Congress puts up last-minute roadblocks for cyber threat info-sharing

Illustration: Sarah Grillo/Axios
All eyes are on the government's short-term federal funding deal as efforts to renew a decade-old cyber threat information-sharing program have hit major roadblocks.
Why it matters: The law underpins cyber threat coordination between the federal government and the private sector by providing liability protections for companies sharing threat intelligence with the government.
- Lawmakers and cybersecurity companies fear a last-minute legislative push to completely overhaul the program will delay reauthorization and cause it to expire on Sept. 30.
Driving the news: Senate Homeland Security Chair Rand Paul (R-Ky.) is drafting a bill that would renew the Cybersecurity Information Sharing Act of 2015 for two years. The bill is slated for consideration in the committee on Thursday.
- According to draft language first reported by Politico and also obtained by Axios, the bill would remove liability protections for companies if their security incidents are found to have violated their own user agreements and privacy policies.
- The draft also removes the explicit protections that exempt shared threat intelligence from FOIA laws.
- Companies would also be required to notify customers within 30 days if their personal data was included in these shared threat indicators.
State of play: With exactly two weeks until the law expires, Paul has yet to formally introduce his bill. His office did not respond to a request for comment.
Zoom in: Industry stakeholders are in an uproar over the last-minute changes — especially after House Republicans and a bipartisan pair of senators already introduced bills that would renew the program with few changes.
- Paul's "edits just show a complete misunderstanding of the basic principle of information sharing," one industry source, who requested anonymity to speak freely about their complaints, told Axios.
- Another industry source, granted anonymity for similar reasons, told Axios that Paul's office had yet to show Senate Republican leadership, or other committee members, a full bill as of last week.
- Senate Majority Leader John Thune's office did not respond to a request for comment.
The big picture: Industry stakeholders and many lawmakers were pushing for a clean reauthorization of the program.
- Their argument is that the government has limited visibility into private networks on its own, and companies are reluctant to share details about what hackers are targeting if they face potential lawsuits or regulatory investigations.
- Nick Andersen, the new top cyber official at the Cybersecurity and Infrastructure Security Agency (CISA), called the program a "fantastic authority" that underpins the agency's ability to collect threat intelligence from the private sector in remarks Thursday at the Billington CyberSecurity Summit in D.C.
Between the lines: Paul has been highly critical of the agency and even called for its elimination last year.
- The two industry sources told Axios they believe the senator's draft seems to be about his concerns with the agency — not the information-sharing law that shares the same acronym.
The intrigue: The draft, which is believed to be just part of a longer bill, includes sections that also look to rein in the Department of Homeland Security's foreign disinformation work. It calls for:
- Banning federal employees from taking "any action" to censor protected speech, including by labeling it disinformation or false.
- Officially terminating the Disinformation Governance Board, a Biden-era DHS entity that was short-lived and much-loathed by Republicans.
- Banning agencies from awarding grants "related to programming on misinformation or disinformation."
What they're saying: House Homeland Security Chair Andrew Garbarino (R-N.Y.) said in a statement that the "voluntary exchange of information between the private and public sectors under CISA 2015 has been successful largely due to the liability, privacy, and civil liberties protections this statute provides."
- Sen. Gary Peters (D-Mich.), ranking member of the homeland security committee, criticized Paul's revisions, saying the law "has a proven track record of success from the last 10 years, and if it's allowed to expire, we will lose a cornerstone of national cybersecurity strategy that will leave us vulnerable to security breaches."
- An aide in the Senate Homeland Security Committee said Peters is continuing to talk with Paul to get a bipartisan, bicameral agreement.
What to watch: The White House has included a clean reauthorization of the program in the upcoming short-term federal funding deal.
- The hitch: Many lawmakers are calling for a "clean" deal, and it's unclear if anomalies like reauthorizing the CISA program will qualify for inclusion.
Go deeper: House GOP releases stopgap bill to fund government through Nov. 20
