Cyber threat information is now being shared more extensively between the public and private sectors as a result of the newly passed bill.
In the rapidly evolving landscape of cyber threats, U.S. Senators Gary Peters (D-MI) and Mike Rounds (R-SD) have introduced a bipartisan bill, the Cybersecurity Information Sharing Extension Act, to strengthen the partnership between the private sector and the government in the fight against cybercrime.
The original Cybersecurity Information Sharing Act of 2015, a significant step forward in cybersecurity legislation, encouraged businesses to share information about ongoing cybersecurity threats with the federal government. This new bill aims to extend provisions of the 2015 act, which is due to expire in September, to ensure continued collaboration and protection.
Chad Cragle, a renowned cybersecurity expert, has praised the original act, stating that it has been one of the few legislative tools that have moved the needle in real-world cybersecurity. However, he emphasizes the need for the new act to be adapted to how the threat landscape has evolved since the 2015 act was drafted. This includes addressing changes in supply chain realities, considering today's privacy expectations, and taking operational complexity into account.
The proposed extension act primarily aims to enhance cyber threat sharing between the federal government and private sector entities to improve collective cybersecurity defenses. It mandates that the Department of Homeland Security (DHS) maintain an operational sharing system that provides liability protections for private companies sharing cyber threat information, encouraging wider participation without fear of legal repercussions.
The extension of this law is crucial for preserving and strengthening the legal framework that encourages and protects this critical information sharing. Without the extension, organizations might fear legal exposure or loss of confidentiality protections, reducing their willingness to share intelligence. Extension also provides more time for the government to explore legal and policy measures to further limit liability exposure, especially relating to state laws, thus promoting a more robust and multi-directional sharing environment.
The collaboration between the government and private sector supported by this act has proven beneficial in investigations of major cybersecurity incidents, such as the SolarWinds supply chain attack. By centralizing threat data and validating it to remove benign information and victim-identifying details, the act helps create actionable intelligence that benefits both government and industry partners. This collaboration supports improved detection, mitigation, and resilience to cyberattacks, which are increasingly sophisticated and cross-sectoral.
The new act should not be a "rubber stamp" that doesn't add anything new to the legislation, according to Cragle. Instead, it should be crafted to address the changes in the threat landscape since the 2015 act was drafted, while preserving its core strength and adapting to supply chain realities and operational complexity.
Casey Ellis, founder of crowdsourced cybersecurity firm Bugcrowd, echoes Cragle's sentiments, stating that cybersecurity is a team sport, and the Cybersecurity Information Sharing Act provides a safe framework for information sharing. Sen. Gary Peters emphasizes the value of information sharing for national security in the current cybersecurity climate, while Sen. Mike Rounds warns that letting the Cybersecurity Information Sharing Act of 2015 lapse would weaken the cybersecurity ecosystem.
In conclusion, the Cybersecurity Information Sharing Extension Act is a vital piece of legislation that fosters cooperation and trust between the private sector and government, enabling faster and more comprehensive cyber threat responses. Its extension is important to preserve these benefits and enhance legal protections that support ongoing information sharing efforts, as the fight against cybercrime continues to evolve.
[1] The bill also extends protections to state, local, tribal, and territorial entities, exempting shared information from certain disclosure laws to protect privacy.
[2] The law provides legal protections for companies that share cybersecurity threat indicators with the Department of Homeland Security (DHS), including federal antitrust exemptions and protection from state and federal disclosure laws.
[3] The new act should be designed to adapt to what has changed since the 2015 act was drafted, as observed by Cragle.
[4] The Cybersecurity Information Sharing Act underpins public/private partnership sharing that powers U.S.-based ISACs.
[5] The law supports Information Sharing and Analysis Centers (ISACs), member-driven organizations that collaborate on threat information sharing to help critical infrastructure owners and operators protect their facilities.
- The Cybersecurity Information Sharing Extension Act not only strengthens the partnership between the government and private sector in the fight against cybercrime, but also extends protections to state, local, tribal, and territorial entities, exempting shared information from certain disclosure laws to protect privacy.
- The law provides legal protections for companies that share cybersecurity threat indicators with the Department of Homeland Security (DHS), including federal antitrust exemptions and protection from state and federal disclosure laws.
- Chad Cragle, a cybersecurity expert, stresses the need for the new bill to be adapted to how the threat landscape has evolved since the 2015 Act was drafted, addressing changes in supply chain realities, considering today's privacy expectations, and taking operational complexity into account.
- The Cybersecurity Information Sharing Act underpins public/private partnership sharing that powers U.S.-based ISACs, member-driven organizations that collaborate on threat information sharing to help critical infrastructure owners and operators protect their facilities.
- As the cyber threat landscape continually evolves, the extension of the Cybersecurity Information Sharing Act is crucial for preserving and strengthening the legal framework that encourages and protects this critical information sharing, enhancing collective cybersecurity defenses.