Reauthorizing Cybersecurity Information Sharing Activities that Underpin U.S. National Cyber Defense

Cybersecurity and Infrastructure Protection

2025-05-15


Source: Congress.gov


Transcript

The Committee on Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection will come to order. If I have objection, the chair may declare the committee in recess at any point. Purpose of this hearing is to examine the Cybersecurity Information Sharing Act of 2015, or CISA 2015, which is up for reauthorization this year. We will evaluate the voluntary cybersecurity information sharing framework established by this legislation, assessing how it has influenced the way private entities share information today. This hearing will highlight the need to continue cybersecurity information sharing, given an increasingly complex threat environment, and will consider improvements to the legislation. I now recognize myself for an opening statement.
Information sharing is a critical component of our nation's defense against global cyber threats. From utility companies in rural areas to major banks on Wall Street, the private sector is on the front lines of the digital battlefield, frequently defending itself from malicious cyber actors. Securing the United States in cyberspace requires a whole society approach, strong partnerships, and close coordination between industry and government at all levels. Our national resilience against cyber threats is reinforced by sharing threat information and best practices amongst all stakeholders.
Nearly 10 years ago, Congress passed the Cybersecurity Information Sharing Act of 2015, establishing a framework for the voluntary exchange of cybersecurity information between private entities and the federal government. By providing liability and privacy protections for information shared in accordance with the statute, CISA 2015 removed long-standing barriers to public-private collaboration in cybersecurity. Over the past decade, the threat landscape has evolved significantly, with sophisticated nation-state and criminal actors increasingly exploiting cyberspace to target infrastructure and individuals. As these threats continue to rise, CISA 2015 has become more vital than ever. The law has fostered a foundation of trust among cybersecurity stakeholders, making information sharing the default rather than an exception.
A significant volume of critical cyber threat intelligence has been exchanged between industry and government under this law. For instance, just this year, a major organization shared 84 formal reports reaching thousands of partner organizations. This doesn't include the numerous informal daily exchanges that are also protected by the law.
This September, CISA 2015 is set to expire unless Congress reauthorizes it. As we've heard from many stakeholders, the liability and privacy protections provided by the law have facilitated better information sharing, helped secure networks, and improved our overall cybersecurity posture. The Cybersecurity Infrastructure Security Agency, which this subcommittee oversees, has played a crucial role in fostering these information sharing partnerships, a mission I look forward to continuing of the new administration. There are valid concerns that without these protections, the private sector would be less willing to share cybersecurity information either amongst themselves or with the federal government. Without these safeguards, we can be certain that our nation would be more vulnerable to cyber threats.
I strongly support reauthorizing CISA 2015. I've made it a top priority this year. I'm encouraged that just yesterday, Secretary Noem voiced similar support before the full committee. This hearing is a crucial step forward in the reauthorization process, and I look forward to incorporating feedback into a reauthorization bill.
I'd like to thank our expert panel for being here. Your insights on how this law has been implemented across industry are invaluable. Some of you tracked or worked directly on this law since its inception. I look forward to exploring ways to maintain and potentially improve voluntary cybersecurity information sharing between the public and private sectors. I now recognize the ranking member, the gentleman from California, Mr. Swalwell, for his opening statement.
Thank you, Chairman. And I was a member of the Intelligence Committee back in 2015 when the CISA 15 was enacted, and it was apparent to me then, even in the midst of very intense, vigorous debate, that we needed greater public-private cybersecurity collaboration.
So I want to first just thank the witnesses for coming today and sharing their perspective, their members' positions, their industry's concerns, because we want to get this right, and we want to build on the success that we have.
So we're hearing about new cyber security attacks every day, yet the federal government at the time had very little visibility into what was happening on private networks. And the private sector is receiving very little information from the federal government on cyber threats. I would say that is probably still happening today. And the biggest complaint I hear from you all, especially on JCDC, is it's a one-way relationship. And I know we want to do more to increase what is shared with you in the private sector, but I laid out in the 2015 debate that there was at the time almost no cyber sharing between the public sector and the private sector. And CISA 2015 sought to change that, and it has changed that. It's provided the legal framework to facilitate cyber information sharing between the federal government and the private sector. It gives companies the confidence that they'll be legally protected if they voluntarily share cyber threat information with the Department of Homeland Security or with their competitors.
It's rare that these days we see such a wide consensus on any topic, but on the issue of reauthorizing CISA 2015, I've received a very clear message from everyone I've talked to. Do not let it lapse. Stakeholders have consistently stated that CISA 2015 has drastically improved public-private collaboration, helping our cyber defenders better do their job.
Of particular importance to me was that in 2015 that we addressed privacy and civil liberty protections and demonstrated that their effectiveness was ensuring information shared with the government is protected and always used properly. As CISA 2015 was developed, I advocated for strong privacy protections, and I'm glad to see those statutory requirements have achieved their outcomes.
