Guest: Megan Brown
Title: Partner at Wiley Rein
Summary: The Cybersecurity Information Sharing Act passed on a bipartisan basis a decade ago. But to get consensus, a lot of provisions got left behind. Now it's time to reauthorize, and with that comes the opportunity to modernize and fix the original provisions.
Interview transcript:
Terry Gerton: Megan, the Cybersecurity Information Sharing Act, which was passed in 2015, sunsets on September 30th of this year. Lots of authorizing legislation has lapsed and most of the practices that they authorize have continued on through appropriations. Why would or should this particular one be different?
Megan Brown: Well, CISA 2015, as I referred to it, has several key parts that the private sector relies on. And so its sunset would eliminate some of those key protections. And so I think there's a real interest in keeping this baseline going forward. Congress passed it 10 years ago. It might be a good time to look at what's worked and what didn't. But the law is important to a lot of key basic cybersecurity practices that happen right now.
Terry Gerton: So what are some of those practices and some of these protections?
Megan Brown: Yeah, so the legislation kind of has two main focuses. They wanted to encourage information sharing between the private sector and the government, CISA the agency, not CISA the law, and between the public sector, sort of company to company, industry to industry. And to do that, they created some protections for that. They took away some of the barriers that were in the law, that exist in sort of our baseline privacy and other statutes. And they authorized the sharing of cyber threat indicators, using and sharing defensive measures. And so the goal was to sort of give this incentive and this protective structure to the private sector to share either with other private companies or organizations or with the government.
Terry Gerton: So they'd be sharing things that they experienced, right? Threats that they experience or practices they put in place that made them more cyber secure.
Megan Brown: That was the goal, yes, get the threat indicators shared widely so people can understand what's happening and then share some of the steps that have worked to be protective.
Terry Gerton: But doesn't the data show that that kind of information sharing has really kind of faded since the institution of the statute?
Megan Brown: Well, I think you might be referring to the inspector general report that looked at the government-focused sharing, right? That's that other prong of private to government. And they found that, yeah, information sharing has dropped off. I don't think there have been studies on private to private. In my personal experience, there is robust information sharing between private companies.
Terry Gerton: And so the information sharing that you're worried about is between the government and the private sector. If that's fallen off, doesn't that open some cyber risk?
Megan Brown: Well, let me just clarify, I think since the statute protects both kinds of sharing, the reauthorization is necessary to keep a good thing going, which is the private to private, and perhaps look at how they can make the private-to-government information sharing more effective, more attractive to get more people to participate.
Terry Gerton: So that might be one of the things they'd want to take up when they consider the reauthorization of this bill. Are there other things that they might want to include there?
Megan Brown: I mean, lots of people have made suggestions about some of the areas that could be tweaked in the statute to make it broader, to encourage more information sharing. I have looked and worked with several of the definitions and I'm not going to bore your listeners with the definitions. But I think there are ways that those could be adjusted if there was the appetite for it.
Terry Gerton: Well, it seems like the cyber technology itself has changed so much in the last decade. There would be lots of places where coverage could be modernized, as you say, definitions could be updated, maybe even funding or engagement or back to the information sharing.
Megan Brown: Yeah, and I think there are ways you could broaden the kinds of behaviors that are protected in the law, right? The law is pretty good as it stands now. I think it's important. I don't think there are big problems with it. But in the definitions, they could be expanded a bit to just make it clear that more things can be shared, perhaps beyond cyber threat indicators as defined, maybe collaboration encouraged that is a little bit beyond what's currently authorized by the statute. But the baseline is pretty good in the definitions right now.
Terry Gerton: I'm speaking with Megan Brown. She's a partner at Wiley Rein. So I think what I hear you saying is, if the law wasn't reauthorized right away, it's still functional and still provides a good framework.
Megan Brown: No, I mean, if the law sunsets, the liability protections that are in there and the other authorizations will not continue to exist. And I think that's important and there really is interest in getting this reauthorized timely so there's not a gap.
Terry Gerton: How should private sector firms then prepare for what might be an extended limbo period?
Megan Brown: Well, they may need to look at the baseline authorizations that existed before CISA 2015, which were more complicated and didn't clearly allow some of this information sharing. But in the meantime, you're seeing activity in Congress, you are seeing folks up on the Hill explaining why this law is very important, explaining what may happen if it does sunset and if people are exposed to that risk from sharing, if it's not clearly protected, so I think you may see a retrenchment. So for companies that rely on the law, I would say, get up to Congress and explain why it's important that the law be reauthorized and in the meantime, take stock of the information sharing that you currently engage in and see what would be risky if the law went away.
Terry Gerton: So if a private sector firm does sort of have to retrench to that 2015 level, what capabilities would they be giving up? What risks might they be incurring?
Megan Brown: Well, it really comes down to a more complicated analysis of how the preexisting statutes, which remain (the Wiretap Act, the Stored Communications Act, etc.), would apply to the activities that the companies and the organizations want to do. And to be clear, a lot of the sharing that occurs is between these Information Sharing and Analysis Centers, these ISACs, that are set up to support critical infrastructure sectors. Most sectors have one, and CISA 2015, the law, protects some of the information sharing that happens in those settings. And I think that's why it's really important to keep this kind of protective bubble over that information sharing.
Terry Gerton: And what would this mean for CISA itself?
Megan Brown: That's a good question. I mean, CISA right now has some questions about sort of its mission. And Congress is looking at a lot of different things, including what role CISA might be able to play in harmonizing existing cybersecurity requirements. That's a big topic for policymakers right now. But I think if CISA gets reauthorized, this is 2015, I should say, the law, not the agency, CISA the agency can look at how to better encourage information sharing, how to make that value proposition more obvious, how to share out. A big criticism of the government side of the sharing is that it's unidirectional. Government takes in, but isn't giving out as much. So those would all be things that CISA the agency could look at, and how to better use the tools that are in this law.
Terry Gerton: So they could be engaging with the private sector right now to be having these kinds of conversations about what if, right? What if it doesn't get reauthorized? What if the protections change in a new authorization?
Megan Brown: And I believe they are. And I think there are some really good folks within CISA that are very mission focused on the critical infrastructure security mission, sort of the vulnerability programs, some of the partnership issues. So I think those conversations certainly can happen and are happening.
Terry Gerton: So September is only about six months away and Congress sort of has a full plate dealing with budgetary issues. What are you hearing on the Hill? Is there interest in moving this forward in a timely reauthorization?
Megan Brown: I think so. Everyone seems to understand this is a very important thing. This foundational cyber legislation, 10 years out, seems to be working, maybe could be better, but at a minimum needs to go forward. And I think you're hearing a wide cross-section of private organizations telling the government that, telling Congress, and that is very well received in many parts of Congress.
Terry Gerton: So the window is now to be talking with members on the Hill?
Megan Brown: And I understand they are hearing loud and clear from lots of folks. But yes, the window is now.
The Federal Drive with Terry Gerton provides expert insights on current events in the federal community. Read more interviews to keep up with daily news and analysis that affect the federal workforce. Reach out to Terry and the Federal Drive producers with feedback and story ideas at FederalDrive@federalnewsnetwork.com.