Ari Schwartz says Congress should reauthorize the Cybersecurity Information Sharing Act of 2015 to support the public and private sectors’ ability to coordinate responses and safeguard their networks.
Good news can be rare in the cybersecurity world. Security professionals often feel like one of the four horsemen of the apocalypse, bringing word of breach, vulnerability, regulation, or fine. Headlines often highlight consequential cybersecurity attacks, and stories of cybersecurity successes are few and far between.
The Cybersecurity Information Sharing Act of 2015, or CISA 2015, was one of those successes. This law enables threat information sharing, including details about specific cyberattack vectors and potential vulnerabilities, helping entities fortify their cyber defenses.
Unfortunately, this policy achievement will expire in September unless Congress votes to reauthorize it. We must not risk going backward 10 years by allowing this law to lapse.
CISA 2015 provided liability protections to companies sharing narrowly defined cyber threat information. By simplifying and lowering the burden on how organizations can share threat information with the federal government and private entities, the law fostered a vibrant information-sharing ecosystem that’s widely used today. CISA 2015 enhances both the public and private sectors’ ability to coordinate responses to threats and cyber incidents.
Prior to CISA 2015, companies prioritized complying with various regulations, including those around antitrust, privacy, and freedom of information. As a result, cybersecurity practitioners were not able to share the type of threat information that could help to stop emerging threats. The passage of CISA 2015 addressed these compliance concerns, enabling the development of a threat-sharing ecosystem.
In 2015, the main focus was on information sharing between private companies and the federal government. Today, the clearest wins are within the private-to-private information-sharing context. We saw CISA 2015’s success with the growth of the Cyber Threat Alliance, a nonprofit that enables prompt and high-quality cyber threat information sharing among its private-sector members.
The establishment of information sharing between the financial services sector and the retail sector through Information Sharing and Analysis Centers also demonstrated CISA 2015’s impact. Before the law’s guidance, this information sharing was discouraged, as it risked technical violations of antitrust rules. But after the law’s enactment, these industries began sharing valuable information to strengthen their cybersecurity, enabling them to react faster to new threats.
Before CISA 2015’s passage, stakeholders advocated for these cyber information-sharing liability protections that ultimately were included in the final law. When earlier versions of the legislation were introduced, opposition surfaced. Privacy groups were concerned, and then-President Barack Obama threatened to veto the earlier Cyber Intelligence Sharing and Protection Act if it made it to his desk. Senate Republicans also opposed the effort. Legislative negotiations ensued, changes were made to address privacy concerns, and the act eventually passed with strong bipartisan support.
Although privacy groups opposed CISA 2015 when it passed, many were less concerned by the implementation of the law after the Department of Homeland Security and the Department of Justice released guidance that narrowly followed congressional intent. Today, a number of privacy groups have not opposed reauthorization of CISA 2015, including the Center for Democracy and Technology.
CISA 2015 was a notable success in a space known for bad news. A decade ago, information sharing was a dominant topic of conversations around cybersecurity policy. Codifying information sharing was a top goal for policymakers to strengthen cybersecurity across the board. After CISA 2015’s enactment, successful information sharing became well-established and companies across sectors have relied on the legislation to help safeguard their networks.
The upcoming expiration of the act jeopardizes this progress. Many industry groups whose members rely on the landmark law are advocating for reauthorization, including the US Chamber of Commerce’s Protecting America’s Cyber Networks Coalition and the Business Roundtable.
Getting any piece of legislation through our current Congress can be a difficult task. But stakeholders must push for the reauthorization of CISA 2015, which has been a clear and rare victory in cybersecurity policy. We must continue this critical collaboration and help companies stay prepared against security threats.
This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law, Bloomberg Tax, and Bloomberg Government, or its owners.
Author Information
Ari Schwartz is executive director of the Cybersecurity Coalition and managing director of cybersecurity services and policy at Venable.
(Updates fifth paragraph to add context. A previous version clarified that the Center for Democracy and Technology has not opposed reauthorization of CISA 2015.)