The House Homeland Security Committee on Wednesday approved a measure that would renew a cornerstone cybersecurity law designed to optimize the exchange of cyber threat information between the private sector and U.S. government.
The original law, the Cybersecurity and Information Sharing Act of 2015, lets private sector providers freely transmit cyber threat intelligence to government partners with key liability protections in place. It’s set to lapse Sept. 30 unless renewed by Congress.
The extension, dubbed the Widespread Information Management for the Welfare of Infrastructure and Government, or WIMWIG, Act, extends the law another ten years. It now moves to the full House for consideration.
Technical amendments were introduced to the bill, which were met with little pushback in committee, though Rep. Bennie Thompson, D-Miss., the panel’s ranking member, criticized the process undertaken by committee chairman Andrew Garbarino, R-N.Y., to vet changes to the legislation. Thompson said the process was “cut short unnecessarily” and that the text of the bill was made public for the first time only 48 hours before the markup.
Top of mind for some Republicans on the panel were concerns that the Cybersecurity and Infrastructure Security Agency would be enabled to censor Americans’ protected speech. That concern extends to the Senate Homeland Security Committee, where Chairman Rand Paul, R-Ky., a First Amendment hawk, has said he’d add language in the high chamber’s version of the reauthorization that would bar the cyber agency from carrying out alleged censorship of free speech.
CISA has faced mounting Republican criticism over allegations of censorship tied to its efforts to combat election-related disinformation in and around 2020. GOP lawmakers contend this amounted to unconstitutional government pressure on private companies to suppress speech, particularly conservative viewpoints.
Garbarino said he spoke with Paul on Tuesday night and that Paul was aware of the Wednesday markup. The senator discussed “a piece of legislation that he has that affects CISA, the agency,” Garbarino said, though he did not elaborate on the specifics. It’s not clear if Paul’s legislation pertains directly to censorship language in the information-sharing law renewal process, or if it’s an entirely separate measure.
In the early 2010s, legislative efforts to establish a cyber threat information sharing framework had been underway for several years but faced major hurdles amid public skepticism over government privacy abuses following Edward Snowden’s 2013 global surveillance disclosures.
The view shifted after the Office of Personnel Management suffered a massive data breach in 2015, compromising the personal information of over 21 million current and former federal employees, which galvanized support for the law as it stands today.
Stakeholders say the liability protections in the data-sharing law are critical because they shield companies from lawsuits and regulatory penalties when sharing cyber threat indicators with the government. Oftentimes, cyber threat data includes specific names of individuals or sensitive business information, depending on what hackers target.
“By reauthorizing the [law], this bill preserves the trusted framework that enables industry and government to share critical threat information quickly and securely,” said Robert Mayer, USTelecom’s senior vice president of cybersecurity and innovation. “For the telecommunications sector, where our networks are on the front lines of cyber defense, this legislation is essential to protecting the infrastructure Americans depend on every day.”
