Two federal lawmakers introduced a bipartisan bill on Wednesday that preserves key regulation that facilitates the sharing of cyber-threat data between private companies and the federal government.
The Cybersecurity Information Sharing Extension Act, introduced by U.S. Sens. Gary Peters (D-MI) and Mike Rounds (R-SD), would extend provisions of the Cybersecurity Information Sharing Act of 2015, which is due to expire in September.
The law encourages businesses to share information about ongoing cybersecurity threats with the federal government and is one of few legislative actions that has actually had an impact on real-world cybersecurity, security experts said.
Specifically, the Cybersecurity Information Sharing Act of 2015 gives incentives to companies to voluntarily share cybersecurity threat indicators, such as software vulnerabilities, malware or malicious IP addresses, with the Department of Homeland Security (DHS).
The law does this by providing legal protections for companies that do so by providing federal antitrust exemptions and precluding them from being held accountable for state and federal disclosure laws.
“From a defender’s standpoint, the Cybersecurity Information Sharing Act has been one of the few legislative tools that truly moved the needle,” Chad Cragle, CISO at cybersecurity resilience technology firm Deepwatch, told Cybersecurity Dive via email. “It gave the industry the legal clarity to share threat intel quickly, directly and without second-guessing the lawyers.”
Indeed, the law has been instrumental in investigations of major cybersecurity incidents, including the widespread SolarWinds supply chain attack, which affected both government agencies and private sector companies such as Microsoft. The law also provides support for Information Sharing and Analysis Centers (ISACs), member-driven organizations that collaborate on threat info-sharing to help critical infrastructure owners and operators protect their facilities.
“Cybersecurity is a team sport, and the truth of this idea is only becoming more obvious in a progressively more hostile global environment,” said Casey Ellis, founder of crowdsourced cybersecurity firm Bugcrowd. “The Cybersecurity Information Sharing Act provides a safe framework for information sharing, and underpins both public/private partnership sharing that powers U.S.-based ISACs.”
Strong case for extending the law
In separate statements, both senators also stressed the importance of maintaining the act’s protections, particularly in the current cybersecurity climate, where both the public and private sectors face constant security threats from both state-sponsored bad actors and others.
“As cybersecurity threats grow increasingly sophisticated, information sharing is not just valuable — it remains essential for our national security,” said Sen. Peters.
Meanwhile, Sen. Rounds said that allowing the Cybersecurity Information Sharing Act of 2015 to lapse “would significantly weaken our cybersecurity ecosystem,” especially as the act “has been instrumental in strengthening our nation’s cyber defenses.”
At the same time, however, the new act should be crafted to take into consideration the evolution of the threat landscape since the 2015 act was drafted and not just be a “rubber stamp” that doesn’t add anything new to the legislation, Cragle noted.
“This is an opportunity to fine-tune the law, preserving its core strength while ensuring it reflects today’s privacy expectations, supply chain realities, and operational complexity,” he said. “Getting this right means building on what works while adapting to what has changed.”
