Reauthorizing Cybersecurity Information Sharing Activities that Underpin U.S. National Cyber Defense

Cybersecurity and Infrastructure Protection

2025-05-15

Source: Congress.gov

Summary

The meeting convened to discuss the critical need for reauthorization of the Cybersecurity Information Sharing Act of 2015 (CISA 2015), which established a crucial framework for voluntary cybersecurity information sharing between the private sector and the federal government. The discussion highlighted the law's success in fostering collaboration and the potential risks if it is allowed to lapse in September.

Importance of CISA 2015 Reauthorization

The Cybersecurity Information Sharing Act of 2015 is considered a critical component of the nation's defense against cyber threats, establishing a voluntary framework for information exchange. It has been vital in fostering trust and facilitating significant cyber threat intelligence sharing between industry and government. There is wide consensus among stakeholders that CISA 2015 should not be allowed to lapse, as its protections have drastically improved public-private collaboration. Failure to reauthorize the act would make the nation more vulnerable, as companies would hesitate to share information without legal protections. This hesitation would be a significant advantage to adversaries and undermine existing trusted partnerships.

Evolution of Cyber Threats

The threat landscape has evolved significantly over the past decade, becoming more complex with sophisticated nation-state and criminal actors. These threats now include ransomware, operational technology vulnerabilities, and challenges posed by generative artificial intelligence. Chinese cyber-enabled espionage, in particular, is cited as a persistent and strategically dangerous national security threat, aiming to steal intellectual property and fuel economic ambitions. The attacks target not only large government agencies and corporations but also small and medium-sized businesses and local critical infrastructure.

Role of CISA and Public-Private Partnerships

The Cybersecurity and Infrastructure Security Agency (CISA) plays a crucial role in securing critical infrastructure, businesses, and government entities from cyber threats. CISA 2015 has enabled strong partnerships and close coordination between industry and government, reinforcing national resilience. Initiatives like the Joint Cyber Defense Collaborative (JCDC), though newer, are critical for rapid information distribution between industry and government, leveraging CISA 2015's legal framework. Concerns were raised about potential budget cuts to CISA, which could compromise its ability to support and educate vital, smaller entities. The importance of public-private collaboration is especially high given that critical infrastructure is largely managed by private companies.

Privacy and Liability Protections

CISA 2015 provides essential liability and privacy protections, encouraging private organizations to share cybersecurity information without fear of legal repercussions. The law's development involved extensive debate and negotiation to balance privacy and security concerns, resulting in provisions for anonymizing shared information. A key protection involves DHS serving as a central hub for information sharing, mitigating concerns about direct sharing with intelligence agencies. Notably, after nearly 10 years, there have been no reported privacy breaches or improper sharing of personally identifiable information, validating the effectiveness of the statutory safeguards.

Tone of the Meeting

The tone of the meeting was largely one of unanimous support and urgency for the reauthorization of CISA 2015. Speakers emphasized the law's proven success and the severe consequences of its lapse, fostering a serious and focused discussion. While there was an openness to future improvements, a "clean reauthorization" was prioritized to avoid delays. The overall sentiment was collaborative and appreciative of the foundational work established by CISA 2015, coupled with a vigilant awareness of evolving cyber threats.

Transcript

Committee on Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection will come to order. If I have objection, the chair may declare the committee in recess at any point. Purpose of this hearing is to examine the Cybersecurity Information Sharing Act of 2015 or CISA 2015, which is up for reauthorization this year. We will evaluate the voluntary cybersecurity information sharing framework established by this legislation, assessing how it has influenced the way private entities share information today. This hearing will highlight the need to continue cybersecurity information sharing, given an increasingly complex threat environment, and will consider improvements to the legislation. I now recognize myself for an opening statement. Information sharing is a critical component of our nation's defense against global cyber threats. From utility companies in rural areas to major banks on Wall Street, the private sector is on the front lines of the digital battlefield, frequently defending itself from malicious cyber actors. Securing the United States in cyberspace requires a whole society approach, strong partnerships, and close coordination between industry and government at all levels. Our national resilience against cyber threats is reinforced by sharing threat information and best practices amongst all stakeholders. Nearly 10 years ago, Congress passed the Cybersecurity Information Sharing Act of 2015, establishing a framework for the voluntary exchange of cybersecurity information between private entities and the federal government. By providing liability and privacy protections for information shared in accordance with the statute, CISA 2015 removed long-standing barriers to public-private collaboration in cybersecurity. Over the past decade, the threat landscape has evolved significantly, with sophisticated nation-state and criminal actors increasingly exploiting cyberspace to target infrastructure and individuals.
As these threats continue to rise, CISA 2015 has become more vital than ever. The law has fostered a foundation of trust among cybersecurity stakeholders, making information sharing the default rather than an exception.
A significant volume of critical cyber threat intelligence has been exchanged between industry and government under this law. For instance, just this year, a major organization shared 84 formal reports reaching thousands of partner organizations. This doesn't include the numerous informal daily exchanges that are also protected by the law. This September, CISA 2015 is set to expire unless Congress reauthorizes it. As we've heard from many stakeholders, the liability and privacy protections provided by the law have facilitated better information sharing, helped secure networks, and improved our overall cybersecurity posture. The Cybersecurity Infrastructure Security Agency, which this subcommittee oversees, has played a crucial role in fostering these information sharing partnerships, a mission I look forward to continuing of the new administration. There are valid concerns that without these protections, the private sector would be less willing to share cybersecurity information either amongst themselves or with the federal government. Without these safeguards, we can be certain that our nation would be more vulnerable to cyber threats. I strongly support reauthorizing CISA 2015. I've made it a top priority this year. I'm encouraged that just yesterday, Secretary Noem voiced similar support before the full committee. This hearing is a crucial step forward in the reauthorization process, and I look forward to incorporating feedback into a reauthorization bill. I'd like to thank our expert panel for being here. Your insights on how this law has been implemented across industry are invaluable. Some of you tracked or worked directly on this law since its inception. I look forward to exploring ways to maintain and potentially improve voluntary cybersecurity information sharing between the public and private sectors. I now recognize the ranking member, the gentleman from California, Mr. Swalwell, for his opening statement.
Thank you, Chairman. And I was a member of the Intelligence Committee back in 2015 when the CISA 15 was enacted, and it was apparent to me then, even in the midst of very intense, vigorous debate, that we needed greater public-private cybersecurity collaboration. So I want to first just thank the witnesses for coming today and sharing their perspective, their members' positions, their industry's concerns, because we want to get this right, and we want to build on the success that we have. So we're hearing about new cybersecurity attacks every day, yet the federal government at the time had very little visibility into what was happening on private networks. And the private sector is receiving very little information from the federal government on cyber threats. I would say that is probably still happening today. And the biggest complaint I hear from you all, especially on JCDC, is it's a one-way relationship. And I know we want to do more to increase what is shared with you in the private sector. laid out in the 2015 debate that there was at the time almost no cyber sharing between the public sector and the private sector. And CISA 2015 sought to change that, and it has changed that. It's provided the legal framework to facilitate cyber information sharing between the federal government and the private sector. It gives companies the confidence that they'll be legally protected if they voluntarily share cyber threat information with the Department of Homeland Security or with their competitors. It's rare that these days we see such a wide consensus on any topic, but on the issue of reauthorizing CISA 2015, I've received a very clear message from everyone I've talked to. Do not let it lapse. Stakeholders have consistently stated that CISA 2015 has drastically improved public-private collaboration, helping our cyber defenders better do their job.