As Democrats and Republicans in Congress struggle to pass a funding measure to reopen the federal government, leaders of one committee remain just as divided about the fate of a cyber defense law.
The Cyber Information Sharing Act of 2015 (CISA 2015) expired Sept. 30, after a last-minute attempt to bring a measure authorizing its renewal to the Senate floor failed. The law provided liability protections for entities that voluntarily share cyber threat indicators and defensive measures with, or receive them from, other entities or the government.
It also set requirements for the departments of Homeland Security, Defense and Justice, along with the director of national intelligence, to share information on cybersecurity threats with private entities; state, local and tribal governments; and the general public. Cybersecurity professionals in the electric sector and other industries, as well as government officials, have warned that the expiration of the law would quickly erode the information-sharing environment that it fostered. (See Stakeholders Urge Cyber Info Sharing Act Renewal.)
Sen. Gary Peters (D-Mich.), ranking member of the Senate Homeland Security and Governmental Affairs Committee, took to the Senate floor Sept. 30 to urge that the Senate pass by unanimous consent a bill that he and Sen. Mike Rounds (R-S.D.) introduced in April to extend CISA 2015 another 10 years. Peters called the law “one of our most effective defenses against cyberattacks” and cited support from both parties in Congress, along with the Trump administration, to justify the emergency move.
However, Sen. Rand Paul (R-Ky.), chair of the Homeland Security Committee, blocked Peters’ request. Calling Peters’ warnings about the consequences of the law’s expiration “fake outrage,” Paul observed that the continuing resolution scheduled for a vote later that day would extend the law for two months and suggested that Democrats concerned about CISA 2015 vote for that. Peters and all but two of his fellow Democrats later voted against the resolution.
Responding to Paul, Peters said businesses needed assurance that the law would not run out again.
“Countless businesses in every industry across the country depend on these protections. Telling them they could be eliminated again in just two months … does not give them the certainty they need to work,” Peters said. “This is why they want the 10-year extension. … If my colleague doesn’t support clean authorization, well, he’s chair of the committee. He should have initiated a bipartisan process. He should have perhaps convened hearings like a chairman normally would, if they actually care about an issue.”
Paul has proposed his own bill that would renew CISA 2015 for two years while limiting protections against disclosure of cyber threat data shared with the federal government. He has also previously called for tying renewal of the law to legislation that would ban DHS’ Cybersecurity and Infrastructure Security Agency from working on cybersecurity in federal elections.
In a statement Oct. 1, NERC and the Electricity Information Sharing and Analysis Center (E-ISAC) said they “continue to follow developments” relating to CISA 2015’s expiration, while affirming that “E-ISAC information-sharing activities remain business as usual.”
“Information sharing with the E-ISAC is an essential component of the electricity sector’s cyber security posture, helping members identify and mitigate security risk, and defending against evolving threats,” NERC and E-ISAC staff wrote. “And, like many other ISACs, the E-ISAC offers significant protections to address legal and privacy concerns, having long been committed to confidentiality. … The industry should … continue sharing information across the sector and with other sectors through the E-ISAC and other trusted information-sharing partnerships.”