Security coalition urges Congress to renew 2015 CISA law

Congress must reauthorize a cybersecurity threat information sharing law before it expires in October, a group of leading technology companies told lawmakers on Monday.

The 2015 Cybersecurity Information Sharing Act “has enabled rapid dissemination of actionable threat intelligence to protect networks before an incident occurs, more coordinated responses to cyber incidents; and improved situational awareness across multiple sectors,” the Hacking Policy Council said in a letter to House and Senate homeland-security committee leaders.

The council’s members include tech giants Google, Microsoft and Intel; security firm Trend Micro; and bug bounty platforms Bugcrowd, HackerOne and Intigriti. The group advocates for policies that improve vulnerability management, security research and penetration testing.

The CISA law, which offers legal protections for companies that share threat information, is set to expire on Sept. 30. There is bipartisan support on Capitol Hill for renewing the law, but lingering questions could complicate its prospects, including whether any lawmakers will press for changes to the program and whether the reauthorization will be attached to a larger must-pass bill or proceed on its own.

The law’s protections give companies “the confidence necessary to share sensitive information promptly — without fear of legal repercussions or ambiguity about their actions,” Hacking Policy Council members told lawmakers. If the law expires, it would “jeopardize over a decade of progress in enhancing our collective cybersecurity posture,” because companies might “hesitate to report vulnerabilities, leaving private sector and government networks exposed to exploitation.”

The Hacking Policy Council isn’t the first tech coalition to urge Congress to reauthorize the CISA law. In May, a group of 52 organizations representing nearly every critical infrastructure sector told lawmakers that it was “a cornerstone of American cybersecurity.” Many other cyber policy experts have echoed the call for reauthorization.

The Trump administration has signaled its support for the law as well. In remarks at the RSAC Conference in April, Secretary of Homeland Security Kristi Noem said the information sharing program was part of the administration’s strategy of shifting more cybersecurity work from the government to the private sector.