A top Cybersecurity and Infrastructure Security Agency official said the agency is prepared to accept any extension Congress authorizes for a fundamental cybersecurity threat intelligence-sharing law, which is set to expire Sept. 30 unless renewed by lawmakers.
“We’ll take whatever the Congress decides to authorize us, wherever they see fit within their purview, to authorize and to give us our authorities to be able to use,” Nick Andersen, CISA’s executive assistant director for cybersecurity, told reporters Thursday on the sidelines of the Billington Cyber Summit.
The Cybersecurity Information Sharing Act of 2015 lets private sector providers freely transmit cyber threat information to government partners with key liability protections in place, shielding firms from lawsuits and regulatory penalties when sharing threat data with the government.
“So at this point, I think my primary concern is if it lapses,” Andersen added. “Give us 30 days for the Congress to do what they need to do. Give us two years. Give us ten years. Give us 50. Whatever you take, we’ll take it. Obviously, we love stability for the organization and stability for our partners to understand how we’re going to protect and exchange information. But really, that’s up to Congress.”
Last week, the House Homeland Security Committee approved a measure to extend the info-sharing law by another ten years. But its fate is uncertain as the panel’s counterpart committee in the Senate works through its own version of the legislation.
Industry stakeholders are concerned that Congress won’t be able to agree on a clean, ten-year extension in time, multiple people with knowledge of ongoing legislative discussions told Nextgov/FCW. Several believe a shorter-term extension, of one or two years, is more probable than ten.
House Homeland staffers have discussed getting a ten-year extension into a broader stopgap bill that seeks to keep the government funded after the end of this month, according to two people familiar with the matter.
Senate Homeland Security Committee Chairman Rand Paul, R-Ky., has promised to insert his own language into the bill that would aim to prevent censorship of Americans’ free speech, a byproduct of years of GOP accusations tied to past CISA activities in and around the 2020 election.
A draft version of Paul’s extension bill, first reported by Politico, extends the law by just two years and jettisons a key legal clause that incentivizes companies to share threat information with the federal government.
In the early 2010s, legislative efforts to establish a cyber threat information sharing framework were underway but faced major hurdles amid public skepticism over government privacy abuses following Edward Snowden’s 2013 global surveillance disclosures.
The view shifted after the Office of Personnel Management suffered a massive data breach in 2015, compromising the personal information of over 21 million current and former federal employees, which galvanized support for the law as it stands today.
“Whatever sharing we can do under safe harbors, particularly the 2015 act, is incredibly important,” Dave DeWalt, CEO of cybersecurity venture capital firm NightDragon, told Nextgov/FCW in an interview.
“You want these provisions to share [data] more appropriately,” he said, later adding that “sharing is quintessential to our success not just within the United States, but around the globe.”