US government shutdown stalls cyber intel sharing


The US Cybersecurity and Information Sharing Act (CISA) of 2015 has expired with no replacement or extension in place amid a chaotic shutdown of the federal government, leaving cyber pros in legal limbo and putting global collaboration on threat intelligence at risk of stalling.

The shutdown took effect at the stroke of midnight on 1 October after late-night attempts to get a Continuing Resolution – which would have funded the US government for a few more weeks – failed to get through a deeply-divided Congress.

The Continuing Resolution would have included an extension to CISA 2015 to give politicians sufficient time to finalise its proposed replacement, the Widespread Information Management for the Welfare of Infrastructure and Government (Wimwig) Act. 

The Wimwig legislation was designed to replace CISA 2015 – not to be confused with the Cybersecurity and Infrastructure Security Agency, which takes the same abbreviation.

As previously reported by Computer Weekly, Wimwig advanced through the House Homeland Security Committee at the beginning of September. However, with just a few short weeks until the looming shutdown, and political differences still to be resolved, getting it onto the statute books in time was always going to be a tall order.

Nevertheless, Kyle Dewar, executive client advisor at Tanium Federal, an endpoint and cloud workload security specialist, said that there were positive signs that politicians on both sides of America’s political divide agreed on the need to extend or replace it.

“You can tell how important an issue is by its lateral movement across legislative actions,” he said. “What impressed me about the urgency was that they did include the provision to extend CISA 2015 in the Continuing Resolution options.

“That conveys an acceptance across the political landscape that this is important, even though there may be disagreement… If it wasn’t important they would just let it lapse. To me it does indicate the significance of extending CISA 2015.”

Cynthia Kaiser, a former FBI cyber leader who now works as senior vice president at cyber company Halcyon’s Ransomware Research Center, said she hoped that the renewal of CISA 2015 – regardless of the name change – would be part of any future bill to reopen the American government.

She said there may even be an upside to the delay, as Congress could take additional steps to make more common sense edits, ranging from clarifying the law’s liability and privilege protections, to better protecting the civil liberties of individuals whose data may be shared under its auspices.

Kaiser also said more clarity was needed over which federal agencies are accountable for receiving and actioning information reported to the government under the law.

“It is imperative that we not lose sight of the spirit of what CISA 2015 was meant to achieve and absolutely has over the last decade: improving [the US’] overall security posture and protecting our most vulnerable from potentially devastating attacks,” she said.

Immediate impacts

Nevertheless, the fact remains that CISA 2015 is, for now, no more, and security professionals will begin to notice its absence within the next 72 hours, according to James Faxon, managing director and CISO at NukuDo, a cyber skills and training company.

A core provision of the lapsed law was liability protection, meaning that private sector organisations sharing threat data and intelligence in the interests of public service could do so without fear of facing legal action should someone, such as a victim, object.

With these protections evaporating overnight, Faxon said security leaders can expect to see organisations being markedly more cautious about what they share, which will create barriers to effective incident response.

“[This] can create conditions where one company is aware of [an] adversary’s attempt to exploit critical systems, but hesitant to share information with others due to a lack of liability shielding,” he said.

Faxon said the added pressure of a government shutdown will also strain speed and coordination on government agency responses to cyber incidents, which will spill into the private sector.

“Federal teams may be slower to validate and redistribute intel, so companies will lean more on ISACs, ISAOs, and vendor platforms to keep threat information moving,” he said. “But not all companies participate in ISACs or ISAOs and as a result, may be slower to respond giving an adversary more time to execute an attack strategy.”

Dewar said he too expected to see an impact to collaboration between the government and private sector.

“If something happens in the wild we can ingest the vulnerability from open sources but we can also compare that data with announcements from CISA. That correlation is going to be degraded. I don’t think it will go away altogether, it’ll just be different,” he said.

“It’s certainly more convenient when you have that trusted source, and CISA is an amazing organisation that does a lot of good work, so it’s really helpful when they can validate. That carries a lot of weight.”

