Industry reps urge Congress to renew backbone cyber information-sharing law


The Cybersecurity Information Sharing Act of 2015, a keystone law that lets the private sector share cyber threat information with legal safeguards, expires in September unless renewed by Congress.

Industry officials made a strong case to Capitol Hill Thursday that a foundational cyber threat information-sharing law must be renewed by this fall, arguing a lapse would give foreign adversaries arrant latitude to access sensitive U.S. data and destabilize critical infrastructure around the nation.

Testifying before a House Homeland Security panel’s cyber subcommittee, industry stakeholders urged lawmakers to extend the 2015 Cybersecurity Information Sharing Act that is poised to expire in September unless renewed by Congress. It allows industry to voluntarily share information about cybersecurity threats with the government, with liability safeguards in place that prevent firms from incurring legal actions that may arise from sharing sensitive data. 

Stakeholders say the liability protections in the law are critical because they shield companies from lawsuits and regulatory penalties when sharing cyber threat indicators with the federal government — a safeguard they argue is necessary to mitigate long-standing concerns about violating user privacy, breaching contracts or exposing sensitive business information.

A program lapse would “remove essential liability protections and hinder defensive operations across critical sectors,” said Kate Kuehn, the in-residence CISO at the National Technology Security Coalition. She added that such protections “have provided legal certainty for companies that might otherwise hesitate to share critical threat data.”

In the early 2010s, legislative efforts to establish a cyber threat information sharing framework had been underway for several years but faced major hurdles due to public skepticism over privacy and the misuse of shared information following Edward Snowden’s 2013 global surveillance disclosures. 

The landscape shifted notably after the Office of Personnel Management suffered a massive data breach in 2015, compromising the personal information of over 21 million current and former federal employees, which galvanized support for the law as it stands today.

A lapse in the law “could be interpreted by malicious actors as the U.S. ‘dropping its guard’ and would be an unforced error in a dangerous and evolving moment of cyber risk for the U.S.,” said John Miller, SVP of policy and general counsel at the Information Technology Industry Coalition.

“The one guarantee of a lapse … is that attackers would be in a better position to capitalize on any resulting confusion and uncertainty” caused by the law expiring, he said.

Rep. Andrew Garbarino, R-N.Y., who leads the cybersecurity subcommittee, told reporters that a clean extension bill appears to be the most likely outcome.

“It was very important to have this [hearing] now so we can move it up. I do not know when the committee is going to have its next markup, but getting this in and now getting legislation drafted is the next step right away,” he said.

It’s not clear if a reauthorization bill will originate from the House Homeland side or from the House Intelligence Committee. Garbarino and Rep. Rick Crawford, R-Ark., who chairs the House intel panel, have been “talking quite a bit” about which direction to go, the New York congressman added.

“I think that the information-sharing transparency focus that [the bill] had when it first was made into law in 2015 is the core objective. And I think the importance of transparency and information sharing has only increased since that time,” Mandy Andres, the CISO at search company Elastic, said in a recent interview with Nextgov/FCW.

“We need a good way and a safe way … for us to have any chance of being successful in helping defend ourselves, because what’s key about information-sharing, is that we’re not operating in silos, even though sometimes we like to act like we are,” she added.