Two U.S. senators, Gary Peters and Mike Rounds, have introduced the Cybersecurity Information Sharing Extension Act. This bill aims to extend for another decade the Cybersecurity Information Sharing Act of 2015, a law that encourages businesses to share cybersecurity threat data with the federal government. The new bill seeks to renew provisions that incentivize companies to voluntarily share threat indicators like software vulnerabilities and malware with the Department of Homeland Security (DHS). By renewing the law, the senators hope to improve collaboration between the private sector and government to address rising cybersecurity threats.
The original 2015 law, set to expire in September, was instrumental in enhancing national cybersecurity efforts.
It provided legal protections for companies that shared threat information, helping federal agencies like the Cybersecurity and Infrastructure Security Agency (CISA) respond to cyberattacks. This sharing of data, which includes malicious IP addresses and software vulnerabilities, also helped CISA assist victims of cyberattacks, including high-profile incidents like the SolarWinds attack and Chinese cyber campaigns. The new bill aims to continue this protection and prevent legal risks for companies participating in cybersecurity data sharing.
Peters emphasized that the renewal is critical for national security, given the increasing sophistication of cyber threats. With the law renewed, both government agencies and businesses will continue to collaborate to prevent data breaches and defend against cybercriminals. Rounds, who chairs the Armed Services Subcommittee on Cybersecurity, echoed these concerns, stressing that allowing the law to expire would weaken the cybersecurity ecosystem and undermine defense efforts across critical sectors.
The bill’s passage would ensure vital protections for information sharing, which many experts believe is essential for effective cybersecurity.
The proposed extension also includes measures to maintain privacy protections. The law prohibits the inclusion of personally identifiable information in threat reports and ensures that threat data is shared with appropriate entities, such as the Joint Cyber Defense Collaborative (JCDC) and industry-specific Information Sharing and Analysis Centers (ISACs). Cybersecurity experts, such as Deepwatch CISO Chad Cragle, support the renewal but suggest that the law should be updated to better reflect today’s privacy concerns, operational challenges, and supply chain realities.