A bipartisan bill has been introduced in the Senate that would extend the Cybersecurity Information Sharing Act of 2015, widely seen as a vital national cybersecurity law.
The law's current authorization is set to expire in September of this year. The act establishes a partnership between the Department of Homeland Security (DHS) and private industry partners that promotes the sharing of software vulnerabilities, malware samples, and malicious IP addresses, with legal protections for the companies that share them. If it passes, the extension would keep the law in force for 10 more years.
Information sharing partnership provides nationwide security boost, better CISA support
The extension to the cybersecurity law was introduced by U.S. Senators Gary Peters (D-MI), Ranking Member of the Homeland Security and Governmental Affairs Committee, and Mike Rounds (R-SD). The senators stressed the importance of the information sharing programs the act authorizes in preventing and mitigating damage from major attacks by nation-state advanced persistent threat (APT) actors, particularly in supporting defense and recovery during the SolarWinds breaches and the more recent Volt Typhoon and Salt Typhoon campaigns.
Though the information sharing programs are popular and the bill has bipartisan support, its path to adoption may be rocky. Some Republican members of Congress, most vociferously Sen. Rand Paul of Kentucky, have opposed the Cybersecurity Information Sharing Act since it was first introduced over 10 years ago. Paul's objection is potential government overreach: under the act's terms, private industry partners could hand large amounts of otherwise protected personal information to government agencies. Paul now chairs the Homeland Security and Governmental Affairs Committee, and the bill will likely have to clear that committee before it proceeds.
However, members of both parties have publicly signaled support for the cybersecurity law's renewal. These include House Homeland Security Committee Chairman Mark Green and cyber subcommittee chair Andrew Garbarino. On the Democratic side, House Homeland Security Committee Ranking Member Bennie Thompson supports the renewal, as does Senate Intelligence Committee Vice Chairman Mark Warner.
Cybersecurity law terms may change before final version passes
The introduction of the information sharing extension was preceded by a Congressional Research Service (CRS) report that supported some form of renewal of the legislation, but also noted that the law does not address several threats that were not a significant concern (or did not meaningfully exist) in 2015. That includes AI, which the existing terms of the cybersecurity law do not mention at all. The report also notes that the original law predates the trend of APT groups heavily targeting flaws in poorly protected home and office routers, and calls for special attention to edge devices that often go overlooked.
Another point of note in the report is that participation in these information sharing programs is almost entirely voluntary for private industry partners. This approach began to shift under the Biden administration, as executive orders imposed incident reporting requirements on certain critical infrastructure sectors whose compromise could pose a hazard to national security.
Perhaps the most important of the information sharing programs funded under the bill, at least in terms of initial response to major breaches by APT groups, is the Joint Cyber Defense Collaborative (JCDC). Formed in August 2021, the program creates a direct connection between the federal agencies responsible for national security and a collection of the largest private technology and cybersecurity companies (such as Amazon, Microsoft, Google, Verizon, CrowdStrike and FireEye). The public and private participants develop joint planning agendas, cyber defense plans, and cyber defense exercises. This has included heavy coordination in the response to the sustained Volt Typhoon and Salt Typhoon campaigns of the past two years, which have been aimed at positioning to damage the nation's critical infrastructure should the US become involved in a military conflict over Taiwan.
Not all of the information sharing programs have been a hit, however. One that has drawn criticism is the Automated Indicator Sharing (AIS) program: annual watchdog reports have cited data quality issues that produce frequent false positives in malware detection, and have found that the program is a low priority for CISA, receiving little of the agency's funding and attention. Participation has dropped precipitously in recent years, with the volume of threat indicators shared through the program falling 93% from 2020 to 2022. This suggests that some elements could be on the chopping block should the cybersecurity law be overhauled.
Another September deadline under review is the end of funding for the State and Local Cybersecurity Grant Program, which has provided assistance to beleaguered local government operations and smaller critical infrastructure companies that often lack a proper IT budget yet are heavily targeted by advanced foreign threat actors. That program is presently under review by the U.S. House Subcommittee on Cybersecurity and Infrastructure Protection, but ultimately Congress will have to authorize continued funding for it.
April Lenhard, Principal Product Manager at Qualys, notes that the cybersecurity law is just one piece of a complex national cyber defense puzzle assembled in recent years: “Reauthorizing the Cybersecurity Information Sharing Act (CISA) isn’t just a bureaucratic box-check; it’s about keeping the digital lines of communication open between the private sector and government. CISA has been instrumental in streamlining information flows that strengthen national cybersecurity defenses. Renewing CISA for another decade will preserve the continuity of critical threat intelligence exchanges within the private sector and between private entities and the federal government. CISA’s bipartisan support underscores how a voluntary and collaborative information sharing framework remains a robust tool for collectively defending against evolving cyber threats. Recent developments, such as the near-expiration of MITRE’s CVE program, highlight the complex interdependence between public and private sectors in both network defense and intelligence contribution: the entire threat intelligence ecosystem feels the ripple.”
Casey Ellis, Founder at Bugcrowd, adds: “Cybersecurity is a team sport, and the truth of this idea is only becoming more obvious in a progressively more hostile global environment. The Cybersecurity Information Sharing Act provides a safe framework for information sharing, and underpins both public/private partnership sharing and the ‘in community’ sharing that powers US-based ISACs. I’m very glad to see Senator Rounds and Senator Peters moving this along.”
Chad Cragle, CISO at Deepwatch, is among those in the private sector who support a refinement of the cybersecurity law if it is reauthorized: “ … a renewal shouldn’t simply be a rubber stamp. The threat landscape has evolved significantly over the past decade, as have the risks associated with data handling and cross-sector coordination. This is an opportunity to fine-tune the law, preserving its core strength while ensuring it reflects today’s privacy expectations, supply chain realities, and operational complexity. Getting this right means building on what works while adapting to what has changed.”
And Gabrielle Hempel, Security Operations Strategist and Threat Intelligence Researcher for the Exabeam TEN18 Team, notes that legal protections must be a focus of any modernization effort: “One of the most important aspects is the afforded legal protections. CISA provided companies with legal protection when sharing cyber threat indicators with the federal government, which fostered a more open exchange of information. This has been important when it comes to responding to significant cyber incidents, like SolarWinds and Volt Typhoon. Extending these provisions encourages organizations to continue to share critical threat data without fear of legal repercussions. The extension is also an opportunity to modernize the legislation. The cyber threat landscape has evolved significantly since 2015, with complexity in supply chains and more sophisticated adversaries becoming a chief concern. Finally, it’s an important step to ensure that the Cybersecurity and Infrastructure Security Agency (the other CISA) and its Joint Cyber Defense Collaborative (JCDC) remain intact. These institutions have been an important part of coordinated cyber defense efforts.”