Sens. Gary Peters, D-Mich., and Mike Rounds, R-S.D., are leading efforts to reestablish legal protections for cyber threat information sharing between the federal government and industry after those protections expired last week.
The Cybersecurity Information Sharing Act of 2015 (CISA 15) expired at midnight on Sept. 30 after 10 years of offering legal protections for non-government entities that chose to share cyber threat data with the federal government.
Under a new name – the Protecting America from Cyber Threats Act – those protections would be reestablished if passed. The bill would continue to allow the Cybersecurity and Infrastructure Security Agency (CISA) to collaborate with industry in bolstering the nation’s cyber defenses.
“This bipartisan bill renews a proven framework that has helped defend critical networks at our hospitals, financial systems, and energy grids from cyberattacks for a decade,” said Sen. Peters in a statement.
“We must quickly renew these longstanding cybersecurity protections that encourage companies to voluntarily share information about cybersecurity threats with the federal government to ensure we are prepared to defend our national and economy security against relentless attacks from cybercriminals and foreign adversaries,” he continued.
While the new act meant to reauthorize CISA 15 doesn’t change any of the original bill’s provisions, it extends the legislation through September 2035 and would take effect retroactively as of Oct. 1.
A short-term extension of CISA 15 was included in the House-passed continuing resolution to keep the government open and funded, but that bill ultimately failed to pass in the Senate, leading to a government shutdown.
Following the sunset of CISA 15, industry cybersecurity leaders said that while the law’s lapse wouldn’t impact any cyber threats shared with the government before midnight on Sept. 30, it would open up non-government entities to legal liability if they choose to share information after the bill lapsed – putting pressure on states and industry to step up.
The cyber-sharing law has historically been controversial but has recently received largely bipartisan support from lawmakers and has been cited as critical to cybersecurity by Trump administration officials.
“The Cybersecurity Information Sharing Act of 2015 has been instrumental in strengthening our nation’s cyber defenses by enabling critical information sharing between the private sector and government,” said Sen. Rounds. “The lapse in this legislation due to the government shutdown leaves our nation vulnerable to cyber attacks.”
The proposed legislation has already received support from industry, which has noted the importance of the protections in securing the nation.
“These authorities created the essential framework enabling real-time threat intelligence sharing across industry and with the government, breaking down the silos that attackers exploit,” said Ryan Gillis, senior vice president and global head of government partnerships at Zscaler, in a statement shared with MeriTalk.
“As nation-state and ransomware adversaries grow more pervasive and sophisticated, failing to renew these authorities could dramatically harm America’s national defense, economic security, and our critical infrastructure,” Gillis continued.
Sens. Peters and Rounds had introduced legislation earlier this year to reauthorize CISA 15 through 2035. Additionally, a bill that closely follows CISA 15, dubbed the Widespread Information Management for the Welfare of Infrastructure and Government Act, was favorably reported to the full House last month.