The cybersecurity law that quietly underpins U.S. digital defenses is about to expire

Nearly a decade after Congress passed the Cybersecurity Information Sharing Act of 2015, the law is facing an uncertain future. Not to be confused with the Cybersecurity and Infrastructure Security Agency (which shares the same acronym), the law—often referred to as “CISA 2015” to avoid confusion—was designed to clear the way for private companies and the federal government to share cyber threat data more openly. Supporters argued it would bolster national cybersecurity by speeding up the flow of information about emerging attacks. In ways that most people don’t see, the law has helped financial firms, hospitals, and major retailers spot and respond to threats faster—thwarting ransomware, phishing scams, and other attacks before they spiral.

But CISA 2015 came with a built-in expiration date—and that clock is now ticking. Key provisions of the law are scheduled to sunset at the end of September unless Congress acts to renew them. As lawmakers weigh the future of CISA 2015, they’ll have to navigate a tricky set of obstacles—namely skepticism from privacy advocates. 

Fast Company spoke with Matthew Eggers, vice president for cybersecurity policy at the U.S. Chamber of Commerce, about what’s at stake in the renewal process. The interview has been edited for length and clarity.

Broadly speaking, how has the Cybersecurity Information Sharing Act shaped the government’s relationship with the private sector?

The law, and the attitude that it’s built up over the years, has really provided government entities with a host of cyber threat data that they can’t get on their own. In a lot of ways, the information-sharing legislation has built a lot of connective tissue between the government and industry. What we’re trying to say to Congress is they need to pass the legislation by September 30, because not only is the law the cornerstone of U.S. cybersecurity, but it’s also to their benefit. They’ve got the public and private entities in their districts, in their state, that are under attack from cyber criminals and foreign nations—China, Russia, Iran, North Korea.

Can you give an example of a tangible impact the law has made?  

I look at something like the food and ag sector. They’ve got a new Information Sharing and Analysis Center, and I think that is definitely an outgrowth of CISA 2015. There was a very good paper that David Turetsky, a professor at the University of Albany, put out in 2020 that showcases cyber success stories. It basically hits on a small fraction of the incidents that were probably mitigated or prevented. That’s one of the things about cyber information sharing: It’s hard to prove or show situations where you probably stop attacks at the outset or mitigate them.

What is at stake, then, if the law lapses? 

It’s probably the case that information sharing would go down, and that’s in no one’s interest. There was information sharing happening before CISA 2015 passed, but what you’ve seen is an expansion of information-sharing bodies. And we don’t want to undercut that progress that’s been made. The other thing that’s at stake is trust. It takes a long time to build trust among individuals and organizations; at the end of the day, it’s individuals within organizations who share information, and they have to know one another.

Is a straight reauthorization sufficient? Some folks have pushed to modernize the law to address new cyberthreats like AI-driven attacks.

It’s definitely part of the mix, and I can say that many leading organizations that are invested in this law are giving that a lot of thought. The law expires September 30; we definitely don’t want the law to lapse, but it only makes sense that we should be thinking about ways to improve the program, and I think that would likely entail new legislation. That can take time to consider. Do we have time to do that? I think that remains to be seen. Our priority is making sure that the program doesn’t lapse.

Groups like the Electronic Frontier Foundation have argued that the law doesn’t have sufficient safeguards for data. What is your response to those concerns?

I think those concerns were unfounded when the program was being considered. A Congressional Research Service report that just came out showed that industry and government have a strong record of safeguarding privacy and civil liberties under CISA 2015. And to my knowledge, there have not been any privacy incidents. Plus, sharing privacy information really doesn’t do an organization much good from a cyber standpoint. Typically, what you’re sharing are cyber threat indicators, which are things like domain names, log data, malware, date stamps, stuff like that.

Senator Rand Paul was a major opponent of the original bill, and he’s now chairing the Senate’s Homeland Security & Governmental Affairs Committee. Have you engaged with him directly?

We have been engaging his staff, and would be more than willing to engage him. I would say it’s just a matter of time before we try to meet with him. We’re always willing to talk. One thing we’re trying to do is more or less impress upon him the importance of the program to his state’s public and private entities.

President Trump hasn’t said anything on the law’s future, but there have been cuts to similar cyber initiatives.

The people he is putting into positions at the Cybersecurity and Infrastructure Security Agency, and likely the Office of the National Cyber Director and the National Security Council—they get the importance of information sharing. Probably between now and September, when you may see a statement of administration policy, I can’t help but think that there would be a thumbs-up in favor of this program. Someone like Sean Plankey, who is expected to head up CISA, I know personally that he believes in the importance of this kind of effort.


https://www.fastcompany.com/91315807/cybersecurity-information-sharing-act-of-2015-matthew-eggers-interview?partner=rss&utm_source=rss&utm_medium=feed&utm_campaign=rss+fastcompany&utm_content=rss

Created 2mo | Apr 16, 2025, 11:20:04 AM