Marc van Zadelhoff, CEO of email security leader Mimecast, expressed similar concerns. “Without CISA 2015’s protections, many companies will hesitate to share critical threat intelligence,” he said.

“That could leave CISOs unfairly shouldering blame for attacks beyond their control. We wouldn’t expect someone at reception to stop an actual army from storming a building, so why do we think the person running IT security can stop nation state attackers online? Yet, that’s the position CISOs could face in the event of an attack.”

Van Zadelhoff also said this risk to information sharing extends beyond US borders, and indicated that the disruption will affect businesses and governments worldwide.

“Amid escalating nation-state campaigns, slower information sharing will directly impact global trust. As an industry, we can expect slower responses to attacks, reduced collaboration across sectors, and more opportunities for adversaries to exploit. This should concern every organisation across the globe,” he said.

Filling in the gaps

Nevertheless, there are ways in which the cyber community can still fill in the gaps that the expiry of CISA 2015 is exposing. Dewar at Tanium pointed to CISA’s partner agencies, such as the UK’s own National Cyber Security Centre (NCSC), ENISA in the European Union, and so on, as sources of ongoing intelligence.

“There is an opportunity here. [Given] the global nature of cyber warfare it would be arrogant to say that the NCSC or others are deficient or not up to CISA’s standard – they all are,” he said.

“I would expect all agencies that relate to rise to the occasion and do the best they can with their resources. It’s certainly a challenge having this period of disruption but I don’t have any reason to doubt that agencies across the globe couldn’t step up and fill that gap.”

And Halcyon’s Kaiser said that as a private sector cyber practitioner, she intended to conduct business as usual for the time being.

“Halcyon specifically intends to continue information sharing for now as though the protections of CISA 2015 are still in place, in good faith anticipation of some sort of renewal, and we hope other industry partners will similarly continue their sharing posture to ensure collective protection,” she told Computer Weekly.

Shutdown increases wider cyber risk

Even without the expiry of CISA 2015, the wider government shutdown in Washington DC will be a risk multiplier for cyber pros everywhere, with organisations that contract with and supply the federal government – no matter where they are located – in the firing line of threat actors looking to exploit the disruption.

Brandon Potter, chief technology and compliance officer at cyber consultancy ProCircular, said: “One standout risk we’re anticipating is payment delays or even contract suspensions with contractors or partners of federal agencies. The downside is that vendors may need to cut their budgets, and that typically means cyber security investments decrease in the short term.

“The larger issue is that these third-parties often hold elevated access in government environments, and are frequently targeted as a means of gaining backdoor access to these more protected entities.”

Within the US specifically, Potter also highlighted the likely targeting of furloughed government employees by fraudsters exploiting the uncertainty now surrounding their pay and benefits, and by nation state actors bent on exploiting their discontent.

He said he expected to see an increase in ransomware attacks targeting critical infrastructure and government bodies, originating from countries like Russia that have actively worked to undermine American democracy in the past decade.

“It’s a long game with low and slow persistence. If I am a nation state threat actor with a reasonable foothold on the network, my goal would be to continue deeper penetration and establish multiple forms of persistence to increase mission longevity and success,” said Potter.

More votes needed

Although government shutdowns are not uncommon in the US, the country has avoided such an occurrence for almost seven years, with the last such incident taking place during president Trump’s first administration in December 2018.

The latest shutdown comes as America struggles to contend with deep-rooted political and social problems and reflects the increasingly fractious nature of the country’s national discourse, with politicians on both sides of the aisle quick to blame one another.

One particularly volatile area of disagreement is healthcare: Congressional Democrats are staking their votes on maintaining funding subsidies for health insurance bought under former president Obama’s landmark Affordable Care Act, and on reversing cuts to the Medicaid programme made by the Trump administration, upon which millions of the president’s own voters rely.

Previous shutdowns have caused disruption across the US, with government programmes and processes thrown into chaos, flights delayed, and National Parks forced to lock their gates.
