What is CISA 2015?

CISA 2015 is a Barack Obama-era law that enacted legal protections and safeguards for organisations to share threat intelligence and other critical cyber security data with one another, and with the government.

Cynthia Kaiser, senior vice-president of the Ransomware Research Center at Halcyon Security, and until recently deputy assistant director for cyber policy, intelligence and research at the FBI’s cyber division, described CISA 2015 as the “backbone” of cyber defence, and said it had helped ward off innumerable cyber attacks in the past decade by providing timely intelligence to potential victims, as well as helping enable multinational law enforcement operations targeting cyber criminality.

Speaking to Computer Weekly this week, Kaiser said that when CISA 2015 was enacted, it was driven by a recognition that there needed to be protections in place to enable people to share cyber intelligence without fear of legal repercussions.

For example, with CISA 2015 in place, a hypothetical managed service provider that was compromised in a supply chain attack affecting its downstream customers is protected from being held liable for handing victim data over to the FBI or other agencies as part of the investigation.

“What I used to tell people at the FBI all the time is that we can’t protect you and we can’t protect others if we don’t hear from you,” said Kaiser.

“If a company is doing the right thing and coming to the federal government to provide information about a malicious cyber campaign that’s occurring, then they have certain protections in place that enable them to do that [and] that lowers the risk for them to be able to come to the government.

“There’s a second aspect where it also provides antitrust protection for industry-to-industry sharing,” she added. “Now I run the Halcyon Ransomware Research Center – we want different companies to come together and share cyber intelligence together, but if we do that there could be potential for someone to say, ‘if you all are getting together, it’s a monopoly’.”

Potential threat to global cyber collaboration

CISA 2015 was enacted with a 10-year sunset clause – which is not uncommon – to enable lawmakers to establish if it had been effective, and according to Kaiser, also partly due to concerns that the federal government could use it as a means to gather more private data.

In the first regard, she said, it has been an unequivocal success, and, thankfully, there is strong bipartisan support from both Democrats and Republicans for getting Wimwig over the finish line.

But absent the passage of Wimwig, the imminent expiration of CISA 2015 was beginning to raise significant concerns among cyber and national security experts in Washington.

“What we can’t have is these conversations still being arbitrated and then have it [CISA 2015] expire on 30 September, because even a month’s lapse would cause problems,” said Kaiser.

“I’ve spoken with lawyers who are outside breach counsels, and they’ve indicated that if this act lapses, they will likely have to change the advice they give to companies when considering whether they’re going to contact the federal government,” she said.

But beyond the US’s borders, if CISA 2015 was to lapse without continuity in place, the security sector could expect to see worldwide impacts, said Kaiser. Almost immediately, the timely threat information and updates coming out of federal agencies such as CISA would begin to ease off, and this would likely mean bulletins such as the late-August advisory on China’s Salt Typhoon – co-signed by the US and British authorities, and counterparts across Europe and in Australia, Canada and New Zealand – would either reduce in their cadence or cease altogether.

Furthermore, the ability of frontline cyber cops, such as those at the UK’s National Crime Agency to conduct effective operations against cyber criminals, would also be hit, while user organisations would also see less information coming from their own governments because they are in turn receiving less data from the US.

The second concern, she said, is that the frequency and quality of information sharing among cyber security suppliers and across industries would reduce based on antitrust and other compliance and liability concerns.

“We’re all competitors, but we’re also very collaborative, especially on cyber threat intelligence,” said Kaiser. “We’ve gotten so used to that over the last 10 years that it now just really underpins how we do business. Overall, I think information sharing globally would deteriorate if this isn’t reauthorised.”

Updates welcomed

The draft version of Wimwig contains much to be positive about, said Kaiser. Importantly, it clarifies some areas around liability protections that were left somewhat vague by CISA 2015.

“Some took a more sweeping, broad read of it, and some took more narrow reads of it,” she said. “The broad read is I think what we wanted people and companies to have, so clarifying those liability protections is a great edit moving forward.”

Wimwig also includes updated definitions to encompass emergent cyber attack tactics, techniques and procedures, like artificial intelligence (AI), which have advanced apace since 2015, and procedural updates to preserve protections for civil liberties and privacy.

The act additionally ensures private sector organisations – especially small to medium-sized enterprises – receive more information through mechanisms such as one-time read-ins for at-risk organisations such as critical infrastructure operators; directs federal bodies to provide technical assistance to the private sector on a voluntary basis; and encourages the use of secure AI.

It also enhances Congress’s oversight, and the effectiveness, of the Automated Indicator Sharing programme – a real-time data-sharing capability developed by the Department of Homeland Security.