A coalition of 52 U.S. organizations urged lawmakers on Tuesday to reauthorize a law that protects cyber threat information that businesses share with the federal government.
The Cybersecurity Information Sharing Act, which is set to expire on Sept. 30, creates a system for federal agencies to receive threat indicators from companies and share those indicators with other agencies and companies. The law specifies that companies can share threat information with one another without violating antitrust laws and requires agencies to remove personal information before sharing information. It also prohibits the government from using any shared data to regulate companies.
If the law expires, “the U.S. will encounter a more complex and dangerous security environment,” the coalition of private companies and trade groups wrote to members of Congress.
“Sharing information about cyber threats and incidents complicates attackers’ operations because defenders learn what to monitor and prioritize,” the group said. “CISA 2015 helps defenders improve their security measures while raising costs for attackers.”
For years, the government and the private sector have warned that roadblocks to information sharing impede the U.S.’s ability to understand the threat landscape and block cyberattacks. Congress passed CISA in 2015 to make it easier for companies to alert the government to digital threats while also protecting the privacy of information they share.
The broad list of signatories pressuring Congress to reauthorize the Cybersecurity Information Sharing Act illustrates the law’s widespread support within the private sector. Among the signatories are trade associations representing nearly every critical infrastructure sector, including transportation, telecommunications, healthcare, energy, water, financial services, chemical, entertainment, defense, retail and technology.
The healthcare industry’s information-sharing and analysis center, Health-ISAC, signed the letter, as did a group representing health-care IT executives, an association of third-party auditors and a group that advocates for open radio access networks (open RAN) in the wireless industry.
The U.S. Chamber of Commerce organized the effort to pressure Congress, highlighting the seriousness of CISA reauthorization to the business community.
Legal protections at risk
While much of the public conversation about the law relates to its role in facilitating public-private information sharing, companies also rely heavily on its legal protections for private-to-private sharing, which underpins the vast cyber threat intelligence industry that partners with governments worldwide to stop hackers.
“Most of the use of it that we see every day in the private sector is tied to the protections for private-to-private cyber threat sharing,” said Ari Schwartz, managing director of cybersecurity services at the law firm Venable and coordinator of the the Cybersecurity Coalition, an advocacy trade group that signed the letter.
The financial services and retail-and-hospitality ISACs rely on this protection to exchange threat indicators, Schwartz said, as does the Cyber Threat Alliance, which hosts an information-sharing platform and produces research reports. “Both of these efforts had previously raised internal technical antitrust questions before the passage of the law,” Schwartz told Cybersecurity Dive via email.
If the law expires, Schwartz said, “we could see, at best, major disruptions to existing threat sharing arrangements and, at worst, an end to many of them.”
The letter’s submission comes as lawmakers begin scrutinizing CISA and considering whether and how to modify it as part of the reauthorization process.
The House Intelligence Committee received a classified briefing on the law’s impact last week, with panel leaders saying they were focused on making the information-sharing process as efficient as possible. The House Homeland Security Committee’s cyber subcommittee will hold a hearing on the law on Thursday.
Secretary of Homeland Security Kristi Noem said at the RSAC Conference in late April that the Trump administration supports the renewal of the law
