S 1337 Introduced – CISA Information Sharing
Back in April, Sen Peters (D,MI) introduced S 337, the Cybersecurity Information Sharing Extension Act. The bill would extend the authorization for 6 USC Chapter 1, Subchapter 6, Cybersecurity Information Sharing (6 USC 1500 thru 1510). That subchapter authorizes the Office of the Cyber Director, the development and sharing of cybersecurity information within the federal government (and with ‘non-Federal entities’), and allows for the use of non-Federal entities in the development of cybersecurity information. This bill extends the current ten-year authorization (which expires on September 30th, 2025) through 2035.
Definitions
While this bill does not contain any definitions (it is a very short piece – effectively on sentence – of legislation), it would extend the life of a set of very important, foundational definitions at 6 USC 1501.
Moving Forward
Peters is the Ranking Member of the Senate Homeland Security and Governmental Affairs Committee to which this bill is assigned for consideration. This means that there should be sufficient influence to see this bill considered in Committee. I would expect that this bill would receive broad, bipartisan support. The big question here is whether the Chair, Sen Paul (R,KY), would support the reauthorization of these programs. Paul voted against the bill (HR 2029, the Consolidated Appropriations Act, 2016) that originally established this sub-chapter, but since that was a consolidated spending bill (which he opposes on principle) it is hard to tell if his vote included specific opposition to these information sharing policies.
Commentary
In an interesting bit of legislative legerdemain, the Office of the Cyber Director would not automatically cease to exist if the current authorization were to expire (as we saw in the CFATS program, for example). This bill would amend §1510(a). That subsection reads:
“Except as provided in subsection (b), this subchapter and the amendments made by this subchapter shall be effective during the period beginning on December 18, 2015 and ending on September 30, 2025.””
The kicker here is that ‘except as provided in subsection (b)’ statement. That subsection reads:
“With respect to any action authorized by this subchapter or information obtained pursuant to an action authorized by this subchapter, which occurred before the date on which the provisions referred to in subsection (a) cease to have effect, the provisions of this subchapter shall continue in effect.”
While lawyers could argue endlessly about the exact scope of the phrase “any action authorized by this subchapter or information obtained pursuant to an action authorized by this subchapter”, the authorization for the Office of the Cyber Director would continue to exist beyond September 30th. Whether the current Administration would continue to keep the Office in operation is an entirely different question.