
The government shutdown and Congress’s failure to reauthorize the Cybersecurity Information Sharing Act of 2015 (CISA 15) have put cyber defenses at risk, cybersecurity experts are warning, saying the pressure is now on state and local governments and industry members.
After Democrats and Republicans failed to agree on passing a continuing resolution to maintain federal funding by midnight on Sept. 30, the government has officially shut down. With it, two key cyber-related provisions – CISA 15 and the State and Local Cybersecurity Grant Program (SLCGP) – were not reauthorized before their sunset date on Tuesday night.
CISA 15 put in place a legal framework for government and the private sector to share cybersecurity threat data, and the law has been hailed since then as foundational to improving U.S. cybersecurity.
Without those protections, industry leaders have said that both industry and the federal government will be handicapped in their efforts to address cyber threats in a timely manner before they become widespread – warning that threat actors won’t wait.
“The law’s liability protections have given companies confidence to share indicators of compromise and defensive insights without fear of legal or regulatory fallout,” said Jeff Ladner, chief product officer at Onspring, in a written statement shared with MeriTalk. “What was once a clear, protected channel for information exchange becomes a gray area, forcing leaders to weigh mission needs against legal exposure.”
Without legal protections from the federal government, industry is more likely to turn to states for information sharing protections, explained Mike Hamilton, the former chief information security officer (CISO) of the City of Seattle and field CISO at Lumifi Cybersecurity, in an interview with MeriTalk.
States have been working to meet those needs, largely spurred by an executive order signed by President Donald Trump earlier this year that shifted some responsibilities for risk management from the federal government to state and local governments, including those related to cyberattacks.
“What’s happening is states are saying enough is enough. We’re going to take on these responsibilities. You’re making us do it,” said Hamilton.
“States are going to have to recreate all the things that we got from CISA, including information sharing. We’re going to need volunteer teams of responders in case we have a significant cyber disruption,” Hamilton continued, pointing to efforts made by California, Texas, and Nebraska.
A federal shutdown poses a greater cyber risk to the government than to industry because furloughed staff and contractors leave agencies unable to quickly patch vulnerabilities or monitor networks. This creates a window for nation-states and cybercriminals to exploit and embed in federal systems, Hamilton added.
“The big risk is to the federal government,” said Hamilton. “They’re just shooting themselves in the foot.”
While the homeland security committees in both the House and Senate are working on bills to reauthorize CISA 15 – the House panel recently favorably reported its measure to the full House – experts said that industry members should continue information sharing.
“As a new solution is formalized, information sharing needs to continue to be a top priority across the private sector,” said Cynthia Kaiser, senior vice president of Halcyon’s Ransomware Research Center and the former deputy director of the FBI’s Cyber Division, in a written statement shared with MeriTalk.
“Halcyon specifically intends to continue information sharing for now as though the protections of CISA 2015 are still in place, in good faith anticipation of some sort of renewal, and we hope other industry partners will similarly continue their sharing posture to ensure collective protection,” continued Kaiser.
While there aren’t protections for new data shared with the government, a former senior Cybersecurity and Infrastructure Security Agency (CISA) official told MeriTalk in an interview that the lapse of CISA 15 won’t have an immediate disruptive effect, and that non-federal entities that shared data before Sept. 30 will still receive protections.
“Where it comes into challenge is that individuals who have new incidents, new and novel threat actor indicators, will have to have that conversation with their internal counsels and risk metrics before sharing with the risk of FOIA, the risk of law enforcement engagement … until a time in which that authority is back in full strength,” the former official said.
Meanwhile, the former official explained that the federal government can continue to share information through other authorizations that the government has, which allow CISA and other intelligence agencies to put out alerts.
That information sharing, however, is likely not to be as rapid as it was under CISA 15 protections.
“Anything that gets in the way of someone deciding to share adds seconds, minutes, hours, and days to that actual information being propagated through system channels, as well as across the board, to other sectors,” added the former CISA official.
Looking forward, Jordan Burris, head of public sector at Socure and former chief of staff to the federal chief information officer, said that Congress has an opportunity to expand on CISA 15 in its next set of protections for information sharing.
“Most identity-based attacks are now cyber-enabled, and by broadening Section 15 to explicitly include identity fraud related threat information sharing, we can bring organized fraud rings into scope, strengthen fraud prevention, and improve real-time intelligence collaboration,” said Burris in written comments shared with MeriTalk.
While CISA 15 was controversial when it was first passed, it largely has bipartisan backing, with lawmakers, Trump administration senior leaders, and federal officials doubling down on the necessity of having those protected information sharing channels available.
“There are a lot of good reasons to make sure that this capability lives on,” said the former senior CISA official. “It’s also always an opportunity for Congress to take a look and revisit and make sure it’s supported in the ways they intended. So, we have a lot of good hope out there that the powers that be will see fit to extend to whatever extent necessary.”