The American Public Power Association and other groups from various industry sectors are urging the U.S. Congress to extend the September 30, 2025, expiration date for the Cybersecurity Information Sharing Act.
“This bipartisan legislation passed in the wake of the 2015 OPM breach and sought to ‘encourage public and private sector entities to share cyber threat information, removing legal barriers and the threat of unnecessary litigation,’” the March 21 letter said.
“This voluntary information sharing framework has been instrumental in strengthening our collective defense against cybersecurity threats that continue to grow in sophistication and severity,” APPA and the other groups said in their letter.
The letter was sent to Sen. John Thune, R-S.D., Senate Majority Leader; Sen. Charles Schumer, D-N.Y., Senate Minority Leader; Rep. Mike Johnson, R-La., House Speaker; and Rep. Hakeem Jeffries, D-N.Y., House Minority Leader.
“Recent events underscore the imperative of continuing to support both private-public information sharing and collaboration as well as providing the legal clarity that companies currently count on to share cyber threat information with other companies and across sectors,” the groups said in the letter.
“Nation-state hackers have launched numerous attacks on U.S. critical infrastructure including our communications systems – signaling they are positioning for bigger, more disruptive attacks.”
Federal agencies have similarly been targeted -- most recently the Treasury Department in the BeyondTrust breach, but also during the SolarWinds incident where nine agencies were compromised, the letter noted.
“In the decade since its enactment, the law has meaningfully improved the capacity and speed with which we can respond to large-scale cyber incidents while establishing clear expectations for privacy and confidentiality,” APPA and the other groups said.
“This includes building the structures used by private sector cyber defenders to inform government partners of ongoing cyber threats from malicious actors. Equally as important, the law’s antitrust exemption and associated protections have also facilitated broader cyber information sharing between private companies.”
Private sector cyber defenders, including those from critical infrastructure entities regularly targeted by foreign threat actors, “depend on threat indicator sharing from other companies to strengthen their defenses and protect their customers’ data. A lapse in the legal framework provided in the Act could limit this sharing.”
These communication channels “are essential for enhancing overall awareness of national security threats and quickly responding to incidents. Given that value, these statutory provisions have been incorporated by reference to other significant cyber laws like the Cyber Incident Reporting for Critical Infrastructure Act -- making their reauthorization all the more critical,” the letter said.
“The aforementioned attacks demonstrate the urgent need for increased collaboration and information sharing. The expiration of these protections risks creating a chilling effect on this critical information exchange -- leaving us all more vulnerable to nation-state attacks and cybercriminals moving forward.”
Along with APPA, groups signing onto the letter were:
- Alliance for Digital Innovation
- American Bankers Association
- Bank Policy Institute
- Business Software Alliance
- Edison Electric Institute
- Independent Community Bankers of America
- Information Technology Industry Council
- Institute of International Bankers
- National Rural Electric Cooperative Association
- Operational Technology Cybersecurity Coalition
- Securities Industry and Financial Markets Association