


Government funding wasn’t the only thing to lapse on Wednesday — the Cybersecurity Information Act of 2015 also expired, leaving a gaping hole in a pillar of U.S. cyber defense.
Ironically, as the U.S. marked the first day of National Cybersecurity Month, this failure was already weakening the U.S. cyber posture and eroding 10 years of productive partnership between the private and public sectors. Worst of all, it sent a signal to malicious actors that the U.S. is distracted and vulnerable, encouraging adversarial cyber threat actors — including Chinese-backed entities — to ramp up their efforts to hack U.S. networks.
The Cybersecurity Information Act of 2015 — not to be confused with the similarly named federal agency within the Department of Homeland Security — is a foundational cybersecurity law that promotes and incentivizes real-time sharing of cybersecurity threat information among private entities, between private entities and governments at all levels, and between governments.
This multi-directional sharing is enabled by critical liability protections, which let entities share information faster without concern about whether they may face litigation. In cybersecurity, nobody has all the answers, which makes this information-sharing function essential to putting the whole picture together and properly addressing the situation.
Without the Cybersecurity Information Act’s liability protections, private sector organizations now face legal uncertainty, which could cause hesitation in reporting cyber threats. Concerns over potential conflicts with laws such as the Computer Fraud and Abuse Act or the Stored Communications Act, as well as antitrust and privacy law violations, threaten to slow cyber threat detection and reduce information flows.
Since its enactment, the Cybersecurity Information Act has been the catalyst for advancing cybersecurity information-sharing efforts, such as those within the Information Sharing Analysis Centers, which are grouped by industry sectors such as electricity, health care, oil and natural energy, and water. Information Sharing Analysis Centers support critical infrastructure sectors by sharing threat information to increase situational awareness, incident reporting and response.
Despite repeated efforts to reauthorize this critical statute, the lapse occurred in the midst of escalating cyberattacks. Recently, the FBI issued a warning on several Chinese cyber hacking operations, including Salt Typhoon, that are increasingly attempting to breach global networks to gain access to sensitive government communications, personal data and intellectual property.
Salt Typhoon and other Advanced Persistent Threat actors exploit network vulnerabilities and install malware to gain indefinite access to critical systems. Once inside, they can monitor and exfiltrate sensitive information — like operational data and classified government documents — then use that intelligence to influence political processes and expose national vulnerabilities. Due to the lapse of the Cybersecurity Information Act, the U.S. has even less ability to respond to, coordinate, and mitigate the impacts of these nefarious attacks, effectively opening the door for bad actors to access American networks and steal sensitive data.
The act has served as a reliable framework for the private sector to share and receive real-time cyber threat information with and from the federal government for over a decade. Before this framework existed, the private sector had no trusted way of sharing cyber threat information at scale without risking liability or exposing sensitive information.
In the years since its implementation, the act has become a bedrock of modern U.S. cybersecurity, allowing non-federal entities, including businesses, tribal governments and local, state and federal agencies, to securely report cyber threats, and to leverage the widespread dissemination of this information for detection and threat mitigation.
The Cybersecurity Information Act enables faster information sharing, which leads to quicker response to and remediation of cybersecurity attacks. The U.S. government at all levels, critical infrastructure entities, and American industries need a reauthorization that extends the act for another decade to continue real-time information sharing between the private and public sectors and bolster cybersecurity defenses.
Without reauthorization, cybersecurity stakeholders will face uncertainty and questions about whether they can continue to share and benefit from the cyber threat information sharing spurred by the Cybersecurity Information Act.
Chinese-backed cyberattacks are ongoing and continue to escalate. U.S. industries need certainty and can’t risk any gaps in critical protections. While Congress works to pass a funding bill and reopen the government, it must also act quickly to cement a long-term legislative solution to restore U.S. cyber information-sharing protections.
Jason Oxman is president and chief executive officer of the Information Technology Industry Council, the global trade association for the tech sector, representing the world’s most innovative companies.