Lawmakers push for reauthorization of cyber information sharing bill as deadline looms

A bipartisan group of lawmakers sitting on a key cybersecurity subcommittee uniformly argued Thursday for an imminent reauthorization of a key cybersecurity information sharing bill originally enacted in 2015.

The Cybersecurity Information Sharing Act, known as CISA 2015, is set to expire on September 30, a deadline lawmakers on the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection appeared to be keenly aware of, stressing the urgency of reauthorizing a bill that is seen as a cornerstone of U.S. cybersecurity efforts.

In recent weeks, Department of Homeland Security (DHS) Secretary Kristi Noem has publicly stated more than once that she wants to see the law reauthorized.

Despite Noem’s support, reauthorization of the legislation faces some obstacles, including a tight timeline and the fact that it is unclear who in House and Senate leadership will champion the legislation at a time when many other urgent competing bills are vying for attention.

Meanwhile, Subcommittee Chair Andrew Garbarino (R-NY) said at Thursday’s hearing that he believes concerns about privacy are the single biggest barrier to reauthorization.

Witness Diane Rinaldo, a cyber privacy expert and former Commerce Department official who helped draft the original legislation as a congressional staffer, testified that a recent DHS inspector general report cited no privacy violations resulting from the law in the decade since it was enacted.

“That's great, because I'll tell you, other than the name, privacy concerns might be the biggest obstacle to getting this reauthorized,” Garbarino responded. “So the fact that … that report has zero reports of privacy breaches is great.”

CISA 2015 is widely seen as having fueled cybersecurity collaboration between industry and government due to its statutory liability and privacy protections, allowing CISOs and not lawyers to dictate information sharing, as more than one witness put it.

In his opening remarks, Garbarino underscored how significant a role the law has played in helping to disrupt cyber attacks and protect national security.

“A significant volume of critical cyber threat intelligence has been exchanged between industry and government under this law,” he said, asserting that an unnamed “major organization” this year alone shared 84 formal threat reports with thousands of partners. 

“This doesn’t include the numerous informal daily exchanges that are also protected by the law,” Garbarino added.

Several members at the hearing called for a “clean authorization” of the law’s renewal, saying changes can be made later to perfect it.

Rep. Eric Swalwell (D-CA), the subcommittee’s ranking member, said he would like to see the legislation allow more players in the cybersecurity ecosystem to gain security clearances in the future.

His district includes several high tech and biotech companies plus two nuclear labs, Swalwell said, and he often hears industry leaders complain that because only their company CEO is cleared to receive information it limits the effectiveness of the work.

“He's not the engineer,” Swalwell said. “He or she doesn't have the skill set to receive and understand the threat.”

“The problem on the government side is they're not really willing to clear that many individuals,” he said, noting that a major leak of Ukraine war plans emanated from a 21-year-old Air National Guardsman who had a top secret security clearance despite holding a relatively low position.

“We have 20-year professionals who we could give a one day pass for more information to better protect critical infrastructure, and we're cautious about that, so it just seems like we've got the priorities crosswise,” Swalwell said.

Rep. Andy Ogles (R-TN) concurred, saying “one of the things we need to look at is better information sharing, broadening the scope of who might be included.”

Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.