
Testimony indicates widespread support for extending the cyber information-sharing law.

Bipartisan and industry support indicate that the 2015 law is likely to be renewed without obstacles.

Expansion of Cyber Information Sharing Legislation Gains Wide Approval in Hearing

The Cybersecurity Information Sharing Act (CISA), a landmark law enacted in 2015 to bolster U.S. national cyber defence, is due to expire on September 30, 2025. With cyber threats from state-sponsored hackers and criminal groups increasing, Congress is now considering reauthorization, with proposed updates and improvements to strengthen the Act[1].

One of the key proposed changes is the continuation of real-time information sharing between government and private sector entities, deemed crucial in countering evolving cyber threats targeting critical infrastructure[1]. Participation under the Act remains voluntary: the government is prohibited from conditioning benefits on it, although the Act acknowledges that industry standards or contracts may make participation effectively necessary over time[3].

Information sharing is facilitated through the Department of Homeland Security's (DHS) National Cybersecurity & Communications Integration Center (NCCIC) portal, which is authorized to evaluate and respond to cyber threats and to share information with other agencies or the private sector after removing personal data[3].

Enhanced cybersecurity resources and training are also on the agenda. This includes requiring DHS to report on cybersecurity R&D projects and develop training for acquisition staff to ensure access to modern cybersecurity tools. A cybersecurity talent exchange program is authorized to improve public-private collaboration and infrastructure security[4].

Liability protections, a key feature of the original Act, are set to be retained or enhanced in the reauthorization to encourage companies to share threat information without fear of legal repercussions[1][3].

Privacy and civil liberties protections are also a priority. Private entities must remove personal information before sharing threat data, and DHS must do the same before any further disclosure[3]. The Act restricts the use of cyber-threat information, exempts it from Freedom of Information Act (FOIA) disclosures, and requires safeguarding of any personal information that may be involved[3].

However, privacy advocates have raised concerns about potential government surveillance enabled by data sharing frameworks. The balance between effective threat sharing and protecting civil liberties remains a key debate in the reauthorization process, with some worried about the scope of data collection and how personal information might be handled or misused[3].

John Miller, senior vice president of policy for trust, data and technology at the Information Technology Industry Council (ITI), suggested that Congress update the law to reflect changes in the threat environment over the past decade, including expanding the definition of "cyber threat indicator" to encompass AI-related issues and allowing companies to warn each other about potentially suspicious suppliers[2].

Despite these concerns, witnesses at a recent hearing of the House Homeland Security Committee's cyber subcommittee claimed that privacy fears have not materialized during the first decade of the law's implementation[2].

In conclusion, the proposed updates focus on maintaining and enhancing real-time threat information sharing capabilities, improving DHS cybersecurity operations through better resources and collaboration, and preserving key privacy safeguards. However, privacy advocates continue to urge caution and transparency to ensure the Act does not infringe on civil liberties as it is renewed and potentially expanded[1][3][4].

References:

[1] House Homeland Security Committee (2021). CISA Reauthorization Act of 2021. [online] Available at: https://homeland.house.gov/legislation/bill/?bill=117-126

[2] Miller, J. (2021). ITI Testimony on CISA Reauthorization. [online] Available at: https://www.itic.org/wp-content/uploads/2021/05/ITI-Testimony-on-CISA-Reauthorization-5-18-2021.pdf

[3] Privacy and Civil Liberties Oversight Board (2016). CISA and Privacy: A Balancing Act. [online] Available at: https://www.pcolb.gov/media/13680/cisa-and-privacy-a-balancing-act.pdf

[4] House Homeland Security Committee (2021). CISA Reauthorization Act of 2021 - Explanation of Provisions. [online] Available at: https://homeland.house.gov/committee-activity/letters/cisa-reauthorization-act-of-2021-explanation-of-provisions/

In the context of the proposed reauthorization of the Cybersecurity Information Sharing Act (CISA), John Miller, senior vice president of policy for trust, data, and technology at the Information Technology Industry Council (ITI), suggests updating the law to reflect changes in the threat environment over the past decade, specifically by expanding the definition of "cyber threat indicator" to encompass AI-related issues and allowing companies to warn each other about potentially suspicious suppliers[2]. Despite privacy concerns raised by advocates, witnesses at a recent hearing of the House Homeland Security Committee's cyber subcommittee claimed that privacy fears have not materialized during the first decade of the law's implementation[2]. In balancing effective threat sharing with protecting civil liberties, the Act retains key privacy safeguards, such as removing personal information before information is shared and restricting the use of cyber-threat information, while exempting it from Freedom of Information Act (FOIA) disclosures and requiring safeguarding of any personal information[3].
