Industry trade groups are speaking up to preserve a 10-year-old threat intelligence law that may be up on the chopping block come September.
The law in question is the Cybersecurity Information Sharing Act of 2015, more commonly known as CISA 2015 (not to be confused with the federal agency that shares the same acronym). The main purpose of CISA 2015, passed under the Obama administration, is to provide liability protection to public and private entities to promote the sharing of cyber threat information within the industry.
Not on my watch! The act is scheduled to sunset on Sept. 30. However, some aren’t quite ready to see it go. On July 7, the Hacking Policy Council penned a letter to members of the House Committee on Homeland Security advocating for the reauthorization of CISA 2015, as reported by Cybersecurity Dive. The council—whose members include Google, Microsoft, and Intel—said a lapse of the CISA 2015 could cause some companies to “hesitate” when reporting vulnerabilities and “jeopardize” the decade’s worth of progress made on the country’s cybersecurity posture.
“At a time when cyber adversaries are accelerating their operations and rapidly exploiting vulnerabilities, we cannot afford to lose the proven framework that underpins public–private sector collaboration,” the coalition wrote.
Joint effort. The Hacking Policy Council is not the only industry group to voice its concerns about the lapse of the 2015 law. In May, the Protecting America’s Cyber Networks Coalition wrote a letter to Congress calling CISA 2015 a “cornerstone of American cybersecurity” and stating that reauthorizing the law was a “top policy priority.”. The letter was signed by more than 50 entities, including the Cybersecurity Coalition, the Software & Information Industry Association, and the Internet Security Alliance.
Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
“Lawmakers must send the CISA 2015 reauthorization legislation to the president to continue ensuring that businesses have legal certainty and protection against frivolous lawsuits when voluntarily sharing and receiving threat indicators and taking steps to mitigate cyberattacks,” the Coalition wrote.
Other groups have also shared written testimonies in favor of reauthorizing CISA 2015. In a statement to the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection, the Operational Technology Cybersecurity Coalition said that CISA 2015 is “foundational” to other cybersecurity laws. The coalition, which comprises a group of cybersecurity vendors focused on advancing cybersecurity for operational tech, added that CISA 2015’s reauthorization is crucial to maintain the “stability” of the “larger cybersecurity legislative landscape.”
In the grand scheme of things. Cory Simpson, founder and CEO of Gray Space Strategies, a professional services and strategic advisory company, gave IT Brew the rundown of what’s potentially at stake if CISA 2015 lapses in September. Simpson said the law’s sunset combined with budget and workforce cuts to the federal agency that bears its name could leave the US vulnerable to cyberattacks from adversaries.
“If our past is any indication of our future, we should expect more cyberattacks from China and we’re going to be going into that period with less national level cyber defense capability and less ability to share information at this law if this law lapses,” Simpson said. “That’s not ideal.”