As Congress prepares to turn its attention to reauthorizing the Cybersecurity Information Sharing Act, lawmakers and experts are saying that while the statute has positively impacted the nation’s cybersecurity posture, it also needs improvements in information sharing going forward.

“The Cybersecurity Information Sharing Act, which was passed … 10 years ago, [was] quite controversial at the time,” said Rep. Jim Himes, D-Conn., who serves as the ranking member on the House Intelligence Committee, during remarks on April 23 at a National Security Institute and Center for the National Interest event on Capitol Hill.

The Cybersecurity Information Sharing Act was approved by Congress in 2015 and provided companies with protections to share cybersecurity threat information with the Department of Homeland Security, Cybersecurity and Infrastructure Security Agency’s (CISA) Joint Cyber Defense Collaborative, and with each other through formal and informal channels.  

The law is set to expire on Sept. 30 absent congressional action to renew it.  

Reflecting on the legislation, Rep. Himes noted its importance but added that he thinks it could be tweaked to improve communication between the public and private sectors.

“I still think we can do a much better job of creating a partnership,” he said, criticizing a lack of coordination during the Colonial Pipeline attack in 2021 by a Russian cybercriminal group that led to an emergency declaration after 5,500 miles of East Coast petroleum pipelines experienced a week-long shutdown.  

“Our people did not have any meaningful communication with the company that was maneuvering the probably single most visible cyber attack on the private sector … That’s not okay,” the congressman said.  

Rep. Himes stressed the need to improve information sharing, saying that “we need to set up a safe space where information can travel back and forth better than it does.” 

Kelli Andrews, senior director for cybersecurity and lawful access policy at Microsoft, agreed with Himes, saying that “there hasn’t really been a great mechanism yet that we’ve kind of figured out with the government to do this sharing in a way that is sharing with the right group and that’s actionable.” 

A reauthorization of the act should also align incentives across government and the private sector, said Jamil Jaffer, founder and executive director of NSI, explaining that existing incentives push industry to comply only with bare minimums, which doesn’t provide all the information needed to improve cybersecurity.

“If you want to line the lawyers, the shareholders, up – you have to give them liability protection and regulatory protection for what they share,” said Jaffer. “You do that and you will have too much information. They will literally share everything, because they want the line of protection.” 

“Once the government has the information they need, they have to actually be willing to defend the networks, defend critical infrastructure, and take action that can be the form of deterrence by threatening our adversaries,” he added. 

Sens. Gary Peters, D-Mich., and Mike Rounds, R-S.D., introduced the Cybersecurity Information Sharing Extension Act last week, which would extend the existing act to 2035. 

About
Weslan Hansen
Weslan Hansen is a MeriTalk Staff Reporter covering the intersection of government and technology.