BankThink

Congress has let banks' access to a key cyber defense tool lapse

The failure to reauthorize protections for information exchange under the Cybersecurity Information Sharing Act has created a dangerous gap in our protection against cyber criminals and hostile state actors, writes Pat Warren, of the Bank Policy Institute.

Ten years ago, Congress enacted the Cybersecurity Information Sharing Act to help fortify our collective cyber defenses by enabling and incentivizing cyber threat information sharing between the government and critical infrastructure companies, including banks. Because these protections were not renewed before they expired on Sept. 30, cyber defenders are missing a critical weapon from their arsenal. These front-line responders must now confront sophisticated cyber adversaries without a key resource to better understand the tactics and techniques used to attack critical infrastructure and the sensitive data maintained by those entities. We know from recent incidents like the Salt Typhoon campaign that nation-state actors are embedding themselves in our critical infrastructure to serve broader geopolitical aims.

The voluntary and confidential information-sharing framework that this law established removes legal barriers to safe threat communications and provides vital protections and privacy guardrails preventing the use of data for other purposes. For instance, it preserves attorney-client privilege, bars cyber threat information shared under the law from use in regulatory enforcement actions and exempts the same information from public disclosure under the Freedom of Information Act. Importantly, the law also facilitates company-to-company information sharing through its antitrust exemption, which has fostered the ability of firms to share sensitive information that is useful in preventing attacks.

The authorities codified by this law have become essential to the underlying fabric of public-private collaboration to combat emerging cyber and national security threats. The private sector and government have enjoyed previously unavailable lines of communication that increase the speed and capacity by which they can respond to significant cyber incidents. The demonstrated value of these structures led lawmakers to incorporate these statutory provisions by reference in other key cybersecurity laws, including the Cyber Incident Reporting for Critical Infrastructure Act.

When Congress initially took up the CISA legislation, privacy concerns were primarily responsible for any objections to its eventual enactment. Nevertheless, the evidence suggests that the privacy and confidentiality requirements articulated in the law have worked as intended. A recent DHS Inspector General report noted the law had no adverse privacy effects and there have been no documented privacy violations since the law's passage a decade ago.


Given those benefits, it is no surprise that renewing these protections has drawn support from the vast majority of policymakers and the private sector. There is near-universal support from industry, including the financial sector. The reauthorization effort also enjoys broad support from the Trump administration. DHS Secretary Kristi Noem and National Cyber Director Sean Cairncross have both publicly affirmed the importance of these information-sharing protections and the need for Congress to preserve them.

All this support notwithstanding, and despite the best efforts of several lawmakers including House Homeland Security Chairman Garbarino, Cybersecurity Subcommittee Ranking Member Swalwell, Senator Peters and Senator Rounds, Congress was unable to get a reauthorization bill across the finish line. So where does this leave us?

We can say with confidence that sophisticated nation-state and cybercriminal attacks are unlikely to subside anytime soon, but we are now less well-positioned to combat them. Time is a critical factor in the incident response process, and the loss of these protections will slow the speed at which private sector companies can close cyber vulnerabilities. Companies will have to decide for themselves what their tolerance is for any legal exposure created by sharing cyber threat information in the absence of these protections. Nevertheless, a general chilling effect on this critical information exchange seems likely, a win for those interested in degrading U.S. economic and national security. It is our sincere hope that Congress recognizes the urgency of this situation and moves to reauthorize the Cybersecurity Information Sharing Act in short order.
