Congress has temporarily extended a landmark cyber information sharing law, but industry representatives and cyber experts are urging lawmakers to act quickly to enact a more long-term solution.

The continuing resolution signed into law Wednesday night extends the provisions of the Cybersecurity Information Sharing Act of 2015 through the end of January. The law had expired Oct. 1.

CISA 2015 provides privacy and liability protections to encourage companies to share data about cyber vulnerabilities and threats. Cybersecurity leaders say those protections provide a critical underpinning to facilitate collaboration across government and industry.

Despite the temporary reprieve, the path forward for a long-term CISA 2015 extension in Congress remains unclear, with divergent reauthorization bills in the House and the Senate.

The White House has called for a “clean” 10-year reauthorization of CISA 2015. But Senate Homeland Security and Governmental Affairs Committee Chairman Rand Paul (R-Ky.) has opposed efforts to move forward such a bill in the Senate.

The long-term extension of the information sharing law, meanwhile, remains a chief concern for the technology industry.

Mike Flynn, senior vice president of government affairs for the Information Technology Industry Council, called the short-term extension “a step in the right direction.”

“Without a long-term CISA 2015 fix, cybersecurity stakeholders will continue to face uncertainty and questions that will undermine the network of information-sharing organizations and programs that have been built over the last decade,” Flynn said in a statement.

Henry Young, senior director of policy at BSA The Software Alliance, said he hopes to see a “sense of urgency” in Congress to extend the law long term.

“While we’re pleased that the law is hopefully going to be extended, we remain concerned that if the CR lapses, we’ll return to a world where cybersecurity information sharing is slowed or stopped, and that really leaves everyone at risk,” Young told Federal News Network.

CISA 2015 lapses

When the law lapsed Oct. 1, some cyber policy experts worried industry would stop sharing information about cyber threats affecting their products or networks.

But Nick Andersen, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency, said information sharing between government and industry was “holding steady” through the end of October.

The cooperation “is a testament to CISA’s reputation that it’s built up and our ability to have long-term collaboration tools,” Andersen told reporters at the Palo Alto Networks public sector conference in Tysons Corner, Va., on Oct. 30.

“I hate to see what’s going to continue to happen, though, after we get past the shutdown and we start having these longer conversations with the vendor ecosystem,” Andersen added.

While companies continued to share information during the lapse, Young said the process slowed down.

“It started to slowly reintroduce the legal review into each one of these individual decisions, which isn’t going to necessarily stop all information sharing, but is going to slow it, and it also might reduce it in increments,” Young said.

“People wanted to work together and continue to share information, and they did, to some extent, but it also created more risk for them to do,” he added.

Cynthia Kaiser, former deputy director of the FBI’s cyber division and now senior vice president of Halycon’s Ransomware Research Center, said the lapse showed the need for a long-term solution to reauthorizing the law.

“It’s critical that protecting cybersecurity information sharing is considered a priority in Congress upon the government’s reopening in order to maintain a strong national security posture,” Kaiser said.

Debate in Congress

While Congress has just over two months to extend the law, the path forward for reauthorization remains murky.

In September, the House Homeland Security Committee passed the Widespread Information Management for the Welfare of Infrastructure and Government Act. The bill was led by Homeland Security Committee Chairman Andrew Garbarino (R-N.Y.).

Garbarino’s bill would extend the CISA 2015 protections for another 10 years, while updating definitions to account for advances in artificial intelligence. It would also require the Department of Homeland Security to improve its outreach on emerging cyber threats.

In a statement released after the House passed the CR, Garbarino called for reauthorizing multiple expired DHS authorities, including CISA 2015.

“With the federal government reopening, I look forward to continuing this Committee’s important work alongside our colleagues in both the House and Senate to find long-term solutions for reauthorizing these vital DHS authorities, bolster our nation’s cyber defenses, maintain President Trump’s secure borders, and ensure the safety of America’s skies and the traveling public,” Garbarino said.

It’s unclear, however, if and when Garbarino’s bill will be called for a vote on the House floor.

In the Senate, meanwhile, Homeland Security and Governmental Affairs Committee Ranking Member Gary Peters (D-Mich.) and Sen. Mike Rounds (R-S.D) have put forward a bill that would extend CISA 2015 for an additional 10 years without modifying the provisions in the law.

“This short-term extension is an important stopgap, but it is set to expire in just two months unless we pass bipartisan legislation to provide more long-term certainty,” Peters said in a statement. “That’s why I’m pushing to pass my Protecting America from Cyber Threats Act with Senator Rounds, which would renew these critical protections for a full decade so that companies know they can count on them in the event of a cyberattack.”

A HSGAC aide said Peters “remains committed to getting this across the finish line and will continue working with colleagues across the aisle to make sure these protections are fully restored.”

However, Paul has blocked efforts to pass a “clean” CISA 2015 extension. He has pledged to oppose any efforts to reauthorize the law unless it prohibits the Cybersecurity and Infrastructure Security Agency from working on future disinformation efforts.

Paul has said the agency’s work in that area infringed on free speech rights. Cyber experts counter that reauthorizing the CISA 2015 law has nothing to do with CISA the agency’s work on disinformation. The cyber agency does rely on the law to undergird its collaboration with industry on cyber threats.

Officials have also lamented how the shared names between the information-sharing law and the cyber agency has muddied the waters in the debate over reauthorizing the law.

“They happen to share that same acronym, which is a fluke,” White House National Cyber Director Sean Cairncross said at the Palo Alto Networks conference last month.

A key question is whether the White House will throw its weight more forcefully behind any congressional efforts to reauthorize the bill. In public comments, Trump administration officials have advocated for a 10-year reauthorization without further modifications to the law.

“It’s a common-sense law,” Cairncross said. “The White House is pushing for a 10-year, clean reauthorization of this authority. It’s something that we want to see done. It’s important to national security and it fosters the sort of collaboration, not only amongst the private sector, but between the public and private sector that’s vital.”

The post Congress extends CISA 2015, but path to long-term reauthorization remains murky first appeared on Federal News Network.

© Federal News Network