The Impact of CISA 2015 on Cyber Threat Sharing Practices

As the expiration of a pivotal statute that shields companies from liability for sharing cyberthreat indicators approaches, experts are raising concerns about the implications for corporate cyber defense initiatives. The Cybersecurity Information Sharing Act of 2015 (CISA 2015) is set to lapse at 12:01 a.m. Wednesday, barring urgent congressional action, which would dismantle a liability shield that has been in place for nearly a decade.

Legal professionals and cybersecurity leaders are contemplating the fallout of this legislative change. Analysts at Information Security Media Group have indicated that the fate of threat information sharing will hinge on interpretations of legal nuances rather than purely technological considerations.

“The central issue here has always revolved around legal considerations,” stated Megan Stifel, Chief Strategy Officer at the Institute for Security and Technology and former Director of International Cyber Policy at the White House. She expressed hope that companies continue to share anonymized cybersecurity data despite potential legal risks.

Established under CISA 2015, the current legal framework permits corporations to share cyberthreat information with the federal government and among themselves through the Department of Homeland Security, facilitating better intelligence sharing. However, without the protection guaranteed by the law, businesses may be hesitant to exchange information, fearing the potential for litigation.

Errol Weiss, Chief Security Officer at the Health Information Sharing and Analysis Center, highlighted the chilling effect the law’s expiration could foster. He warned that the absence of liability protections might deter voluntary information sharing among organizations, particularly in the healthcare sector, though groups like Health-ISAC aim to maintain vital intelligence exchanges within their networks.

Scott Algeier, Executive Director of the IT-ISAC, underscored the importance of information sharing among technology firms and indicated that his organization would strive to continue these efforts. Nonetheless, he cautioned that even a temporary lapse in CISA 2015 could significantly influence the nature and scope of information exchanges, especially involving government agencies.

Looking ahead, cybersecurity authorities agree that short-term disruptions may be manageable; however, if the situation extends, concerns about liability could reshape organizational risk assessments and slow down information sharing dynamics. Michael Daniel, President and CEO of the Cyber Threat Alliance, emphasized that persistent uncertainty could present far more serious challenges.

The urgency surrounding CISA 2015 has become intertwined with ongoing political negotiations. House Republicans have proposed a short-term extension as part of a broader government funding bill, as July marks the end of the federal fiscal year and a potential government shutdown looms. Senate Democrats have signaled that they will not support a funding bill without specific conditions that address various concerns.

The hurdles to reauthorizing CISA 2015 are further complicated by political divides, notably those led by Senate Homeland Security Chairman Rand Paul, who advocates for amendments to limit the Cybersecurity and Infrastructure Security Agency’s authority, an issue that has garnered attention since the 2020 elections.

Despite these challenges, a bill recently advanced by the House Homeland Security Committee proposes reauthorizing CISA 2015 for another decade, including provisions for enhanced technology sharing with artificial intelligence developers and critical infrastructure operators. As industry stakeholders navigate this uncertain landscape, the future of cyberthreat information sharing will remain a focal point for maintaining robust defenses against cyber adversaries.