Senate Bill to End Shutdown Includes Extension to Cyber-Information Sharing Protections

The Cybersecurity Information Sharing Act was passed in 2015 to give companies legal cover to transmit cyber threat data that includes sensitive information on companies and individual victims to the government. The exemptions were scheduled to sunset in 2025, however, unless renewed via new legislation. When the government shutdown on October 1 without such legislation passing the exemptions expired.

According to Nextgov, the Senate measure extends the exemptions through January 30.

The law has been a critical tool for federal agencies like the FBI to track nation-state cyber threats and criminal hackers. Industry, as well as senior government officials had pressed for its extension in the months leading up to the shutdown, per Nextgov. Its lapse potentially opened the door for adversaries by causing companies to grow shy over sharing threat information with the government.

In an October news release, the Cybersecurity and Infrastructure Security Agency called the lapse, “a serious blow” to U.S. cyber defenses.

Beginning October 1, corporate legal departments and outside attorneys scrambled to help companies navigate the loss of legal protections for data sharing, Nextgov reported last month.

“You needed to have a lawful basis to process data like this in the United States, and CISA 2015 provided that lawful basis,” Sofia Herrera of the boutique cyber-law firm Omnian Legal told the Washington-insider publication. “Now, with it gone, companies need to find another lawful basis in order to process the data. But the problem is that the other options come with additional requirements.”

According to former acting national cyber director Kemba Walden, companies and government agencies would likely have to rely on contractual arrangements to try to preserve some of the protections lost with the law’s expiration.

“Information sharing and collaboration is key to achieving a secure and resilient digital infrastructure. It may take more effort now that CISA 2015 has lapsed, but enterprises will likely have to ensure legal protections through contractual arrangements,” she said. This slows the process down a bit, but “it’s what we’ve got” until Congress reauthorizes or extends the measure, Walden added.

While the Senate passed the short-term extension with seven Democrats and one Independent voting with Republicans, an end to the shutdown is not guaranteed. The Senate CR must still be approved by the House, which passed its own, separate short-term funding bill ahead of the shutdown that expires at the end of November. Some provisions in the Senate bill, including an agreement to vote on an extension of the lapsed Affordable Care Act (ACA) subsidies, have already been rejected by House Speaker Rep. Mike Johnson (R-LA), setting up a potential showdown between the chambers.

Even if the differences between the House and Senate CRs are ironed out, moreover, the proposed extension, including the cyber-information law, runs only through the end of January. If no long-term funding can be negotiated and passed by then the cyber protections could lapse again, barring separate legislation to renew them.