Cyber ResiliencePublic SectorData Protection & Cyber RecoveryCybersecurity Risk & StrategyData CenterSecurity
News3 minute read

Vital cyber data-sharing law appears likely to expire amid looming government shutdown

Nextgov/FCW: Law firms are advising clients to prepare for this possibility, although the extent of information sharing that will cease if the law lapses remains unclear.

by David DiMolfetta, Cybersecurity Reporter, Nextgov/FCW

It's becoming increasingly more likely that a longstanding bedrock cybersecurity law will expire in tandem with a government shutdown anticipated next week, potentially slowing exchanges of timely cyber threat information between the private sector and government agencies.

The 2015 Cybersecurity Information Sharing Act lets private sector providers transmit cyber threat intelligence with government partners with key legal protections in place. As of now, companies are essentially shielded from lawsuits and regulatory penalties when circulating threat data. But the law is set to lapse Sept. 30 unless renewed by Congress. 

For months, industry leaders and senior administration officials have pressed for renewal. Congress remains at an impasse.

Last week, House appropriators unveiled a temporary funding plan that would keep the law alive through Nov. 21 and fund the government until the same date. That would have given Congress simultaneous time to work out broader federal funding snags and reconcile any debate about changes needed for the cyber law that was first enacted 10 years ago. But that continuing resolution failed to pass in the Senate.

Several cyber industry representatives that Nextgov/FCW has spoken to in recent weeks don't expect all information sharing to halt if the law expires, though they agree its tenure has created an optimal legal environment for transmitting data. 

That said, it's difficult to measure the effectiveness of current cyber threat-sharing mechanisms in comparison to their absence, one of the industry sources said.

Cybersecurity and technology companies largely support an extension, especially with the advent of advanced artificial intelligence systems and their cybersecurity uses.

"A decade on, as the volume and sophistication of threats continue to rise, it is important to reauthorize the statute and update it for new challenges across critical infrastructure, operational technology and AI enabled attacks — challenges that only defenders operating at the speed of artificial intelligence can address," said Marcus Fowler, who heads the U.S. federal unit of cybersecurity firm Darktrace.

"One of the biggest concerns that I have is, if CISA 2015 expires, those protections and those safe harbors that currently exist are going to have a chilling effect on AI development in cybersecurity," McLaughlin said.

Many are frustrated that Congress took too long to get the extension measure finalized. 

"I think once the government reopens, this [extension] will be part of it. I just don't know what [the Senate's] plan is to get this done," the congressional aide said. "We knew that this bill was going to expire at the end of the fiscal year. We've known the year for a long time, for ten years."

 

 

Read full article