Landmark US cyber information-sharing program expires, bringing uncertainty



A federal program that encourages companies to share cyber threat information expired on Wednesday, raising fears of significantly diminished cybersecurity collaboration between the government and the private sector.

The 2015 Cybersecurity Information Sharing Act protected companies from antitrust liability, regulatory enforcement, private lawsuits and public-records disclosures associated with threat indicators they shared with government agencies or other companies. Those protections, which addressed longstanding concerns from corporate lawyers, led to a decade of robust information sharing between the federal government and the private sector, helping agencies such as the Cybersecurity and Infrastructure Security Agency (CISA) identify, track and respond to widespread cyberattack campaigns.

But the law — known as CISA 2015 to distinguish it from the more recently created cyber agency — included a 10-year lifespan that expired on Wednesday. Congress failed to reauthorize the program despite months of hearings, speeches and letters highlighting its nearly universal support among Trump administration officials, lawmakers, industry leaders and cybersecurity experts.

The failure to renew CISA 2015 will leave U.S. computer networks “exposed, vulnerable and defenseless,” Sen. Gary Peters, D-Mich., the top Democrat on the Homeland Security Committee, said during a floor speech on Tuesday in which he urged his colleagues to act.

Members of the business community agreed. “America is more vulnerable to cyber threats today than it was yesterday,” Heather Hogsett, executive vice president for technology policy at the Bank Policy Institute, told Cybersecurity Dive.

The main obstacle to reauthorization was Senate Homeland Security Committee Chair Rand Paul, R-Ky. He objected to reauthorizing CISA 2015 without placing new restrictions on CISA’s efforts to combat online mis- and disinformation, which drew conservative criticism after the 2020 election, and he repeatedly blocked efforts to save the program. Paul drafted a bill that would satisfy his concerns about CISA’s misinformation work, but he never brought it to the Homeland Security Committee for a discussion.

The House, meanwhile, included a CISA 2015 reauthorization in its government funding bill, but Democrats blocked that legislation over concerns about Republicans’ spending cuts.

It remains unclear how companies’ information-sharing practices will change in the absence of liability and regulatory protections. Some companies might limit what they provide to the government; others might stop sharing entirely.

Michael Daniel, president of the Cyber Threat Alliance, an information-sharing group, predicted that some companies will “suspend some sharing activities with the government,” but he added that a lot will depend on “each company’s risk tolerance.”

“I think some collaboration will continue,” he said, “but likely at reduced levels and requiring more human oversight.”

Ari Schwartz, managing director of cybersecurity services at the law firm Venable, said “there will just be many more lawyers involved and it will all go slower, particularly new sharing agreements.” Venable has advised clients on what to consider when establishing such agreements.

As for companies sharing information with each other, that will likely continue for now because of a lack of near-term concern about antitrust investigations, Daniel said. But companies’ attitudes could change if the program isn’t reauthorized.

Henry Young, senior director of policy at the software industry trade group BSA, told Cybersecurity Dive that CISA 2015 was a critical tool for collective defense.

“Allowing artificial silos between government and industry to take hold would be a setback for the United States’ overall cybersecurity posture,” he said.

DHS CISA impact

In a letter to Congress last week, a broad coalition of industry associations warned that the expiration of CISA 2015 would expose the U.S. to “a more complex and dangerous security environment.”


