Short-term extension of expiring cyber information-sharing law could be on the table
With time running short before expiration of a cyber information-sharing law highly valued by the private sector, Congress is taking a look at the possibility of a short-term extension.
The 2015 Cybersecurity Information Sharing Act, which provided legal safeguards for companies to share threat data, is due to sunset at the end of September, and Congress doesn’t tend to work much in August.
A bipartisan pair of senators have introduced a bill to simply extend it for another 10 years. But a House bill is still in the works and might take a different approach that involves making changes to the law going forward, industry officials told CyberScoop on Wednesday. Getting competing proposals through both chambers, then settling differences and finalizing a bill to get to the president’s desk, could take significant time.
“There are other things that are being considered in the mix,” said John Miller, senior vice president of policy for trust, data and technology and general counsel at the Information Technology Industry Council. One would be attaching language to a continuing resolution funding measure that would extend the 2015 law for a short period of time.
That might work, depending on how it’s constructed, Larry Clinton, president of the Internet Security Alliance, said.
“I’ve heard people talk about that,” he said, while suggesting it wasn’t ideal. “The other side of the short-term approach is that they would come back and do it again and do it in a more sophisticated fashion. If it really was a placeholder, well, that’s a different story. But if it’s, ‘OK, well, we did that now we’re moving on,’ and then do exactly this drill again in two years, that’s a problem.”
At a Hill briefing Wednesday, industry representatives touted the need to extend the law, which Clinton called “the most successful piece of cyber legislation that’s ever passed.” The legal protections it offers gives industry incentives to share threat data with less fear of lawsuits or public disclosure, which in turn bolsters security across industry sectors, advocates say.
In some ways, industry representatives said, the law has been a victim of its own success. Miller said that when the law was being developed, there was a lot of talk about the legislation and potential privacy ramifications.
“In the past five to 10 years, you probably haven’t heard a lot about cyber information sharing as a policy issue,” he said, indicating that the law “has struck the right balance.”
Renewal is especially helpful for small- and medium-sized businesses, and in light of the Trump administration killing a critical infrastructure committee meant to foster information sharing, industry representatives said.
