A 2015 cybersecurity law that has spawned a number of crucial public-private and inter-government information sharing programs is set to expire this September, but a bipartisan group of Senators is rallying to extend its terms for another 10 years.
Cybersecurity law renewal receives broad support, but may need an overhaul
Though it only came into force in 2015, the Cybersecurity Information Sharing Act (CISA, not to be confused with the agency) has become the backbone of a web of public-private cybersecurity efforts that accelerated greatly during the Biden years in the interest of national security. The programs the cybersecurity law authorizes not only facilitate information sharing, but also offer legal protections to private partners that might otherwise be hesitant to engage with the government for fear of repercussions.
A broad assortment of supporters want it renewed for exactly those reasons, but many caution that it also needs tweaks and improvements to account for developments over the past decade. The most obvious gap is AI, which is barely mentioned in the original 2015 cybersecurity law. The law also says little about the specific tactics and risks of nation-state APT groups, which certainly existed at the time but were not as active, or as brazen about the lines they are now willing to cross.
Another element of the cybersecurity law that is up for debate is that all of its information sharing programs are voluntary for private partners. That was the de facto standard until the Biden administration began issuing executive orders for critical infrastructure companies in the wake of the 2021 Colonial Pipeline and JBS ransomware attacks, which caused substantial real-world disruption; those orders gave some industries new mandatory incident reporting requirements. Some feel that any revision of the cybersecurity law must include mandatory information sharing requirements for select partners whose compromise would have an outsized impact on national security.
Information sharing law extension faces some opposition
Though it is generally popular, the information sharing law does have some detractors who have the potential to derail it. The bill is bipartisan, having been introduced by U.S. Senators Gary Peters (D-MI), Ranking Member of the Homeland Security and Governmental Affairs Committee, and Mike Rounds (R-SD), with additional supporters in both the House and Senate on both sides of the political aisle.
The most potent force in opposition is Sen. Rand Paul of Kentucky, who has been against the information sharing law since it was introduced 10 years ago. Paul's primary point of contention is personal privacy: he argues that the cybersecurity law essentially creates a backdoor through which the federal government can gather citizens' personal information from these private companies, information that would otherwise require a warrant and a legitimate investigation. However, there are no clear examples of this actually happening during the law's existence. Still, Paul heads a Homeland Security panel that the extension will likely have to go before (and clear) to proceed.
An example of a vital information sharing program enabled by the cybersecurity law, one broadly considered desirable and necessary, is the Joint Cyber Defense Collaborative. This program loops major tech firms (like Microsoft and Google) and the leading cybersecurity defense companies (like Mandiant and FireEye) directly in with the federal agencies involved in national defense, and the partnership has been considered crucial in addressing and mitigating major APT group attacks such as the SolarWinds compromise and the Volt Typhoon and Salt Typhoon campaigns.
Not every program has been so desirable, however. The Automated Indicator Sharing (AIS) program is another created by the cybersecurity law, and despite being active since 2015 it has seen steeply decreasing use and activity over the years. It is now widely seen as an afterthought for CISA (the agency), which has been characterized as barely funding it and paying it minimal attention. The fate of the whole package will likely come down to Trump administration funding priorities for cybersecurity, which remain unclear amid his continuing broad cuts to government spending.