Cybersecurity protections have lapsed due to congressional inaction

Ten years ago, Congress enacted the Cybersecurity Information Sharing Act to help fortify our collective cyber defenses by enabling and incentivizing cyber threat information sharing between the government and critical infrastructure companies, including banks. Because these protections were not renewed before they expired on Sept. 30, cyber defenders are missing a critical weapon from their arsenal. These front-line responders must now confront sophisticated cyber adversaries without a key resource to better understand the tactics and techniques used to attack critical infrastructure and the sensitive data maintained by those entities. We know from recent incidents like the Salt Typhoon campaign that nation-state actors are embedding themselves in our critical infrastructure to serve broader geopolitical aims.

The voluntary and confidential information-sharing framework that this law established removes legal barriers to safe threat communications and provides vital protections and privacy guardrails preventing the use of data for other purposes. For instance, it preserves attorney-client privilege, bars cyber threat information shared under the law from use in regulatory enforcement actions and exempts the same information from public disclosure under the Freedom of Information Act. Importantly, the law also facilitates company-to-company information sharing through its antitrust exemption, which has fostered the ability of firms to share sensitive information that is useful in preventing attacks.

The authorities codified by this law have become essential to the underlying fabric of public-private collaboration to combat emerging cyber and national security threats. The private sector and government have enjoyed previously unavailable lines of communication that increase the speed and capacity by which they can respond to significant cyber incidents. The demonstrated value of these structures led lawmakers to incorporate these statutory provisions by reference in other key cybersecurity laws, including the Cyber Incident Reporting for Critical Infrastructure Act.

When Congress initially took up the CISA legislation, privacy concerns were primarily responsible for any objections to its eventual enactment. Nevertheless, the evidence suggests that the privacy and confidentiality requirements articulated in the law have worked as intended. A recent DHS Inspector General report noted the law had no adverse privacy effects and there have been no documented privacy violations since the law’s passage a decade ago.

Given those benefits, it is no surprise that renewing these protections has drawn support from the vast majority of policymakers and the private sector. There is near-universal support from industry, including the financial sector. The reauthorization effort also enjoys broad support from the Trump administration. DHS Secretary Kristi Noem and National Cyber Director Sean Cairncross have both publicly affirmed the importance of these information-sharing protections and the need for Congress to preserve them.

All this support notwithstanding, and despite the best efforts of several lawmakers including House Homeland Security Chairman Garbarino, Cybersecurity Subcommittee Ranking Member Swalwell, Senator Peters and Senator Rounds, Congress was unable to get a reauthorization bill across the finish line. So where does this leave us?

We can say with confidence that sophisticated nation-state and cybercriminal attacks are unlikely to subside anytime soon — but we are now less well-positioned to combat them. Time is a critical factor in the incident response process, and this will slow down the speed at which private sector companies can close cyber vulnerabilities. Companies will have to decide for themselves what their tolerance is for any legal exposure created by sharing cyber threat information in the absence of these protections. Nevertheless, a general chilling effect on this critical information exchange seems likely — a win for those interested in degrading U.S. economic and national security. It is our sincere hope that Congress recognizes the urgency of this situation and moves to reauthorize the Cybersecurity Information Sharing Act in short order.