Consensus forms on reauthorizing 2015 cyber info-sharing law now, upgrading it later

The message was consistent at a House cybersecurity hearing Thursday: pass legislation extending an expiring information-sharing law before it lapses in September, and worry about improving it later.

Both lawmakers and witnesses at the hearing of the Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection shared that view about the pending expiration of the 2015 Cybersecurity Information Sharing Act, which provides legal protections for organizations to share cyber threat data with the federal government and each other.

A “clean authorization is just critical,” said Kate Kuehn, who represented the National Technology Security Coalition. “We can change what we need to change later.”

Rep. Eric Swalwell, D-Calif., the subcommittee’s ranking member, shared that view, saying lawmakers could open up the law after re-upping it for updates and upgrades.

“It’s rare that these days we see such a wide consensus on any topic, but on the issue of reauthorizing CISA 2015, I’ve received a very clear message from everyone I’ve talked to: Do. Not. Let. It. Lapse,” he said. “We must move quickly to reauthorize CISA 2015 before it expires in September. While it’s reasonable to discuss if there are ways to change the law going forward, we cannot allow such discussions with such an imminent timeline to delay reauthorization.”

A bipartisan Senate bill would take the approach of a “clean” reauthorization, changing nothing other than the expiration date from this year to 10 years into the future.

The chairman of the subcommittee, Rep. Andrew Garbarino, R-N.Y., asked witnesses what would happen if the law lapsed. The consensus was that it would harm cyber defenses.

“You’re taking the decision from the CISO to the general counsel’s office, and that is going to slow everything,” said Diane Rinaldo, who testified as a “private citizen” but was a former House Intelligence Committee staffer during the years the 2015 law was being written, and is the executive director of the Open RAN Policy Coalition.

John Miller, senior vice president of policy for trust, data and technology and general counsel at the Information Technology Industry Council, said if the law expired there “would be an immediate chilling effect at least for some organizations on their ability and willingness to share.”

Karl Schimmeck, executive vice president and chief information security officer at Northern Trust, said a lapse would be particularly hard on small- and mid-sized businesses.

Sen. Rand Paul, R-Ky., was an opponent of the 2015 law, citing privacy worries, and now chairs the Homeland Security and Governmental Affairs Committee that could help decide the law’s fate. 

“Privacy concerns might be the biggest obstacle to getting this reauthorized,” Garbarino said, observing that the lack of any reported privacy violations related to the law should mitigate those concerns.

More than 50 organizations sent a letter to Congress this week asking lawmakers to re-up the information-sharing law.

“CISA 2015 is a cornerstone of American cybersecurity. It enhances businesses’ ability to respond swiftly to today’s cyber threats, including tackling cybersecurity issues and addressing them at scale,” they wrote. “Lawmakers must send the CISA 2015 reauthorization legislation to the president to continue ensuring that businesses have legal certainty and protection against frivolous lawsuits when voluntarily sharing and receiving threat indicators and taking steps to mitigate cyberattacks.”