The Cybersecurity Information Sharing Act (CISA), a cornerstone of U.S. cybersecurity policy passed in 2015, now faces expiration on September 30, unless Congress renews it. The legislation facilitates the sharing of cyber threat intelligence (CTI) between the federal government and the private sector. It specifically provides legal cover to companies that voluntarily share threat information, encouraging collaboration and transparency without fear of regulatory or legal consequences. The faster, free exchange of information enables better detection of cyber threats, say experts, quickening response and recovery time after an attack.
In August, the FBI released a warning about two hacker groups targeting Salesforce platforms to access sensitive customer data. Over 700 companies are believed to have been affected so far. Other attacks continue to plague utilities, critical infrastructure and businesses across the private sector, with experts warning there will be no let up any time soon.
There is wide consensus of the law’s importance. The House of Representatives is considering the Widespread Information Management for the Welfare of Infrastructure and Government (WIMWIG) Act, which calls for the reauthorization of CISA 2015 for another decade.
The White House has also signaled that it is a near-term priority. National Cyber Director Sean Cairncross said earlier this month, “This law galvanized our collaboration a decade ago, and the White House understands the advantages and liability protections this legislation provides.” He added that he is “actively working” with Congress on reauthorization.
House Republicans have included a short-term extension of CISA 2015 to a stopgap government funding bill that would sustain the law through November 21, giving a little more time to finalize longer-term reauthorization.
Sign up for the Cyber Initiatives Group Sunday newsletter, delivering expert-level insights on the cyber and tech stories of the day – directly to your inbox. Sign up for the CIG newsletter today.
A Pillar to Public-Private Collaboration
A number of notable cybersecurity experts with experience spanning multiple administrations noted at this week’s Cyber Initiatives Group Fall Summit that the measure is critical to U.S. cybersecurity. Executive Assistant Director for Cyber at CISA, Nick Andersen described the legislation as “foundational” for information sharing. He warned that without the liability protections provided under the law, private companies may hesitate to share critical threat intelligence information with the government.
“[If] we’re not able to provide some assurance that somebody can share information with us, whether it is a threat indicator or as a defensive measure, that their exercise within their own environment … won’t expose them to regulatory or legal risk, that makes it a lot harder for us to all do our jobs,” Andersen said.
“Getting CISA 2015 reauthorized is such a key priority for us as an agency and should really be a priority for all of us interacting with the critical infrastructure owner and operator community day to day,” said Andersen.
The bulk of the U.S. cyberattack surface is privately owned, leaving companies on the front lines of defense. Gloria Glaubman, who served as Senior Cyber Advisor at the U.S. Embassy in Tokyo, noted that “most of the target surface is owned by private industry… So they're the ones that first detect the state sponsored campaigns and we are relying on them to have robust security architecture.”
Experts also stress that private companies are often not equipped with the cyber expertise needed to respond quickly enough to an intrusion. And the threats are getting even harder to spot. Speaking on threats from China, like Volt and Salt Typhoon, Glaubman noted: “They’re using legitimate tools, routers, vendor gear rather than noisy custom malware. And that’s completely different from what we’ve seen in the past, which allows them again to live off the land, which makes it hard to detect.”
Matt Hayden, former Assistant Secretary for Cyber, Infrastructure, Risk and Resilience Policy at DHS, said companies need to ask themselves: “Can they react when given nuanced threat intel dynamically, quickly … Can you actually generate a time to detect, a time to respond when provided with authentic CTI-based data on the enterprises you manage and control?”
“If we’re talking in days or weeks of CTI data being provided to a CISO, and they’re still checking patches and assessing their environment, they’re the ‘have nots’,” Hayden said. “You really have a preparedness challenge from the defender’s perspective.”
It is here that CISA 2015 comes in, say the experts, allowing private companies to share the needed information to enable the government to counter and publicize the threat.
Beyond Information Sharing
Experts say the conversation must extend beyond sharing threat intelligence to include rethinking how we view targeted companies. There are still fears that companies will be penalized for having systems that are vulnerable to cyber intrusions, which creates conflicting pressure that may stop them from sharing information with the government and asking for help. John Carlin, former Acting Deputy U.S. Attorney General, emphasized that when a U.S. company is targeted by a nation-state actor, “we must treat the U.S. company as a victim … but it is not baked into our legal regulatory framework.”
“It’s still too often the case that at the same time they’re getting help from some government agencies, others are looking to punish the victim,” Carlin said. “The cost of that in terms of impeding… sharing information is too high given the threat that we face.”
General Timothy Haugh (Ret.), former NSA Director and Commander of U.S. Cyber Command, argued during an interview at the summit that true cybersecurity resilience requires more than rapid information sharing, but real whole-of-society cooperation. “We need to evaluate public-private partnerships not just by how much information is shared, but by how they make us more secure as a nation,” he said. “Where can industry receive assurances that if they collaborate with the federal government for a nation state hacking activity, how can they get some form of protection when they share that information that won't be used for a response from certain regulatory bodies?”
“There's that conversation not about information sharing as a metric,” Haugh said, “but as security of our nation and security of intellectual property, denial of foreign intelligence collection, and securing our critical infrastructure.”
Are you Subscribed to The Cipher Brief’s Digital Channel on YouTube? There is no better place to get clear perspectives from deeply experienced national security experts.
Read more expert-driven national security insights, perspective and analysis in The Cipher Brief because National Security is Everyone’s Business.
