Bill extends cyber threat info-sharing between public, private sector

Two federal lawmakers today introduced a bi-partisan bill that preserves key regulation that facilitates the sharing of cyber-threat data between private companies and the federal government.

The Cybersecurity Information Sharing Extension Act, introduced by U.S. Senators Gary Peters (D-MI) and Mike Rounds (R-SD), would extend provisions of the Cybersecurity Information Sharing Act of 2015, which is due to expire in September. The law encourages businesses to share information about ongoing cybersecurity threats with the federal government, and is one of few legislative actions that has actually had an impact on real-world cybersecurity, security experts said.

Specifically, the Cybersecurity Information Sharing Act of 2015 incentivizes companies to voluntarily share cybersecurity threat indicators, such as software vulnerabilities, malware or malicious IP addresses, with the Department of Homeland Security (DHS). It does this by providing legal protections for companies that do so by providing federal antitrust exemptions and precluding them from being held accountable from state and federal disclosure laws.

“From a defender’s standpoint, the Cybersecurity Information Sharing Act has been one of the few legislative tools that truly moved the needle,” Chad Cragle, CISO at cybersecurity resilience technology firm Deepwatch, told Cybersecurity Dive via email. “It gave the industry the legal clarity to share threat intel quickly, directly and without second-guessing the lawyers.”

Indeed, the law has been instrumental in investigations of major cybersecurity incidents, including the widespread SolarWinds supply-chain attack, which affected both government agencies and private-sector companies such as Microsoft. It also provides support for Information Sharing and Analysis Centers (ISACs), member-driven organizations that collaborate on threat info-sharing to help critical infrastructure owners and operators protect their facilities.

“Cybersecurity is a team sport, and the truth of this idea is only becoming more obvious in a progressively more hostile global environment,” said Casey Ellis, founder at crowdsourced cybersecurity firm Bugcrowd. “The Cybersecurity Information Sharing Act provides a safe framework for information sharing, and underpins both public/private partnership sharing that powers US-based ISACs.”

Strong case for extending the law

In separate statements, both senators also stressed the importance of maintaining the act’s protections particularly in the current cybersecurity climate, where both the public and private sector face constant security threats from both state-sponsored and other bad actors.

“As cybersecurity threats grow increasingly sophisticated, information sharing is not just valuable — it remains essential for our national security,” said Sen. Peters.

Meanwhile, Sen. Rounds said that allowing the Cybersecurity Information Sharing Act of 2015 to lapse “would significantly weaken our cybersecurity ecosystem,” especially as the “has been instrumental in strengthening our nation’s cyber defenses.”

At the same time, however, the new act should be crafted to take into consideration the evolution of the threat landscape since the 2015 act was drafted, not just be a “rubber stamp” that does not add anything new to the legislation, Cragle noted.

“This is an opportunity to fine-tune the law, preserving its core strength while ensuring it reflects today’s privacy expectations, supply-chain realities, and operational complexity,” he observed. “Getting this right means building on what works while adapting to what has changed.”