Here’s what could happen if CISA 2015 expires next month

Expiration of a 2015 law at the end of September could dramatically reduce cyber threat information sharing within industry, as well as between companies and the federal government, almost to the point of eliminating it, some experts and industry officials warn.

The Cybersecurity Information Sharing Act, also known as CISA 2015, is due to end next month unless Congress extends it. Leaders of both of the House and Senate panels with the responsibility for reauthorizing it say they intend to act on legislation next month, but the law still stands to expire soon without a quick bicameral deal.

The original 2015 law provided legal safeguards for organizations to share threat data with other organizations and the federal government.

“We can expect, roughly, potentially, if this expires, maybe an 80 to 90% reduction in cyber threat information flows, like raw flows,” Emily Park, a Democratic staffer on the Senate Homeland Security and Governmental Affairs Committee, said at an event last month. “But that doesn’t say anything about the break in trust that will occur as well, because at its core, CISA 2015, as an authority, is about trust, and being able to trust the businesses and organizations around you, and being able to trust the federal government that it will use the information you share with it.”

That estimate — 80 to 90% — is on the high side of warnings issued by policymakers and others, and some reject the notion that the sky is catastrophically falling should it lapse. Additionally, some of the organizations warning about the fallout from the law’s lapse benefit from its provisions. But there’s near-unanimity that expiration of the law could largely shift decisions about cyber threat info sharing from organizations’ chief information security officers to the legal department.

“If you think about it from the company’s perspective, what a lapse would do would be to cause the ability to share information — to move the decision from the CISO to the general counsel’s office,”  said Amy Shuart, vice president of technology and innovation at Business Roundtable, which considered the issue important enough to fly in CISOs from member companies to meet with lawmakers this summer and persuade them to act. “And any good general counsel is going to say, ‘I used to have authority here that protects us from antitrust. We don’t have it anymore. Now I’ve got concerns.’ So we do anticipate that if this was to lapse, the vast majority of private sector information sharing would shut down just due to legal risk.”

A common expectation among watchers is that Congress is likely to pass a short-term extension that would be attached to an annual spending bill known as a continuing resolution before the end of the current fiscal year, which also is tied to the end of September. But that still gives lawmakers a short window, and even if a short-term extension passes, Hill appropriators are likely to be impatient about a long-term extension and unwilling to aid any extension past the end of December.

Senate Homeland Security and Governmental Affairs Chairman Rand Paul, R-Ky., said last month that he intends to hold a markup of CISA 2015 extension legislation in September. A critic of the Cybersecurity and Infrastructure Security Agency over allegations that it pushed social media outlets to censor election security and COVID-19 data — allegations that then-CISA leaders denied — Paul said he wants to include language in any extension prohibiting the agency known as CISA from censorship.

The new leader of the House Homeland Security Committee, Andrew Garbarino, R-N.Y., also has said reauthorization is a priority, but wants to make other changes to the law as well.

“Reauthorizing the Cybersecurity and Information Sharing Act is essential as the deadline nears and as threats evolve,” Garbarino said in a statement to CyberScoop. “The House Committee on Homeland Security plans to mark up our legislative text for its reauthorization shortly after Congress returns from recess in September. In a 10-year extension, I will preserve the privacy protections in the law, and I aim to provide enhanced clarity to certain pre-existing provisions to better address the evolving threat landscape.”

Separate from the 2015 law, the Justice and Homeland Security departments have issued and updated legal guidance pertaining to cyber threat information sharing that sector-specific information sharing and analysis centers say undergird exchanges from company to company.

But a Supreme Court decision last year about federal regulatory authority could cast a shadow over that guidance should CISA 2015 expire, warned Michael Daniel, leader of the Cyber Threat Alliance. Furthermore, a failure from Congress to act could send a message to courts.

“A lack of congressional action to positively reauthorize private entities to monitor their networks, deploy defensive measures, and share information ‘notwithstanding any other provision of law’ introduces uncertainty about sharing information that could trigger certain criminal laws, such as the Computer Fraud and Abuse Act or the Stored Communications Act, or could violate antitrust laws when participating in collective cyber defense,” he recently wrote. “In short, the resulting uncertainty would reduce the amount of sharing that occurs, reintroduce friction into the system, and inhibit the ability to identify, detect, track, prepare for, or respond to cyber threats.”

Daniel told CyberScoop some of those discussions about expiration fallout are hypothetical at this point, but legal experts have told him they are realistic. 

Trump administration officials and nominees have said they support reauthorization of the 2015 law. There are links to its recent artificial intelligence action plan, which calls for establishment of an AI-ISAC.

“One piece we were happy to hear is the administration generally be supportive of a clean reauthorization,” Shuart said. “One of the things that we’ve heard the administration say pretty loud and clear about their approach with the [AI] action plan is that they were thinking about what they could do within their existing authorities. So CISA 2015 is a pretty important existing authority for the action plan to be successful.”

Still, the future of the 2015 law is uncertain.

‘There’s a lot of people kind of searching around for how to do this. I really couldn’t say I know that there’s a consensus,” said Larry Clinton, president of the Internet Security Alliance. “I know that there are people working in multiple different committees — Homeland Security, Armed Services, Appropriations, Intel — who are trying to figure out how to do this. And that’s a good thing, because we want all that support. It’s also a troubling thing because we wind up with too many cooks in the kitchen, and it’s harder to get things done without a consensus on the specifics of what needs to be done, given the tight timeline.”