A pivotal United States cybersecurity law is just a few dozen working congressional days away from its expiration. The Cybersecurity Information Sharing Act of 2015, also known as CISA 2015, is currently set to expire September 30th. The law has broad bipartisan backing, strong support from the private sector, and is a top legislative priority. However, analysts worry that the federal statute could expire or be renewed without needed improvements. The House is set to meet on just twenty-seven of those days, while the Senate will meet on thirty-seven. During that time, Congress must also approve spending bills and grapple with a major new reconciliation proposal.
The biggest short-term impact of a potential lapse in CISA 2015 would be widespread uncertainty for businesses. Many private sector entities would need to reassess the legal basis for their information sharing security agreements. A former top cybersecurity official warned that some of these entities will have to stop sharing information. He stated that this unfortunate outcome will clearly make the United States much less secure against cyberattacks. The head of the Cyber Threat Alliance said a lapse could significantly raise legal and logistical burdens. He fears we could lose the ability for information about major threat actors to be shared in a timely manner.
Cybersecurity experts have called for modernizing key definitions, expanding liability protections, and strengthening existing legal safe harbors. They say the law needs to be updated with stronger definitions and much clearer guidance to improve defenses. Panelists at a recent hearing pointed to outdated language that limits the law’s usefulness against emerging threats. These include artificial intelligence manipulation, pre-deployment software tampering, and attacks on nontraditional targets. Experts urged lawmakers to update key definitions to reflect modern risks, including attacks on machine-learning models. They also want to address corrupted software supply chains and nontraditional devices like IoT and OT systems.
Should the cyber subcommittee opt for a full overhaul, reauthorization could stall amid several potential roadblocks. These include efforts to bundle in complex artificial intelligence and supply chain updates that may complicate voting. The process could also be delayed by strong objections from privacy advocates or by procedural scheduling hurdles. Lawmakers may resist a clean renewal if the bill lacks the updated safeguards needed to strengthen sharing. A lapse in the law could be further compounded by recent cuts to cybersecurity teams. The situation is also worsened by a severe cyber talent gap and other disruptions to federal information sharing.