Bipartisan duo wants to renew 10-year-old cyberthreat information sharing law

Two senators have introduced a bill designed to extend for another decade the provisions of pivotal cybersecurity legislation from 2015 that encouraged businesses to share information about ongoing cybersecurity threats with the federal government. 

Gary Peters (D-MI) and Mike Rounds (R-SD) announced the Cybersecurity Information Sharing Extension Act, which would incentivize companies to voluntarily share cybersecurity threat indicators like software vulnerabilities, malware, or malicious IP addresses with the Department of Homeland Security (DHS). 

The original law —  the Cybersecurity Information Sharing Act of 2015 — expires in September. It was hailed by federal agencies and cybersecurity experts as key to protecting personal information and ensuring that both the federal government and companies can take collaborative steps to prevent data breaches or attacks from cybercriminals and foreign adversaries.

Peters said in a statement that the legislation is “essential for our national security” as cyberthreats continue to grow more sophisticated. 

“For the past ten years, these critical protections have helped to address rapidly evolving cybersecurity threats, and this bipartisan bill will renew them so we can continue this collaborative partnership between the private sector and government to bolster our nation’s cybersecurity defenses against a wide range of adversaries,” he said. Peters is 

The law provides companies with protection from legal and regulatory punishment in exchange for insight into malicious cyber activities. The senators said information sharing about security flaws has also helped the Cybersecurity and Infrastructure Security Agency (CISA) support victims of significant breaches. 

They noted that the law includes measures that stop companies from including personally identifiable information in threat reports. The threat information is typically spread to critical infrastructure organizations through CISA’s Joint Cyber Defense Collaborative (JCDC) and industry-specific Information Sharing and Analysis Centers (ISACs).

Information sharing protections have been used by organizations to help address multiple crises, including Russia’s SolarWinds attack, Chinese campaigns like Volt Typhoon and other prominent incidents, according to the senators. 

Rounds said allowing this legislation to lapse “would significantly weaken our cybersecurity ecosystem, removing vital liability protections and hampering defensive operations across both the defense industrial base and critical infrastructure sectors.” Rounds is chairman of the Armed Services Subcommittee on Cybersecurity.

Multiple experts said the law has provided legal clarity for threat intelligence sharing efforts that have been amplified by subsequent federal government initiatives like the JCDC. Deepwatch CISO Chad Cragle said the law allowed him and other defenders to “work shoulder-to-shoulder with the government in an operational, rather than just performative, way.”

But he noted that the renewal effort is an opportunity to fine-tune the law, preserving its core strength “while ensuring it reflects today’s privacy expectations, supply chain realities, and operational complexity.”