Credit: Cybersecurity and Infrastructure Security Agency
The Cybersecurity Information Sharing Act 2015 Expired: What That Means for U.S. Cyber Defense
The Cybersecurity Information Sharing Act 2015 (CISA 2015) expired on September 30 even as cyber threats continue to grow. It is imperative to reauthorize and strengthen this line of defense, which encourages real-time information sharing and provides liability protections that consolidate private-public sector participation across many industries.
Foreign adversaries persistently target U.S. government and private sector data systems to retrieve sensitive information. The 2013-2015 OPM breach, in which personal information, social security numbers, and fingerprints of 21.5 million people were stolen, solidified the understanding that partnership between the private and public sectors is essential to combat cyber threats and breaches. CISA 2015 authorizes the private sector to monitor their information systems and, with written consent, the information systems of other private or government entities. This allows for voluntary sharing of threat indicators, with liability protections for private entities that perform the actions above.
In April, Senators Mike Rounds (R-SD) and Gary Peters (D-MI) introduced legislation to extend CISA 2015 for an additional 10 years, noting that this legislation has been critical to defend against rapidly evolving cyber threats and bolster the nation’s security against a wide array of adversaries. One month later, fifty-two companies across several industries signed a joint letter imploring Congress to renew this legislation. Considering this legislation has now expired, congressional action must be taken to restore the legal framework that incentivizes info-sharing across sectors.
The expiration of this act has consequences for the timeliness of cyber defense in our fast-paced world. The Automated Indicator Sharing (AIS) program, authorized by CISA 2015, enables the timely exchange of cyber threat indicators and defensive measures between federal and non-federal entities. Although reports have shown a 96% decline in cyber threat indicator sharing from 2020 to 2022, this decline occurred because a key federal agency halted the sharing of cyber threat indicators over unspecified security concerns.
Despite this setback, sharing cyber threat information remains vital and could be strengthened with key adjustments. The Department of Homeland Security (DHS), which facilitates and promotes the sharing of information, should enforce federal sharing, and non-compliant agencies should face legal and financial consequences. Moreover, the United States government should enhance AIS by implementing an outreach strategy that engages federal and non-federal data producers and receivers.
The proliferation of AI in this decade has created an urgent need for a substantive response to AI-powered cyber threats from both the private and public sectors. Information sharing makes it easier to identify hackers and deploy defensive measures, raising the barriers for malicious actors including foreign adversaries. The expiration of the act also means that other federal cybersecurity collaboration programs, like the Joint Cyber Defense Collaborative (JCDC) team, are less effective, even though they were not authorized by CISA 2015. JCDC was established by the Cybersecurity and Infrastructure Security Agency and is responsible for unifying cyber defense capabilities across government, industry, and international organizations. The JCDC Collaborative AI Playbook, which supports public-private partnerships for collective AI-cyber defense and encourages the sharing of AI-related cyber threat indicators or defensive measures, relied on CISA 2015 for the legal protections and structured process for voluntary sharing of information. Unfortunately, JCDC has weakened greatly due to the expiration of a contract resulting in a large loss of its workforce, but its mission is more important than ever.
Without this act, personal data being held across industries–including finance, healthcare, education, retail, and government–will be in jeopardy. Foreign adversaries would gain the upper hand in an era where cyber-attacks move quickly and often undetected. Weakening real-time response, efficiency, and transparency would create dangerous blind spots and disrupt critical systems. This would leave U.S. cybersecurity and the sensitive information of both U.S. citizens and the nation vulnerable and in the hands of others, rather than under our own protection.


