President Trump’s AI Action Plan emphasizes the importance of bolstering cybersecurity of critical infrastructure. One of the recommendations would create an AI Information Sharing and Analysis Center (AI-ISAC) to share AI security threat information in real-time among U.S. critical infrastructure to mitigate risk and report incidents. However, a key law that enables the sharing of threat information in real-time is set to expire in less than 2 months.
The Cybersecurity Information Sharing Act of 2015 (CISA 15) is set to lapse on September 30. With less than four weeks left on the legislative calendar before the statute’s expiration, Congress must act urgently.
Over the last decade, CISA 15 has strengthened America’s cyber defenses by incentivizing and facilitating the sharing of cyber threat information. Any lapse of CISA 15 would create significant uncertainty, weaken the U.S. cybersecurity posture, and undermine a decade of progress in building trust between national security professionals, law enforcement, critical infrastructure owners and operators and others in industry.
No single entity has the full picture of the cybersecurity threat landscape. To stay at the forefront, collaboration across public to private and private to private entities is crucial to the recognition, response, and remediation of new attacks. These protections improve the rate of sharing cyber threat information which strengthens U.S. cybersecurity across the federal government, businesses, critical infrastructure, and state, local, and tribal governments.
CISA 15 protections are a foundational underpinning across the Joint Cyber Defense Collaborative (JCDC) and Automated Indicator Sharing (AIS) program while also advancing the Information Sharing and Analysis Centers (ISACs) to provide real time threat intelligence to entities. With CISA 15 laying the groundwork, these collaborative efforts have flourished, increasing both the capacity and response rate to cybersecurity threats. Reauthorization of CISA 15 will help maintain these collaborative public-private efforts.
Since the law’s enactment, the cybersecurity threat landscape and technology have changed drastically. While this may warrant certain additions or modifications to the law, there likely won’t be enough time to reach consensus in time to avoid a lapse. Efforts to update CISA 15 should allow for sufficient time for robust stakeholder engagement, and the tech industry is ready to engage. However, we do not want perfection to get in the way of a productive law’s reauthorization and, unintentionally, allow malicious actors to gain a leg up by letting the critical protections lapse.
A lapse in authorities would impact the speed and capacity of sharing and responding to cybersecurity threat information. Companies would face legal uncertainty when deciding whether to share threat information. Additionally, information sharing capabilities would likely decrease, and signal to adversaries that the U.S. has a weakened cyber posture.
While there are several reauthorization pathways Congress can take, the quickest and most effective would be to pass a clean reauthorization to avoid a gap in these critical authorities. Senators Gary Peters (D-MI) and Mike Rounds (R-SD) introduced a bipartisan bill to do just that. S. 1337, the Cybersecurity Information Sharing Extension Act would reauthorize CISA 15 for ten years.
While there are avenues for the administration to include an extension of CISA15 in the anomalies package, Congress' consideration of a Continuing Resolution (CR) is the only known legislative vehicle to ensure the liability protections don't lapse. Congress should leverage the upcoming CR and attach S.1337 to the moving vehicle. Doing so would avoid an unforced error in today's evolving and increasingly complex cyber threat environment.
As cybersecurity threats continue to grow, the time to act is now. To avoid greater risk to the cybersecurity of the federal government, industry, and state, local, and tribal governments and Americans across the nation, we encourage Congress to act swiftly on a clean CISA 15 reauthorization to prevent a lapse in these crucial authorities.