Renewal of cyber information-sharing law must mind the gap, senator says
The latest proposal to reinstate a key cyber information-sharing law that expired last month includes a provision to protect companies that are still providing threat data to the government despite the lapse in authority.
The Protecting America from Cyber Threats Act from Sens. Gary Peters (D-MI) and Mike Rounds (R-SD) would extend the Cybersecurity Information Sharing Act of 2015 for a decade. It also includes a retroactive provision to ensure that there is no gap in the liability protections afforded to private entities that have continued to share threat information.
“We have to continue to get real-time information on threats in order to stand up against persistent cybersecurity attacks,” Peters, who previously introduced a bipartisan bill that made no changes to the original legislation beyond extending it for another 10 years, told reporters during a call on Thursday.
“But we want folks to know that, when this bill passes, that anything that happened during that gap will also be protected” from potential liability, said Peters, the top Democrat on the Senate Homeland Security Committee.
The fate of the 2015 law and the State and Local Cybersecurity Grant Program, another bedrock digital security statute, had been murky for much of the year before both went dark when the government closed its doors on October 1 due to gridlock in Congress on spending legislation.
The House Homeland Security Committee advanced bills to renew both efforts last month. Short-term extensions were attached to a stopgap government funding measure that failed in the Senate and triggered the shutdown.
The Senate has since failed multiple times to advance dueling Republican and Democratic funding bills to end the shutdown, with both sides trading blame for the impasse.
Meanwhile, Peters and his colleagues have repeatedly gone to the Senate floor for a quick voice vote to extend the 2015 law for 10 years with no other changes — only to be blocked every time by Homeland Security Committee Chairman Rand Paul (R-KY).
Peters conceded there are a “number of procedures” the new bill would have to go through before receiving a vote and that he has no timeline in mind. Peters said he had spoken directly with Senate Majority Leader John Thune (R-SD) about the measure but declined to offer additional details.
He also declined to comment on whether his office had observed any changes in industry's behavior in sharing information with the government.
However, Peters said he has “heard from a number of folks that the uncertainty regarding the liability protection is making them very nervous and I suspect that what we have heard so far will only increase in the days ahead.”
Peters also downplayed the idea of a short-term extension, like the one that rode on the proposed government funding stopgap.
“One thing that is very clear from all of the stakeholders is that they need long term certainty when it comes to these protections. You can't operate with just a few week patch and then another few week patch,” he said. “That's no way to run a business. It's no way to run a sophisticated cyber security operation.”
Gabrielle Lipsky, a Paul spokesperson, said the “authority will be turned back on when Democrats, including the bill sponsor, vote to reopen the government.”
“The senator has made it clear that a longer-term reauthorization will need robust free speech protections included.”
Martin Matishak is the senior cybersecurity reporter for The Record. Prior to joining Recorded Future News in 2021, he spent more than five years at Politico, where he covered digital and national security developments across Capitol Hill, the Pentagon and the U.S. intelligence community. He previously was a reporter at The Hill, National Journal Group and Inside Washington Publishers.