Rest easy, IT pros—you’re (most likely) still covered.
Lawmakers in Washington moved to renew a ten-year-old rule that protects the sharing of breach information on September 3, earning praise from the cybersecurity industry.
Some industry figures had been concerned that the Cybersecurity Information Sharing Act might not be renewed, potentially throwing established cybersecurity norms into chaos. The law, first passed in 2015, allows the private sector to report breaches to the federal government without fear of liability, Rex Booth, CISO at SailPoint, told IT Brew.
“Perhaps the most important thing is that it allows private entities to share threat indicators and cyber intelligence with the federal government without fear of liability,” Booth said. “If an organization has an indicator that it thinks would be useful to the broader cyber community, it’s able to share it, most likely with [the Cybersecurity and Infrastructure Security Agency], and not have to worry about that somehow coming back on it.”
Put it in line. House Homeland Security Committee Chairman Rep. Andrew Garbarino (R-NY), in comments ahead of the September 3 markup hearing, agreed, saying that the act has a role to play in the broader cybersecurity posture of the country.
“Over the last decade, the law has provided a framework for voluntary information sharing across the public and private sectors, and between private sector entities, regarding cyber threats facing our networks,” Garbarino said.
Industry players like Daniel Kroese, Palo Alto Networks VP of public policy and government affairs, praised the act’s reauthorization.
“The successful reauthorization of CISA 2015, with updates that take new and emerging technology like AI into account, will enhance our nation’s collective defense by protecting the free exchange of cyber threat information between network defenders,” Kroese said.
Clear and present danger. A number of lawmakers and industry professionals have cited threats from China as a reason for urgency in ensuring the act doesn’t expire. In July, Gray Space Strategies CEO Cory Simpson told IT Brew that those threats indicate that the reason for the act remains relevant.
“If our past is any indication of our future, we should expect more cyberattacks from China and we’re going to be going into that period with less national level cyber defense capability and less ability to share information at this law if this law lapses,” Simpson said. “That’s not ideal.”
Booth said he wasn’t quite so sure that was the main concern. The threat posed to US industry by any hostile nation-state matters more than singling out China, and the act allows for dealing with all those dangers. But he could see why China might be deployed to get lawmakers on board.
“I wouldn’t be surprised if people saw an opportunity to point to whatever is perceived to be the kind of the current national threat, and use that as leverage to help sway public opinion or the opinion of legislatures,” Booth said.