Cyber threat information-sharing slows as lawyers get involved

Illustration: Aïda Amer/Axios
Companies are slowing down the rate at which they share threat intelligence with the federal government after a lapse in key liability protections.
Why it matters: Companies aren't doing this by choice. Since decade-old protections expired two weeks ago, business leaders have been involving their legal teams more in discussions about sharing threat intelligence, slowing down the process, industry sources tell Axios.
Catch up quick: Protections in the Cybersecurity Information Sharing Act of 2015 ran through Sept. 30 — right as the government shut down after Congress failed to pass a short-term funding deal.
- While the House passed its own bill reauthorizing the program, Senate Homeland Security Committee Chair Rand Paul (R-Ky.) pushed for massive last-minute changes to the program that slowed down negotiations.
The big picture: When the protections were in place, companies tended to make their legal teams generally aware they were engaging in information sharing, but they would not consult them before sharing every single piece of intelligence.
- Now that's changed as companies get more nervous about what legal pushback they could face if they share information that exposes any flaws or potential fault for a cyberattack.
Zoom in: "The lapse of the Cybersecurity Information Sharing Act of 2015 has reinserted lawyers into the conversation, which is going to slow down information sharing," Henry Young, senior director of policy at the Business Software Alliance, told Axios.
- Some major companies, including CrowdStrike and Halcyon, promised to keep sharing threat intelligence quickly even after the law expired, Politico reports.
- But another industry source — who asked for anonymity to protect the organizations they work with — told Axios that cyber lawyers are getting inundated with questions about information sharing and that the level of sharing varies across large and small companies.
Threat level: The vast majority of U.S. critical infrastructure is privately owned — meaning federal cyber investigators have to lean heavily on their private sector partners to understand active threats on digital networks.
- "Without these protections in place, we are in an incredibly vulnerable position," Sen. Gary Peters (D-Mich.), ranking member of the Homeland Security Committee, told reporters last week. "I believe that our national and economic security are at risk for as long as these safeguards are not available."
What to watch: Peters introduced a bill Thursday that would reauthorize the information-sharing protections for another decade, rename the program to avoid overlap with the DHS agency that shares the same acronym, and retroactively protect companies that shared information during the lapse period.
- Majority Leader Sen. John Thune (R-S.D.) could choose to bring the bill, co-sponsored by fellow South Dakota Republican Mike Rounds, to the floor without Paul's support.
- "We are in a much better position than we were a week ago because there is now a path," Young said, but he noted it still isn't a "clean" one.
Yes, but: A source familiar with ongoing reauthorization negotiations told Axios that a clean, 10-year extension is a "non-starter in the House."
- Instead, House lawmakers would rather push for a one- or two-year extension to provide additional time to review potential changes to the authorities.
