Witnesses at a House hearing on May 15 warned lawmakers that any lapse in the existing Cybersecurity Information Sharing Act of 2015 (CISA 15) would weaken the United States’ cybersecurity posture and undermine efforts to share information between the public and private sectors.
Testifying in front of the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection, witnesses praised CISA 15 for encouraging industry to share cyber threat indicators with the Federal government and private sector partners, but emphasized that Congress needs to act quickly to reauthorize the law and ensure its continued benefits.
The law is set to sunset in September without further congressional action.
“I want to underscore that any lapse in CISA 15 authorities would be an unfortunate step backwards, an unfortunate error that only stands to benefit cyber criminals, including sophisticated nation-state threat actors such as China, Iran and Russia,” said John Miller, senior vice president of policy for trust, data and technology at the Information Technology Industry Council (ITI), a tech trade group.
“The lapse of CISA 15 would remove the legal protections underlying the trust mechanisms and relationships that underpin the cyber threat information sharing that is fundamental to our collective cyber defense,” Miller added.
While witnesses praised CISA 15, they also said a reauthorized version of the law needs to reflect a changed cybersecurity landscape.
Diane Rinaldo, a former House Intelligence Committee staffer who helped write the law, said that the original legislation failed to correctly estimate the scale and complexity of today’s threat landscape.
“Over the past decade, threat actors have become more capable and emboldened, outpacing both legislative safeguards and defensive technologies,” said Rinaldo.
Rinaldo told lawmakers that problems persist with how the law operates more than ten years after it was first approved, with issues including limited participation, speed and relevance of information, lack of bi-directional flow, and inconsistent standards that result in a “a trust deficit.” She added that Congress should require Federal agencies to share timely and declassified intelligence with the private sector.
“Reauthorizing information sharing gives Congress the opportunity to strengthen and scale its original vision, to strengthen national security,” said Rinaldo. “Cybersecurity is no longer a technical issue – it’s a national security imperative that requires whole-of-nation coordination. No single company, agency, nor state can defend against these threats alone.”
Rinaldo also suggested expanding and clarifying liability protections in the law – which Kate Kuehn, the chief information security officer in residence at the National Technology Security Coalition (NTSC), said offer critical protections for companies that would otherwise face legal uncertainty in sharing data.
“This safe harbor position has been crucial in fostering a culture of trust and collaboration,” she said, adding that without liability protections, threat information sharing ends up “in the hands of the lawyers.”
Miller also suggested that the law update its definitions, calling into question whether some definitions – such as cyber threat indicator – reflect all the different types of attacks seen in today’s threat landscape.
Panel members voiced bipartisan support for renewing the legislation.
“It’s rare that these days we see such a wide consensus on any topic, but on the issue of reauthorizing CISA 2015 I’ve received a very clear message from everyone I talked to: do not let it lapse,” said Rep. Eric Swalwell (D-Calif.), ranking member of the subcommittee.
Sens. Gary Peters, D-Mich., and Mike Rounds, R-S.D., introduced the Cybersecurity Information Sharing Extension Act last month, which would extend the law to 2035.