Is Renewing CISA Enough to Restore Confidence for Cyber Threat Reporters?

On Jan. 20, lawmakers revealed a minibus package that would provide funding for the departments of Defense, Education, Health and Human Services, Homeland Security, Labor, Transportation, and Housing and Urban Development. Included in this package would be a $20 million expansion for the Cybersecurity and Infrastructure Security Agency. The package would also extend the Cybersecurity Information Sharing Act (CISA).
Today, Jan. 30, is the deadline for the previously extended act. Renewing it would make it active through Sept. 30.
These short-term negotiations can have an adverse effect on the industry, according to Andrew Grosso, former Assistant U.S. Attorney and current chair of the Subcommittee on Law for ACM’s U.S. Technology Policy Committee. He asserts that perpetual uncertainty surrounding the protections of CISA can hinder cyber threat reporting, and temporary extensions may not be enough to restore confidence.
Here, Security magazine talks with Grosso about the effect of temporary extensions, the legal risks involved, and how Congress could reinstate confidence.
Security: Why do stop-and-go authorizations undermine real-time threat sharing, even when retroactive immunity is proposed?
Grosso: There is more than one answer to this question.
First, if threats are not being reported, analyzed, and publicized in real time, then the threat information will be stale, and warnings will be ineffective.
Second, it undermines confidence in protections for the reporting system. There is no guarantee that when Congress re-enacts the reporting systems, it will have the same protections as before. And the longer that the protections are absent, the greater the possibility that someone will seek compensation from an entity for harm, real or imagined, caused by the entity’s continued reporting and dissemination of suspicions of cyber threats.
Also, old information is forgotten information. If information goes unreported today, it may never be reported, whether or not some form of CISA is re-enacted. It will simply be viewed as yesterday’s news by the entity that held it back, and overlooked when reporting resumes (if it resumes), resulting in real threats being overlooked.
Security: What are the legal risks companies face when CISA protections lapse, including concerns around liability, privacy, and antitrust exposure?
Grosso: One of the functions of CISA is to encourage the reporting of information concerning possible cyber threats. The information may not be complete, conclusive, or even accurate — but may nonetheless be useful when reported to the government in good faith and then placed into a fuller context by the government.
But because of not being complete, conclusive or accurate, the information may have the unintended result of harming the reputation of innocent third parties. Or the reported information may include items that invade the privacy of individuals or bring unwanted attention and (ultimately) unwarranted adverse effects upon an innocent party. These affected individuals and other parties may seek to hold the reporting entities liable for any harms, including through the use of the courts.
Antitrust issues may also arise. By reporting adverse information concerning a competitor, a commercial entity may face the allegation that the motive behind the report was to injure a competitor in the marketplace.
So with all of these risks surrounding the reporting of information, which may or may not ever be analyzed by the government, why should an entity open itself to possible retaliation for trying to be a good citizen?
Unless and until Congress gets its Act together (pun intended), many entities simply won’t bother.
Security: What could Congress do now to restore confidence and continuity for organizations expected to share cyber threat information?
Grosso: Put simply, the lapse has gone on long enough, and Congress needs to re-authorize CISA in some form. Preferably, CISA should be re-enacted in total, so that the public at large retains a level of confidence that the legal framework to which it is accustomed and has come to understand will continue to exist. Absent that, some other form of CISA, be it “CISA-light” or “CISA-plus,” should be passed promptly. While Congress may seek solace in “the stall,” technology does not stand still and neither do cyber threats.