Time's running out on a key cyber info-sharing law

Politico

14 hours ago

Driving the day
— Despite widespread support from bipartisan members of Congress, the private sector and the Trump administration, the Cybersecurity and Information Sharing Act is in danger of expiring at the end of September.
HAPPY MONDAY, and welcome to MORNING CYBERSECURITY! Another week closer to Black Hat and DEF CON. I'm excited to see many of you there! Drop me a line at dnickel@politico.com if you want to connect at either conference — or if you have any Las Vegas recommendations for a first-timer like me.
Follow POLITICO's cybersecurity team on X at @RosiePerper, @johnnysaks130, @delizanickel and @magmill95, or reach out via email or text for tips. You can also follow @POLITICOPro on X.
Want to receive this newsletter every weekday? Subscribe to POLITICO Pro. You'll also receive daily policy news and other intelligence you need to act on the day's biggest stories.
CYBER POLICY
EXPIRATION DATE INCOMING — Lawmakers have until Sept. 30 to reauthorize the Cybersecurity Information Sharing Act, a 10-year-old law that's been described as 'the most successful piece of cyber legislation' in the country.
But despite widespread support from the Trump administration, the private sector and bipartisan members of Congress, the law often referred to as 'CISA 2015' faces an uncertain future as lawmakers stare down the start of the month-long August recess. As leaders in the private sectorurge lawmakers to renew it before it's too late, the ranking member of the House Homeland Security Committee expressed frustration at the slow movement.
'We have known for ten years the CISA 2015 would expire this September,' Rep. Bennie Thompson (D-Miss.) said in a statement Sunday. 'The time to begin discussing and circulating potential changes to CISA 2015 was six months ago, if not earlier.'
— Conflicting priorities: The law, which incentivizes information-sharing on cyber threats between the private sector and the federal government through legal safeguards, saw ramped-up renewal efforts earlier this year in the private and public sectors.
But in the House, Thompson said that former Rep. Mark Green (R-Tenn.) — the chair of the House Homeland Security Committee, who resigned from Congress earlier this month — did not prioritize renewing the cyber law.
'He held four markups and didn't see fit to include a CISA 2015 extension in any of them,' Thompson said. 'Instead, he has left us with fewer than 20 legislative days to get an extension out of Committee, through the House, and over to the Senate or, more likely, find a way to attach an extension to a [continuing resolution].'
Across chambers, Senate Homeland Security Chair Rand Paul (R-Ky.) hasn't signaled that renewal is a priority.
Maggie reported last month that Paul vowed to make sure the law's reauthorization includes a clause that would prevent disinformation work at the Cybersecurity and Infrastructure Security Agency. But Paul — who didn't support the legislation in 2015 — isn't among the senators who sponsored legislation to renew the law earlier this year.
A spokesperson for Paul did not respond to a request for comment.
— Legislative movement: In April, Sens. Mike Rounds (R-S.D.), the chair of the Senate Armed Services Committee's cyber panel, and Gary Peters (Mich.), the top Democrat on the Senate Homeland Security Committee, introduced a bill that would pass a clean reauthorization of the law.
'Allowing this authority to lapse would weaken our cybersecurity defenses and send the wrong message to foreign adversaries, cybercriminals, and hacktivists looking to exploit vulnerabilities,' Peters said in a statement Sunday.
A spokesperson for Rounds did not respond to a request for comment.
But momentum could pick up on the House Homeland Security Committee. With Green's resignation, cyber panel Chair Andrew Garbarino (R-N.Y.) threw his hat in the ring last week for full committee chairship. In a letter to colleagues laying out his priorities if selected as chair, he vowed to work with committee Democrats in the House and with his Senate counterparts to renew the law.
'This will remain a priority in the weeks and months ahead,' Garbarino said in a statement Friday, adding that he has held meetings with fellow lawmakers and industry experts to 'identify the best legislative vehicle to get it done.'
— An industry without CISA 2015? As the clock runs down, industry leaders, including trade organizations and cybersecurity companies, warned your host that crucial information-sharing could be lost if the law is allowed to lapse.
'[The law] remains one of the most effective methods for enabling real-time collaboration between the government and the private sector in the face of evolving cyber threats,' said James Hayes, senior vice president of global government affairs at cyber firm Tenable. He added that letting it lapse would be 'a step backward.'
John Miller, senior vice president of the Information Technology Industry Council, told your host that the law is 'arguably the most successful cyber law we've ever passed in this country. And so to just let it lapse for no reason would just be unfortunate, to say the least.'
On The Hill
FIRST IN MC: CYBER HEALTH — Sen. Ron Wyden (D-Ore.) is urging the Trump administration to address gaps in cybersecurity in rural hospitals caused by Medicaid funding cuts in the One Big Beautiful Bill.
In a letter sent on Friday and shared exclusively with your host, Wyden asked Health and Human Services Secretary Robert F. Kennedy, Jr. and Centers for Medicare and Medicaid Administrator Mehmet Oz about their plans to help hospitals protect themselves in cyberspace.
'As rural and small hospitals confront even lower operating margins due to Republican health care cuts, they will be less likely to prioritize spending on cybersecurity infrastructure,' Wyden wrote.
Wyden also asked Kennedy and Oz if HHS and CMS plan to provide resources, such as grant funding, to small and rural hospitals to meet Cybersecurity Performance Goals — a voluntary guideline by HHS to help the health care sector bolster cybersecurity practices.
At the Agencies
PENTAGON DEALS UNDER REVIEW — The Defense Department is looking into cloud contracts amid a report from ProPublica last week that revealed that Microsoft has bypassed a Pentagon policy that bans foreign citizens from accessing highly sensitive data.
Defense Secretary Pete Hegseth ordered the review on Friday in response to the investigation, which detailed Microsoft's use of Chinese engineers to work on U.S. military cloud computing systems under the supervision of American 'digital escorts' who have security clearances but often lacked the skills to determine whether the Chinese engineers' work posed a cybersecurity risk.
On Friday, Microsoft spokesperson Frank Shaw said in a post on X that 'in response to concerns raised earlier this week,' the firm 'made changes to our support for US Government customers to assure that no China-based engineering teams are providing technical assistance for DoD Government cloud and related services.'
SHAREPOINT VULNERABILITY — CISA is warning about an active exploitation of a remote code execution vulnerability impacting Microsoft's on-site SharePoint servers.
The cyber agency issued an alert on Sunday, warning that the exploitation publicly known as 'ToolShell' provides unauthorized access to systems and enables hacker access to SharePoint content, like internal configurations and file systems.
Chris Butera, CISA's acting executive assistant director for cybersecurity, said in a statement that the agency is working with Microsoft to inform potentially affected groups about mitigation efforts.
Quick Bytes
'HONKERS' — WIRED's Kim Zetter breaks down how an early wave of Chinese hackers became the backbone of Beijing's espionage apparatus.
YOU'RE BREAKING UP — Cellphone internet shutdowns — which officials say are necessary to foil Ukrainian drones — have hit dozens of Russian regions, writes Dasha Litvinova for the Associated Press.
CYBER SCHOOL IN SESSION — CYBER.ORG, a cyber workforce development group for K-12 students, is launching a new program in D.C. schools.
Chat soon.
Stay in touch with the whole team: Rosie Perper (rperper@politico.com); John Sakellariadis (jsakellariadis@politico.com); Maggie Miller (mmiller@politico.com), and Dana Nickel (dnickel@politico.com).