A bipartisan reauthorization of a critical cybersecurity information-sharing act is unlikely to pass as standalone legislation and will instead be part of another piece of major legislation, two senators behind the renewal proposal said Tuesday.
The Cybersecurity Information Sharing Act of 2015 – or CISA 15 – established a legal framework for government and industry members to share cybersecurity threat data, and it has since been hailed as foundational to improving U.S. cybersecurity.
But the renewal of those frameworks is unlikely to pass by itself, said Sens. Gary Peters, D-Mich., and Mike Rounds, R-S.D., who both hold leadership positions within cyber-related committees in the Senate.
The senators proposed legislation last month dubbed the Protecting America from Cyber Threats (PACT) Act, which would continue to allow the Cybersecurity and Infrastructure Security Agency (CISA) to collaborate with industry in threat data sharing.
Now, speaking at the Aspen Cyber Summit in Washington, the senators said they aren’t sure the bill will pass by itself after Senate Majority Leader John Thune, R-S.D., has prioritized other bills.
“The chairman wants to do other legislation that’s not related to it, and that’s a problem,” said Peters. “So, it probably won’t be a standalone bill. We’re gonna have to get it in a defense authorization or other kinds of bills. We’re looking at every avenue that we can to get that in.”
Rounds also pointed to long Senate procedures that often stall legislation while it makes its way through the chamber.
“You can do standalone legislation, but it can take up to two weeks to push a single bill through the Senate, because you have time limits put into it designed to slow things down, unless you do things by unanimous consent,” Rounds said, while agreeing with Peters that Thune has a lot of power in his ability to slow that process down even more.
CISA 15 was temporarily extended until late January under the recent stopgap funding bill that ended the historic government shutdown, which Rounds pointed to as being a positive sign that there is motivation to get the cyber sharing law renewed.
“Hopefully by [the end of January], we will have the vast majority of the appropriation bills already completed for the rest of this year, and we’ll be able to move into some of these other packages … and get it across the floor of the Senate,” Rounds said.
When the bill’s liability protections lapsed during the 42-day shutdown, Peters said that one company reported they went from documenting cyberattacks and sharing that information with CISA within 30 minutes to 24 hours.
“Twenty-four hours is a lifetime,” Peters said. “As all of you know, when it comes to cyber, that’s simply unacceptable to do that.”
Part of getting a reauthorization for CISA 15 across the finish line includes spreading more awareness on the issue across Congress, the senators said.
“The folks who are in our committees work on those issues a lot, but I don’t think it’s widespread. A lot of my colleagues … don’t deal with these issues on a daily basis,” Peters explained, calling on industry and cyber experts to engage with Congress on cybersecurity-related issues.
“If we have to do it on the full floor, we have to then sell it to a whole lot more members who may be having a different view of [the legislation],” Peters said, adding, “They need to hear from you; you are the experts.”