A coalition of trade associations, including five that represent banks, is calling on Congress to protect companies' rights to share cyber threat information.
The groups recently sent a letter to congressional leaders requesting the reauthorization of 2015 legislation that enables voluntary information sharing about cybersecurity threats between government agencies, companies and other U.S. entities.
The Cybersecurity Information Sharing Act, or CISA, of 2015, set to expire on Sept. 30, encourages public and private sector entities to voluntarily share cyber threat information by indemnifying companies wishing to share such information with other companies or with U.S. agencies including the Department of Homeland Security, or DHS; the Department of the Treasury; and the director of national intelligence, who oversees the 18 federal intelligence agencies.
The act became law in 2015 as part of an omnibus spending bill. Its reauthorization by the September deadline is far from a foregone conclusion; as part of the efforts by President Donald Trump and Elon Musk, head of the Department of Government Efficiency, the administration has downsized many federal functions, and cybersecurity has been no exception.
Most recently, as part of the termination of a number of advisory committees, the administration eliminated the Critical Infrastructure Partnership Advisory Council. The council, housed within DHS, facilitated "interaction between governmental entities and representatives from the community of critical infrastructure owners and operators,"
That DHS agency shares the CISA acronym with the information sharing act. The agency helps implement the law, but it was established by a separate act and conducts other activities authorized by other laws, so it would continue to operate if the act is not reauthorized.
In their letter advocating for the reauthorization of CISA, sent to the minority and majority leaders of both chambers of Congress, the trade groups highlighted the critical role the act has played in protecting the government and private sector. The letter pointed out that CISA became law following the 2015 breach of the Office of Personnel Management, which involved the theft of security clearance records by an advanced threat actor based in China.
Financial trade groups representing a large portion of the sector signed on to the letter, including the Bank Policy Institute, which mainly represents larger banks; the Independent Community Bankers of America, which represents community banks; and the American Bankers Association, which represents banks of all sizes.
The Securities Industry and Financial Markets Association and the Institute of International Bankers, both of which also represent banks, signed on to the letter as well, as did seven other associations representing electrical utilities and other sectors.
The letter emphasized the increasing sophistication and severity of cyber threats, citing recent attacks by nation-state hackers against U.S. critical infrastructure, particularly telecommunications systems. Federal agencies have also been targeted, as seen in the BeyondTrust breach affecting the Treasury Department in 2024 and the 2020 incident involving SolarWinds, Microsoft and VMware.
These events underscore the "imperative of continuing to support both private-public information sharing and collaboration as well as providing the legal clarity that companies currently count on to share cyber threat information with other companies and across sectors," the trade groups argued in the letter.
In the decade since its passage, CISA has "meaningfully improved the capacity and speed with which we can respond to large-scale cyber incidents while establishing clear expectations for privacy and confidentiality," the groups said in the letter. They specifically pointed to the law's role in "building the structures used by private sector cyber defenders to inform government partners of ongoing cyber threats from malicious actors."
Crucially, the letter underscored the importance of the law's liability protections and antitrust exemption, which have facilitated cyber information sharing between private companies.
Cybersecurity professionals who defend the private sector, including those in
The provisions of CISA have been incorporated by reference to other significant cyber laws like the Cyber Incident Reporting for Critical Infrastructure Act, or CIRCIA, making their reauthorization all the more critical, the groups argued.
The groups conclude by expressing their commitment to working with Congress to "preserve these key national security authorities" and warn that the expiration of these protections "risks creating a chilling effect on this critical information exchange — leaving us all more vulnerable to nation-state attacks and cybercriminals moving forward."
Before the law's passage, critics of CISA argued that it sought to advance cybersecurity and national security at the expense of users' privacy. For example, the center-right think tank R Street Institute opposed the legislation in 2015 on the grounds that it was overly broad and used ill-defined language.
"In effect, the bill aims to sidestep search warrants and other pesky due-process limitations on government by giving technology companies a motive to 'share' what it calls 'cyber threat indicators' to the Department of Homeland Security," argued Mike Godwin, who at the time was a distinguished senior fellow at R Street, in
Others have criticized the act from the opposite flank, by saying the definition of shareable intelligence ought to be expanded. For example, Bert Lathrop, an attorney for law firm Holland & Knight, argued in a 2020 article for the law journal of the University of California at San Francisco that Congress should amend CISA to authorize private companies to share raw observational data among themselves rather than just cyber threat intelligence and defensive measures.
Raw observational data is the trace evidence of activity on an organization's systems and networks, without any judgment of risk or attribution. Threat intelligence is the result of detailed analysis of this data, sufficient to support a judgment about potential risks or threats. Defensive measures are the details of how to defend against a particular threat.
Allowing private entities to share more raw cybersecurity data — rather than just defensive measures and threat intelligence — would enable them to train AI models on larger amounts of data that can more effectively identify and differentiate cyber threats, according to Lathrop.
Allowing private companies to share this data "would be tantamount to shining bright lights on all the footsteps in the snow left at or near all the castle defense systems of those choosing to share [raw data], thus allowing cyber-analysts to observe the movements of would-be cyber-criminals as they perform pre-attack surveillance," Lathrop