Cyber information sharing deadline approaches for the 'critical' law extension
The reauthorization process for the Cybersecurity Information Sharing Act (CISA) of 2015 is currently underway in Congress, with the statute's provisions set to expire on September 30, 2025.
The need to reauthorize CISA is widely recognized due to its foundational role in enabling cyber defense activities across public and private sectors. However, with the approaching expiration date and the lengthy legislative process, time is tight for Congress to pass the reauthorization.
In the House, the newest chairman of the House Homeland Security Committee, Andrew Garbarino (R-N.Y.), has proposed changes to the reauthorization process. While specific details about his proposed modifications are limited, many stakeholders favor a straightforward reauthorization without expansive changes that could delay the process.
The House is leaving Washington for its August recess, leaving little time for lawmakers to debate and pass a reauthorization measure before the end of September. Despite the tight timeline, the emphasis is on maintaining existing liability protections and operational frameworks that encourage voluntary threat information sharing.
On the Senate side, bills have been introduced to extend CISA largely as is. Senate Homeland Security Chair Rand Paul, however, wants to keep the law from involving the Cybersecurity and Infrastructure Security Agency, which shares the CISA acronym, in combating disinformation, reflecting a broader tension about agency scope unrelated to core cybersecurity sharing.
Alexandra Seymour, majority staff director for the cybersecurity and infrastructure protection subcommittee, stated that the committee recognizes the criticality of CISA in cybersecurity information sharing. She also mentioned that Garbarino is interested in making some changes to the decade-old law, but emphasized that not allowing it to lapse is the top priority.
John Miller, senior vice president of policy at the Information Technology Industry Council, urged lawmakers to prioritize extending the law above any potential improvements. He also recommended considering "targeted improvements" to CISA, including re-examining definitions like "cyber threat indicator" to account for new threats.
Diane Rinaldo, former acting administrator of the National Telecommunications and Information Administration, urged improving the sharing of cyber data from government agencies to the private sector, but said it might not require a statutory change to CISA.
Karl Schimmeck, chief information security officer at Northern Trust, urged the committee to reauthorize CISA, stating that "Cyber threats don't take breaks, and they don't wait for legislative calendars."
The Cybersecurity and Infrastructure Security Agency has had challenges in carrying out the information-sharing authorities, such as getting organizations to participate in its "Automated Indicator Sharing" program. Despite these challenges, CISA is widely recognized as central to how industry and government share data about cyber threats.
Moira Bergin, minority staff director for the Homeland Security Committee's Cybersecurity and Infrastructure Protection Subcommittee, stated that full committee Ranking Member Bennie Thompson (D-Miss.) is concerned that opening up the House's reauthorization to potential changes will bog down the process.
In summary, the House under Andrew Garbarino is progressing towards reauthorization, with a likely preference for minimal changes to ensure timely passage. Expanding the threat indicator scope or liability protections could be points of discussion but risk complicating negotiations. Stakeholders broadly support maintaining CISA’s current framework given its critical role in national cybersecurity.
- The reauthorization of the Cybersecurity Information Sharing Act (CISA) is a subject of ongoing discussions in both the House and the Senate, as the current statute is set to expire in 2025.
- In the current political climate, there is a general consensus among stakeholders that maintaining CISA's existing framework, which enables cyber defense activities and encourages voluntary threat information sharing, is crucial for national cybersecurity, while potential improvements are also being considered.