sectors made good use of the program, such as energy, transportation and financial services.
Scott Algeier, executive director of the Information Technology ISAC, said what AIS does well is “share indicators at scale,” something very useful to security researchers or companies with large security programs, and something that used to have to be done by plugging them into spreadsheets.
The reason for renewal
The real value of the 2015 law, advocates agree, is the legal protections it offers.
“It provides a really strong legal framework for the sharing of threat intelligence, both within industry and industry to government,” Algeier said. Before, industry relied largely on a Justice Department legal opinion as the framework for creating ISACs, but legislation is a far stronger framework, he said.
Walden, now president of the Paladin Global Institute, noted that a newer government-industry information-sharing program — the Joint Cyber Defense Collaborative — uses the 2015 law in its legal agreement with participants. It also could serve as the legal framework for future cyber threat-sharing initiatives, she said.
Eggers said that if businesses and their legal advisers “believe that they need the protections, then the protections are absolutely necessary to really achieve the kind of sharing and receiving of cyber threat information that benefits not only the business that’s doing the sharing and receiving, but industry partners and the government.”
Where updates are needed
As helpful as the 2015 law has been, it needs an update, said Larry Clinton, president of the Internet Security Alliance.
A renewal should result in “a bill that works for 2025 and so we should be looking at the current risks,” he said, further referencing events like the 2019 SolarWinds breach or last year’s CrowdStrike outage. When a product is used by an extremely large share of the market, and an incident can affect a substantial number of users, the companies that make them should meet with the federal government to take necessary security steps, then the government should reimburse them for costs and provide them protection from lawsuits, Clinton said.
Walden said there are other sections of the law that could use changes, like the definition of sharing information for a “cybersecurity purpose,” a term that doesn’t cover cyber frauds or scams and should be expanded to do so, she said.
She also said it’s unclear what kind of “defensive measures” companies can share with the government without running afoul of the Computer Fraud and Abuse Act, the main federal anti-hacking law. “If we expect for people in industry to lean forward and lean in on defending our critical infrastructure, maybe we should be a little bit more explicit,” Walden said.
When asked for comment, a CISA spokesperson did not directly address the renewal effort, telling CyberScoop that “the Cybersecurity Information Sharing Act of 2015 facilitates the voluntary sharing of cybersecurity information among companies and with CISA. That information empowers companies to defend their systems against cyber risks and supports a wide swath of CISA’s efforts in cybersecurity.”
Clinton said the Trump administration has shown signs of valuing industry collaboration, a positive sign for the law’s renewal.
What Congress thinks
Some leading members of the House and Senate Intelligence and Homeland Security panels support renewal, in some form.
“The committee, alongside other committees of jurisdiction, is prioritizing review of this legislation to ensure there are no information sharing gaps across the public and private sectors, which is especially important as nation-state threats to our networks and infrastructure intensify,” House Homeland Security Chairman Mark Green, R-Tenn., said.
The chair of his panel’s cyber subcommittee, Andrew Garbarino, R-N.Y., said renewing the law “makes sense going forward,” given that information sharing is an “essential component” of bolstering cybersecurity, but what the final reauthorization should cover is something that needs to be worked out in coming months.
Some key Democrats are on board, too.
“CISA 2015 is the backbone of operational collaboration between the Federal government and the private sector, and reauthorizing it is one of my top priorities this Congress,” said Mississippi Rep. Bennie Thompson, the top Democrat on Green’s panel. “We have just over six months to get this critical reauthorization across the finish line, and I am eager to work with my Republican colleagues as soon as they are ready to begin working on it.”
Said Virginia Sen. Mark Warner, the top Democrat on the Intelligence Committee: “CISA plays an essential role in public-private threat sharing, and I will strongly support its reauthorization.”
One key leader, though — Sen. Paul, who voted against the legislation in 2015 and now holds the gavel for a committee that might play a role in advancing or blocking renewal — was among those who didn’t respond to requests for comment.
The law is set to expire at the end of September, if Congress doesn’t act.
The post A major cybersecurity law is expiring soon — and advocates are prepping to push Congress for renewal appeared first on CyberScoop.
–
Read More – CyberScoop
