Inside Cybersecurity

Stakeholders identify potential vehicles for CISA 2015 reauthorization, detail concerns over timing

By Sara Friedman / May 21, 2025

Facing a Sept. 30 deadline, business and IT stakeholders see an appropriations package or a continuing resolution for the next fiscal year as the best candidate to get a reauthorization of the Cybersecurity Information Sharing Act of 2015, as work continues to reach agreement in a compressed time frame.

“We are quickly running out of time with the congressional calendar,” Business Roundtable’s Amy Shuart said in a May 20 webinar. Shuart said there will be “some floor action” in July on bills followed by an August recess and then lawmakers come back in September.

Shuart said, “This thing expires at the end of September so you are really talking about something that probably needs to catch a ride. Given that the way Senate rules work, you either need to have floor time for a bill to be considered or have a unanimous consent to get it passed.”

“The only other option is to catch a ride,” Shuart said, referring to the appropriations bill or the CR, “whatever happens there at the end of September as a really good candidate.”

There have also been some discussions on getting the reauthorization into the fiscal 2026 National Defense Authorization Act, according to Shuart, but she cautioned that the major defense policy bill is unlikely to be “wrapped up until December because it tends to be an end of the year exercise.”

“This could very well be a situation where there is a CR at the end of September, we get a short-term reauthorization and then we need to catch another ride to get it a little longer,” Shuart said.

She told webinar attendees, “So for folks who are following this, buckle up because it is certainly going to be something that has several steps along the way.”

Shuart, vice president of technology and innovation at Business Roundtable, participated in a webinar hosted by the Cyber Threat Alliance on the reauthorization of CISA 2015.

She was joined by Mike Flynn, vice president and counsel of government affairs at the Information Technology Industry Council; Ari Schwartz, managing director of cybersecurity services at Venable; former Acting National Cyber Director Kemba Walden; and moderator Michael Daniel, president and CEO of CTA.

Walden was working at the Department of Homeland Security when CISA 2015 was passed and is now president of Paladin Global Institute, while Daniel was White House cyber coordinator and Schwartz had just moved to the private sector after time working on cyber issues at the National Security Council under former President Obama.

Flynn called CISA 2015 a “cornerstone statute upon which so many cybersecurity programs and practices and organizations are reliant.” He said, “So if you remove that you are creating a great deal of uncertainty in this space, really upending how cybersecurity is done in the modern era as compared to 2010.”

“That message is being received by Congress. There is, because it’s Congress, a desire to revisit, to update and to change, to put their own stamp on this issue [and] certainly fair play to them,” Flynn said.

Flynn said industry partners have been urging lawmakers to make sure CISA 2015 doesn’t lapse and “raise the stakes” to help understand why it is important.

Flynn added that the “terminology could be updated to be more specific.” He said there could be “a two-track legislative approach where there is some kind of short-term extension of these authorities, of these liability protections and then a more wholesome conversation over the next two years or so” on potential “improvements to the law.”

Flynn and Shuart weighed in on the path for the bill to go through the committee process and potential hurdles.

Flynn noted that CISA 2015 went through the House and Senate Intelligence committees, but Senate leadership has decided that the reauthorization will go through the chamber’s Homeland Security Committee.

Flynn said he expects the CISA 2015 reauthorization will also go through the House Homeland panel. However, he said that designation doesn’t mean that the bill couldn’t run “on other vehicles” if it is put in the jurisdiction of the homeland security committees.

In the House, Shuart said the reauthorization could have a secondary referral to House Intelligence and other committees could weigh in even if they don’t have a referral to try to “preserve their jurisdiction” moving forward.

Shuart said the chair and ranking member of the committees of jurisdiction will have “a lot of important sway here” because they are the ones House and Senate leadership will look to in deciding whether it is OK for the reauthorization to “hitch a ride” on another legislative vehicle.

Potential changes

Walden left DHS in 2019 to join Microsoft before coming back to government in 2022 at the Office of the National Cyber Director.

“As a lawyer implementing once I came out of government,” Walden said, “those carefully defined terms” in CISA 2015 for “‘cyber threat indicators’ and ‘defense measures’ were specific but at the same time they were general. They were too amorphous to explain to the client what they can and can’t do.”

Walden also pointed to CISA 2015’s definition for “cybersecurity purpose” as too general.

The next version of CISA 2015 “would have to do something about the definitions in order to make it more crisp about what entities can and can’t do, keeping in mind that this is a positive law authorizing private sector entities to share with each other,” Walden said.

Venable’s Schwartz reflected on the name of the law, CISA 2015, which was passed before Congress created the Cybersecurity and Infrastructure Security Agency in 2018.

Schwartz explained, “When I heard the name of the agency was going to be CISA, I said in 2025 we are going to have a major problem by the fact that this agency has the same name as the information sharing law. I take this extremely seriously, it was a huge mistake to make and we should have known it at the time.”

“And now we are paying the consequences for it which is people do not like the agency and they are going to take it out on this law which has almost nothing to do with the agency,” Schwartz said. The law is focused on information sharing with the Department of Homeland Security.

If CISA “went away,” Schwartz said the info-sharing law could still exist with “some slight changes to it.” He added, “If the law went away CISA has a problem, the agency has a problem so I do think the naming actually does matter and it did from the beginning.”

Walden said she also didn’t like naming the agency CISA and the name of its predecessor, the National Protection and Programs Directorate.

Schwartz and Walden backed a clean authorization of CISA 2015 and then revisiting certain areas like cyber fraud.

Walden suggested finding a way to address identifying, defining and sharing information related to cyber fraud, while Schwartz suggested using CISA 2015 to “kick off a discussion” on cyber fraud and supply chain issues as part of long-term conversations. -- Sara Friedman (sfriedman@iwpnews.com)