America Must Reauthorize CISA 2015 to Strengthen Its Cyber Defense Strategy for the AI Age

By Shreya Sampath

On August 6th, reportsof a significant cyberattack on the electronic case filing system used by the federal judiciary highlighted a growing trend of worrying trend of increased cyberattacks on the U.S. government. According to reporting, a Russian entity was likely responsible for the attack, demonstrating a pattern of increased cyber-aggression from foreign adversaries. As the frequency and impact of cyberattacks in the United States continues to rise, we must also acknowledge the changes to the cyberthreat landscape fueled by artificial intelligence, creating the capability for actors to streamline and expand attacks.A recent report by Google captured the extent of these threats, highlighting efforts by government-backed threat actors including China and Russia, who are increasingly misusing AI tools and generative AI to support malicious cyberattacks

Recognizing both the opportunities and threats in cybersecurity as a result of AI innovations, industry leaders and lawmakers acknowledge the urgent need for maintaining and strengthening robust cybersecurity infrastructure to navigate the new AI-based reality. Part of this will involve developing new, innovative approaches to incorporate AI into cyber defense and develop new capabilities to respond to AI-driven attacks. Another key component, however, is the preservation and improvement of the existing foundation for defending American cyberspace. A key component of the latter - and the subject of this piece - is public-private collaboration.

The Vital Role of CISA 2015: Safeguarding Cyberdefense Infrastructure

Increased public-private cooperation is essential to U.S. cybersecurity infrastructure. The White House's AI Action Plan recognizes this imperative. To counter adversarial threats, it calls for establishing an AI Information Sharing Analysis Center (AI-ISAC) led by the Department of Homeland Security (DHS) and other measures to promote collaboration with the private sector and support robust and resilient AI systems.

These initiatives encourage public-private collaboration, especially in sharing updated threat intelligence. However, this collaboration cannot flourish without a strong framework that addresses disincentives for the private sector such as liability concerns. Central to this effort is the Cybersecurity Information Sharing Act of 2015 (CISA 2015). CISA 2015 enables companies and government agencies to share cyber threat indicators and response measures in part by providing essential liability protections and antitrust exemptions that foster information sharing without liability risk. Under this legislation, relevant data can be shared through DHS to facilitate gathering of threat intelligence while also protecting civil liberties and privacy. Moreover, the law has advanced consumer privacy interests by establishing best practices for information sharing among private sector entities, enhancing efforts to counter cyberattacks. Without these collaborative efforts and data sharing, cybersecurity professionals in both the public and private sectors would struggle to respond swiftly to emerging threats-threats that are becoming increasingly complex in the era of AI.

Current Considerations and Recommendations

Unfortunately, CISA 2015 will expire if not reauthorized by September 30. It is imperative for Congress to act swiftly to reauthorize this legislation, which has garnered widespread support and recognition for its pivotal role in fortifying America's national cyber defense infrastructure. In a recent hearingby the House Subcommittee on Cybersecurity and Infrastructure Protection, technology industry leaders, cybersecurity officials, and policy experts emphasized its indispensability in supporting national cyber-defense efforts as adversarial attacks become more frequent.

The original CISA 2015 was written in an era before AI-fueled attacks reshaped the cyber landscape. Renewing it now is more important than ever to meet today's realities, however, legislators should also take time to consider enhancements to CISA 2015 - drawing on a decade of experience with the law - to enhance collaboration and response to the emerging threat landscape. . For example, Congress could expand liability protections to incentivize broader information sharing by revisiting definitions of key terms such as "cyber threat indicators," "defensive measures," "cybersecurity purpose," and "cybersecurity threat". Consideration should also be given to extending liability protections for direct sharing with agencies beyond DHS, which would enhance regulatory and enforcement frameworks while encouraging public-private collaboration. Lastly, further information sharing from the government to the private sector about cyberattacks on critical infrastructure would accelerate cyber defense innovation. Congress can address this by providing statutory guidance and direction to the Cybersecurity and Infrastructure Security Agency.

In light of the emerging threats from adversarial countries seeking to stem American innovation and these countries' ever-expanding access to AI tools, Congress must reauthorize CISA 2015.