Companies are facing the risk that they will be left alone to fend off cyber attacks.
Even as authorities warn of relentless cyber threats, a key tool companies use to safely share information with other businesses and the government is set to expire. Meanwhile, the Cybersecurity and Infrastructure Security Agency, the federal body that oversees public-private sharing of cyber data, has had its funding cut by the Trump administration, which has blasted it for allegedly targeting conservative speech.
The Cybersecurity Information Sharing Act of 2015 shielded companies from lawsuits and liability if they were willing to share details about threats and vulnerabilities with each other and with federal agencies. That law and its immunity protection have encouraged industry to disclose threat intelligence for the last decade, but they’ll expire at the end of the month unless Congress takes action.
The expiration of CISA 2015 would force companies to rely on themselves or industry groups to meet new cyber attacks bolstered by emerging technologies, like agentic artificial intelligence, while leaving smaller organizations in the dark.
Sean Plankey, Trump’s pick to lead CISA, has said CISA 2015 is critical to industry and has committed to seek more resources for the agency. On Sept. 3, the Homeland Security Committee unanimously approved a bill extending protections for companies sharing cyberattack information. That legislation must pass the full House and Senate to make it to Trump’s desk and become law.
The threatened loss of the law comes amid cuts to cybersecurity budgets and workforce reductions that have reduced the government’s engagement with the private sector—raising concerns about the future of the public-private cyber dialogue.
“We’ve already taken away a lot of cyber resources in the forms of funding, diminishing international partnerships and agencies and capacity building efforts,” said Carole House, a senior fellow at the Atlantic Council GeoEconomics Center.
“Taking away the liability protection would be devastating—this is the last line of defense for industry to be their own last line of defense,” added House, a former White House cybersecurity advisor.
Getting Lawyers to Talk Cyber
Convincing companies to share cybersecurity information is a longstanding goal, because much of US critical infrastructure is privately owned.
In the 1990s, the Clinton administration called for the creation of information sharing and analysis centers—ISACs—to encourage communication among critical sectors. Many companies remained reluctant to discuss cyber vulnerabilities, however, often because of legal concerns.
Information sharing is essential for corporate security officers to strengthen defenses. But general counsel are more “concerned about the liability,” said David Anderson, deputy chief information security officer at Travel + Leisure Co. “There is this major tension between, how can I respond tactically to a threat that is evolving very rapidly, and maintain our legal protection?”
CISA 2015 sought to bridge that gap by providing liability protection against privacy, antitrust, and other enforcement actions.
Losing those assurances would move the decision from security officers back to the general counsel—potentially curtailing information sharing. Conducting the needed legal reviews can take months or years, if companies decide to share at all, said Ari Schwartz, managing director of cyber services at Venable LLP.
“We’d just have to go back to those days of lots of legal vetting, projects being slowed down, maybe not actually happening the way they’re supposed to,” said Schwartz, who was cybersecurity director for the National Security Council in the Obama White House.
Going Quiet
The administration’s attacks on the Cybersecurity and Infrastructure Security Agency are having an effect.
“I’m seeing fewer people around. The ones that are around aren’t participating as heavily as they were,” said Errol Weiss, chief security officer at Health-ISAC. Weiss said meetings with HHS and CISA personnel have become rarer in recent months.
The Trump administration has terminated hundreds of CISA employees, diverted funding, and proposed significant budget cuts to refocus the agency on protecting critical infrastructure.
Both CISA and companies constantly rely on CISA 2015 to defend against cyber attacks, CISA’s Acting Director Madhu Gottumukkala said in an emailed statement. The act “fuels the trust, speed, and collaboration that make us stronger together,” he said, and the agency is ready to assist Congress to “ensure that these critical protections remain in place.”
CISA provides free vulnerability scanning and counseling alongside its information sharing work to shore up the defenses of organizations with less robust capabilities.
“The beneficiary of this sharing regime is absolutely the small hospital or the small company, or the medium-sized company that doesn’t have the resources to buy every cyber tool out there on the market,” said Cynthia Kaiser, SVP of Halcyon’s Ransomware Research Center and former deputy assistant director of the FBI’s Cyber Division. “They need to get the information on the adversaries and the actors.”
Plan B?
There are now at least 28 industry-focused ISACs in the US, and some say they’ll continue working regardless of what happens to CISA 2015.
“They’re very concerned about the loss of this law and what would happen,” Schwartz said. To motivate companies, “they would have to come up with these complicated legal agreements.”
Some ISACs already offer members protection. The IT sector’s ISAC, which includes
“We’re hopeful that we’re going to continue to see a lot of engagement,” said Scott C. Algeier, executive director of the IT-ISAC. “But you run the risk of some companies making the determination that it’s too risky for them now.”
Source: Bloomberg Law