Congress moved one step closer to reauthorizing a key cyber threat information-sharing law on Thursday during a hearing that highlighted both the act’s value and potential shortcomings.
The House Homeland Security Committee’s cyber subcommittee held the hearing to evaluate the private sector’s satisfaction with the 2015 Cybersecurity Information Sharing Act, which expires on Sept. 30. Witnesses from the tech industry praised the law for encouraging companies to share cyber threat indicators with each other and with federal agencies, but they also offered lawmakers suggestions for how to improve the program.
“Any lapse in CISA ’15 authorities would be an unfortunate step backwards, an unforced error that only stands to benefit cybercriminals, including sophisticated nation-state threat actors such as China, Iran and Russia,” said John Miller, senior vice president of policy for trust, data and technology at the Information Technology Industry Council (ITI), a major tech trade group.
Without the liability protections that the law offers for information sharing, “it puts it in the hands of the lawyers,” said Kate Kuehn, the CISO in residence at the National Technology Security Coalition (NTSC), a trade group that represents corporate cyber and privacy officers. “And the reality is that with AI coming in, with what we're seeing with the rapid spread of threats, we don't have time for it to go to the lawyers at this point. We have to be able to share information quickly.”
Still, ITI’s Miller said, Congress should update the law to reflect changes in the threat environment over the past decade. He encouraged lawmakers to consider expanding the definition of the term “cyber threat indicator” to encompass AI-related issues like training data anomalies and to allow companies to warn each other about potentially suspicious suppliers (something that currently entails the risk of retaliatory lawsuits by those suppliers).
Other terms might need updating too, Miller said in his written testimony. “CISA 15 defines a ‘cybersecurity threat’ primarily as an action ‘on or through an information system’ that may harm the security or data of that information system,” Miller wrote. “This framing made sense at the time but might not explicitly encompass threats that exploit machine-learning models in the cloud, corrupt software components before they ever reach a victim’s network, or target IoT and OT devices that fall outside the classic notion of an IT system.”
Diane Rinaldo, who helped write the law as a House Intelligence Committee staffer, testified that lawmakers should “expand and clarify liability protections to encourage broader information sharing.”
Democrats cite cybersecurity agency cuts
With Congress’s attention on information sharing, Democratic lawmakers said they want their colleagues to focus on improving other related government programs as well, using the hearing as an opportunity to criticize the Trump administration for paring back those efforts.
Rep. Eric Swalwell (D-Calif.), the subcommittee’s ranking member, called on the Cybersecurity and Infrastructure Security Agency (CISA) to reestablish a governing framework for information sharing that the Trump administration shut down. He also asked his colleagues to support his bill to codify CISA’s Joint Cyber Defense Collaborative.
Rep. Seth Magaziner (D-R.I.) said it was important for Congress to block Trump’s proposed $491 million cut to CISA’s budget, saying, “We should be investing in this space, not cutting back, because our adversaries are not cutting back.”
NTSC’s Kuehn concurred that CISA played “a critical role” in protecting critical infrastructure through guidance and assessments.
Privacy worries
Critics of the CISA law have raised the same privacy concerns about its reauthorization that they raised when Congress was first considering it, but now they are connecting those warnings with the far-reaching and potentially illegal data collection of Elon Musk’s U.S. DOGE Service.
The CISA law “raises important privacy concerns for users,” Jake Laperruque, deputy director of the Security and Surveillance Project at the Center for Democracy and Technology, a digital-rights nonprofit, told Cybersecurity Dive via email. Given DOGE’s actions and the trend of data brokers selling information to law enforcement, he said, “Congress needs to show it’s prioritizing Americans’ privacy and working to safeguard their private information.”
But the witnesses at Thursday’s hearing, all of whom represented the perspective of the tech industry, said privacy fears related to the information-sharing act had not materialized in the first decade of the law’s implementation.
“I think that's pretty compelling evidence that the bill itself and the structure and the protections that were put in place to protect privacy and civil liberties worked,” Miller said.
All of the witnesses agreed that they saw no need to change the law’s privacy-related language.
With bipartisan congressional support and backing from both the Trump administration and the private sector, the CISA law appears to be on a glide path to reauthorization.
“It's rare that these days we see such a wide consensus on any topic,” Swalwell said, “but on the issue of reauthorizing CISA 2015, I've received a very clear message from everyone I've talked to: Do not let it lapse.”