With the expiration of the Cybersecurity Information Sharing Act (CISA) of 2015 on the horizon, House intelligence committees have recently received briefings on the efficacy of the law, detailing to what extent private businesses have been willing to share cyber threat data with the government. However, new developments have placed the Act’s reauthorization into question, including the pending retirement of one committee chairman, Mark Green, who has been a strong proponent of a bipartisan bill that would extend the Act another 10 years. That renewal bill was brought forward by Mike Rounds and Gary Peters who argue that this bill has been—and will continue to be—vital for US national security defenses.
Some key notes on the The Cybersecurity Act of 2015: first, as aforementioned, it calls on public and private entities to share relevant cybersecurity information with The Department of Homeland Security. In return, the DHS has built a database that distributes information between these entities and has shared with them the best cybersecurity practices before and after breaches occur. This Act neither forces compliance from these businesses nor exposes the personal information of their customers; instead, businesses have the option of participation, and any information disseminated must be free from all consumer (and company) personal identifiable information. Finally, companies that do choose to be compliant with their data-sharing practices are granted immunity. The success of this Act, as a result, can not only be attributed to the centralized database of breach information but also because it has opened the lines of communication between businesses and federal agencies.
However, there are those who believe that changes to the bill are required, including another committee chairman, Rick Crawford, who argues that the law does not adequately address advancements in cyberattacks since 2015. This means that the bill would require additional rounds of negotiation between lawmakers to ensure that this voluntary information-sharing framework continues to strengthen our national defense against cybersecurity threats. The question, therefore, is not whether the bill is beneficial or ought to be renewed—it is instead whether lawmakers will have enough time to shepherd the passage of the renewal. Given that Rounds and Peters have yet to identify the proper vehicle to bring this bill on the floor of the House and get it passed, this question is still up in the air. However, we will continue to provide updates to this story as they arise.
