Information sharing law’s expiration could squander government vulnerability hunting efforts, senator says

Letting a cyber threat data sharing law expire could waste government efforts to find vulnerabilities, since companies would no longer be able to discuss these issues without fear of legal repercussions, a top senator said Tuesday.

Sen. Mike Rounds, R-S.D., made his remarks less than a week after the hotly contested legislation to end a government shutdown also temporarily extended the Cybersecurity Information Sharing Act of 2015 through the end of January. But the discussion from Rounds and another leading senator on the issue, Gary Peters, D-Mich., at the Aspen Cyber Summit also suggested the path forward to a permanent reauthorization is anything but clear.

Peters and Rounds are the sponsors of a bill to re-up the law, known as CISA 2015, for 10 years with no changes other than its name — the preferred route for the Trump administration.

Rounds, who chairs the Armed Services Subcommittee on Cybersecurity, said the law comes into play after U.S. Cyber Command teams go overseas to probe allies’ computer systems for flaws in what are called “hunt forward” missions, to the benefit of both that ally and the United States.

“We get that information, we share it with the companies or with the country where we found it so they can do the patches,” he said. “But then we also come back and we then make it available to all the other organizations so that they can patch it anyplace else in the world. It’s frustrating for the bad guys.”

Rounds told reporters afterward that the law’s legal protections for companies to share that data with one another are important for making use of that information.

“Once it comes back in and you have that patch now that it’s being made, they can talk to one another about how they’re patching it, or where else there might be risks and so forth associated with it — because we find one, they might find more than one, or they might be aware of more than one,” he said.

Senate Homeland Security and Governmental Affairs Chairman Rand Paul, R-Ky., has wanted to pair renewal of the 2015 law with changes to an agency that has the same acronym, the Cybersecurity and Infrastructure Security Agency, to curtail what some conservatives saw as online censorship during the Biden administration.

Agency officials at the time denied the accusations, but either way, Peters — the top Democrat on Paul’s panel — said the agency unit that did the work Paul objected to no longer exists. Getting around Paul’s objections could be difficult if he persists, as he already has blocked it from being included in the annual defense policy bill, Peters said.

“The problem will be a standalone bill,” Peters said, because of the time it takes to advance one in the Senate. “We’re looking at every avenue we can to get that in.”

Rounds said there could be 90-plus supporters for their bill in the Senate if it got a standalone vote. One possibility is to package it with some other legislation that has broad support, but he doesn’t know if anything like that is in the works.

Republicans have tried to win over Paul, Rounds said.

“We visited with him. You don’t put pressure on a member,” Rounds said. “What you have to do is to find a way to get it to the floor, to where you can overcome it with a 60-vote margin. … That means literally weeks in the process, and that’s what Senator Paul has chosen as the route forward is, to hold it until we include what he wants. Unfortunately, what he wants probably would kill the bill in either the House or the Senate.”

Peters said his office has seen at least one case of the law’s temporary expiration in September having a negative impact.

“We had one company that we talked to that said that they went from reporting cyber attacks to CISA … being able to do it in 30 minutes to doing it in 24 hours,” Peters said. “24 hours is a lifetime.”

Written by Tim Starks

Tim Starks is senior reporter at CyberScoop. His previous stops include working at The Washington Post, POLITICO and Congressional Quarterly. An Evansville, Ind. native, he’s covered cybersecurity since 2003. Email Tim here: [email protected].
