
Congress has less than 90 days to avert a cybersecurity nightmare. At the end of September, a keystone law enabling information sharing between private companies and government and among private companies will expire unless Congress reauthorizes it. Without the law, too many companies will fear liability when they act as good Samaritans by sharing warnings about cyber threats.

Companies Want Protections To Share Information

A decade ago, companies were hesitant to share information about cyber threats because of antitrust, data protection, and transparency laws. Corporate lawyers were concerned their clients would be prosecuted under the Sherman Antitrust Act, since the law does not explicitly allow cybersecurity sharing, or under the Electronic Consumer Protection Act, or other data privacy laws if they inadvertently shared the protected personal information of a third party. Companies were further concerned that if they shared information with the government, citizens, journalists, and malicious actors alike could submit Freedom of Information Act requests and receive proprietary information and trade secrets.

While companies could negotiate data-sharing agreements with threat information-sharing bodies, and while the Department of Justice issued guidance that companies would not be prosecuted for cyber intelligence sharing, this situation left too much to prosecutorial discretion for comfort.

To remedy this problem, Congress passed the Cybersecurity Information Sharing Act of 2015 (CISA 2015). The law disarms liability concerns over data sharing by creating explicit protections for companies sharing “cyber threat indicators” and “defensive measures” with other companies and the federal government. The law provides “legal certainty and protection against frivolous lawsuits when voluntarily sharing and receiving threat indicators and taking steps to mitigate cyberattacks,” according to the U.S. Chamber of Commerce.

Industry Groups Back Reauthorization

CISA 2015 is set to expire on September 30. Lawmakers have debated using the reauthorization to expand the definition of cyber threat indicators or clarify and expand the liability protections. Sen. Rand Paul (R-KY), meanwhile, who serves as chair of the Senate Homeland Security and Government Affairs Committee, wants the reauthorization to ban the Cybersecurity and Infrastructure Security Agency from combating disinformation — an unrelated but pet issue for the chairman. Back in April, senators Mike Rounds (R-SD) and Gary Peters (D-MI) also introduced legislation to extend CISA 2015 as written.

Given the ticking legislative clock, an increasing number of private sector groups have called for a straight reauthorization of the law, without changes that may require lengthy debates. A health care organization asserted back in March that the information sharing enabled by CISA 2015 “provides enormous benefits” and is critical for “keeping networks and infrastructure safe.” An open letter signed by major banking, energy, and technology associations commented that the law has been “instrumental in strengthening our collective defense” and “meaningfully improved the capacity and speed with which we can respond to large-scale cyber incidents.” A coalition of security companies, researchers, and technology policy experts warned on July 7 that allowing the law to “lapse would jeopardize over a decade of progress in enhancing our collective cybersecurity posture.”

Technology leaders similarly warned that without the law “there’s going to be some companies that won’t voluntarily” share information. Allowing the law to expire would amount to “legislative malpractice,” admonished Larry Clinton, president of the Internet Security Alliance.

Congress’ Turn To Act

Consensus in Congress seems to be coalescing around a straight reauthorization. That option provides the greatest likelihood of averting the crisis that would accompany the expiration of the law. While there are nearly 90 days left on the calendar before CISA 2015 expires, there are only 35 working days for Congress between now and the end of September. Lawmakers should act with haste.

Annie Fixler is the director of the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD) and an FDD senior fellow. Stefan Videnovic is a CCTI intern. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.