The Cybersecurity Information Sharing Act of 2015 (CISA 2015) expired at 12:01 a.m. on the morning of October 1.
CISA 2015 set up policies and procedures for the voluntary sharing of cybersecurity threat information between and among the federal government and private entities (the definition of which includes public power utilities) and provides limited liability and antitrust protection for these activities.
APPA strongly supported the enactment of CISA 2015 and supports a clean, long-term reauthorization of CISA 2015.
APPA on Sept. 4 joined a number of other trade associations in sending a letter to House and Senate leaders urging quick action to reauthorize CISA 2015 and the important authorities it includes before the September 30 expiration date. It also signed on to a Sept. 24 coalition letter in support of reauthorization.
While reauthorization of CISA 2015 had broad, bipartisan support in the House and the Senate, Senate Homeland Security & Government Affairs Committee (HSGAC) Chairman Rand Paul (R-KY) was – and continues to be – against a clean, long-term reauthorization, APPA noted.
Paul recently floated a draft bill to reauthorize CISA 2015 for two years with several significant changes – including removing Freedom of Information Act protections for information shared with the government (a key pillar of the legislation), removing federal preemption, and changing key definitions like those of cyber threat indicators and defensive measures.
Paul’s draft bill would have also added a new section restricting the federal government from censoring speech in an effort to counter misinformation.
Earlier this year, Senate HSGAC Ranking Member Gary Peters (D-MI) and Senate Armed Services Committee Chairman Mike Rounds (R-SD) introduced a bill (S. 1337) to extend CISA 2015 for an additional 10 years.
On September 3, the House Homeland Security Committee approved H.R. 5079, the Widespread Information Management for the Welfare of Infrastructure and Government Act, to reauthorize CISA 2015 for an additional 10 years. Sponsored by House Homeland Security Committee Chairman Andrew Garbarino (R-NY), the bill included some minor changes to the underlying text of CISA 2015 and was approved unanimously by the committee.
The North American Electric Reliability Corporation informed APPA earlier this year that the expiration of CISA 2015 does impact information shared with the E-ISAC and through CRISP.
Moreover, many states have laws in place to protect cybersecurity threat information shared by and among public power utilities.
That said, APPA said it continues to strongly support reauthorization of CISA 2015 as an additional layer of federal protection to ensure that public power utilities – and the broader ecosystem of critical infrastructure entities – can share critical cybersecurity information with each other and the federal government without fear of public disclosure or violating anti-trust laws.