02-04-2025
9 Reasons Why CSA 2015 Is Vital For CISA's Success
CEO of Axon Global: an expert in AI & effective Cyber ERM. A recognized leader in his field by the U.S. Secret Service, NACD, and the WSJ.
In October of 2025, the Cybersecurity Act of 2015 is due to expire, unless Congress extends the deadline or renews the Act. The Cybersecurity Act of 2015, Division N, has played a transformative role in the U.S. cybersecurity landscape. It is particularly crucial for the Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA), which relies on the law's provisions to effectively protect the nation's critical infrastructure. It is the enabler by which the private sector can contribute indicators of compromise without liability. It fosters collaboration between the public and private sectors and enables the timely sharing of cyber threat intelligence.
A key element that makes this possible is the legal protections provided under Section 3.3 (B) v. of the Cybersecurity Information Sharing Act of 2015. These protections encourage companies to share information without fear of legal repercussions, ultimately strengthening national cybersecurity.
One of the main objectives of the Cybersecurity Act of 2015 is to promote better collaboration between the public and private sectors. In today's digital world, cyber threats are becoming more advanced, targeting sensitive data and disrupting critical infrastructure. No single entity can effectively counter these threats alone. And the government can do very little to help protect critical infrastructure without visibility into it.
The Act facilitates the exchange of cyber threat indicators, empowering CISA to develop a more comprehensive understanding of the threat landscape. It serves as the single point of entry where the private sector can report indicators of compromise without liability, ensuring the information reaches the appropriate U.S. government agency. This collective effort is crucial for defending sectors like energy, healthcare, finance and critical infrastructure, which are largely managed by private companies.
Section 3.3 (B) v. – Legal Protections That Foster Information Sharing
Section 3.3 (B) v. of the Cybersecurity Information Sharing Act of 2015 offers strong legal protections to organizations that share cyber threat information responsibly. These protections help alleviate concerns about liability and regulatory exposure, encouraging more companies to participate. The key legal protections include:
1. Protection from lawsuits related to sharing cyber threat indicators, provided the information is shared responsibly (6 U.S.C. § 1505(b)).
2. Exemption from state public records laws, ensuring that sensitive information shared with government entities remains confidential (6 U.S.C. § 1503(d)(4)(B)).
3. Protection from state regulatory actions, giving companies confidence that shared information won't be used against them (6 U.S.C. § 1503(d)(4)(C)).
4. Preservation of attorney-client privilege, ensuring that sharing information doesn't compromise legal confidentiality (6 U.S.C. § 1504(d)(1)).
5. Recognition of shared data as proprietary information, protecting trade secrets and sensitive business information (6 U.S.C. § 1504(d)(2)).
6. Exemption from federal public disclosure laws, maintaining the confidentiality of shared threat intelligence (6 U.S.C. § 1504(d)(3)).
7. Waiver of ex parte communication rules, allowing open and honest discussions without legal consequences (6 U.S.C. § 1504(d)(4)).
8. Protection from federal regulatory actions, ensuring that shared information isn't used for enforcement purposes (6 U.S.C. § 1504(d)(5)(D)).
9. Immunity from antitrust laws, enabling competitors to collaborate on cybersecurity without legal risks (6 U.S.C. § 1504(e)).
Why These Legal Protections Matter To CISA
The legal protections provided by the Act are crucial for CISA's mission because they break down the barriers that previously discouraged companies from sharing vital cyber threat data.
By offering liability protection and ensuring confidentiality, the Act fosters a culture of trust and collaboration. This enables CISA to gather a wide range of threat intelligence, improving its ability to identify and respond to emerging cyber threats quickly and efficiently. This proactive approach is key to protecting national security and maintaining public trust.
How Private Companies Benefit
The legal protections under Section 3.3 (B) v. aren't just good for national security; they also provide significant benefits to private companies.
By minimizing legal risks and safeguarding proprietary information, the Act creates a secure environment for sharing threat intelligence. This collaborative approach allows companies to stay ahead of cyber adversaries while protecting their business interests. Additionally, the antitrust exemptions enable industry competitors to work together on cybersecurity solutions without fear of legal repercussions. This collective defense strategy enhances the overall security posture of the private sector.
Conclusion
The Cybersecurity Act of 2015, Division N, is a cornerstone of modern cybersecurity policy in the United States. By promoting public-private collaboration and providing robust legal protections, the Act enables CISA to build a more resilient and responsive cybersecurity infrastructure. The warranties offered under Section 3.3 (B) v. are particularly valuable, as they eliminate legal obstacles, encouraging companies to share critical threat intelligence. This collaborative framework not only strengthens national security but also empowers the private sector to better defend itself against cyber threats.
According to the Executive Director of the DHS CISA, Bridget Bean, 'My team on the ground across the nation has the responsibility and the wonderful opportunity to bring together stakeholders, critical infrastructure owners and operators, and state and local government officials, to really tackle the problems that are facing our nation in cyber and physical.'
If the CSA 2015 expires in October, the collaborative framework provided by CISA will no longer be viable, and this may have serious cybersecurity consequences for critical infrastructure and national security.