Legal professionals are working to help clients navigate the lapse of a longstanding cybersecurity information-sharing law that gave companies various forms of legal cover when they transmitted cyber threat data to the government.
The Cybersecurity Information Sharing Act of 2015 lapsed when the government shut down at midnight. Federal funding for a state and local cybersecurity grant program also suffered at the time of the shutdown.
The 2015 law’s expiration now opens the door wider for adversaries, as it disincentivizes the exchange of information that can help stop hacking threats, experts say. Public and private sector entities would also have to rework their current approaches to keep data exchanges afloat.
With the lapse, federal and non-federal entities will likely enter into contractual arrangements to preserve some of the legal protections provided in the law, Kemba Walden, the former acting national cyber director, told Nextgov/FCW.
“Information sharing and collaboration is key to achieving a secure and resilient digital infrastructure. It may take more effort now that CISA 2015 has lapsed, but enterprises will likely have to ensure legal protections through contractual arrangements,” she said. This slows the process down a bit, but “it’s what we’ve got” until Congress reauthorizes or extends the measure, Walden added.
A media statement provided by the Cybersecurity and Infrastructure Security Agency said the lapse of the information-sharing law deals “a serious blow” to U.S. cyberdefenses.
Legal exemptions were made a core feature of the 2015 regulation because cyber threat information often contains sensitive data about victims and companies. To help agencies like the FBI track nation-state cyber threats and criminal hackers, those datasets often need to be shared with government analysts.
Sofia Herrera, managing attorney at boutique cyber law firm Omnian Legal, has been taking several last-minute calls with clients amid the lapse. She’s especially concerned about the downstream effects on managed service providers and security operations centers, which serve as major exchange points in the cyber data-sharing ecosystem.
Any work that has been done in the past ten years should be reviewed to see if there are any additional contractual provisions that need to be put into current data-sharing agreements, she said. Herrera also expects lawsuits to arise now that certain legal guardrails have been lifted.
“You needed to have a lawful basis to process data like this in the United States, and CISA 2015 provided that lawful basis,” she told Nextgov/FCW. “Now, with it gone, companies need to find another lawful basis in order to process the data. But the problem is that the other options come with additional requirements.”
A Venable LLP blog posted on Monday said companies should carefully review information-sharing practices by ensuring agreements protect sensitive data and by establishing internal legal reviews before sharing threat data with the government, to avoid risks under transparency laws like the Freedom of Information Act.
Cynthia Kaiser, senior vice president of the ransomware research center at Halcyon, said her company intends to continue standard information-sharing in good faith anticipation of the law being renewed.
“As a new solution is formalized, information sharing needs to continue to be a top priority across the private sector,” said Kaiser, a former deputy assistant director in the FBI’s Cyber Division. “Our hope is that a renewal of CISA 2015 — whether or not the name of the statute stays the same — will be part of a bill to reopen the federal government.”

