The new leader of the powerful House Homeland Security Committee is committed to meeting a tight deadline for reauthorizing a pivotal cybersecurity information sharing law, but wants to see “some changes” to the statute, according to a top aide.
Questions around the process for reauthorizing the Cybersecurity Information Sharing Act of 2015 have developed into a crucial early test for new House Homeland Security Committee Chairman Andrew Garbarino (R-N.Y.). He was selected to replace former Chairman Mark Green (R-Tenn.) this week.
As chairman of the committee’s cybersecurity and infrastructure protection subcommittee, Garbarino called reauthorizing CISA 2015 a “top priority.” The law expires Sept. 30.
Re-authorization continues to be a top priority now that Garbarino helms the full committee, according to Alexandra Seymour, majority staff director for the cybersecurity and infrastructure protection subcommittee.
“First and foremost, we are committed to making sure that this authority does not lapse,” Seymour said during a Wednesday event in Washington hosted by the Homeland Security and Defense Forum.
“We recognize the criticality of how it underpins everything that we do in cybersecurity, all of the information sharing, whether it’s private sector to private sector or private sector to government,” she said.
But Garbarino “is interested in looking at some changes” to the decade-old law, she added.
“It has been 10 years, and so that is a natural time where we’re supposed to look in and reassess and reevaluate to see what has changed and if there is language that needs to be updated,” Seymour said.
With the House leaving Washington on Wednesday night for its lengthy August recess, however, little time remains on the legislative calendar for lawmakers to debate and pass a reauthorization measure before the end of September.
Rep. Eric Swalwell (D-Calif.), ranking member of the cybersecurity subcommittee, made that point during a hearing on Tuesday.
“It’s essential that we act promptly to reauthorize it in a clean way, and I’m open to any reforms that we could discuss down the road under the chairman’s leadership of the full committee,” Swalwell said. “But I think there is a wide consensus that we don’t have time to do that now.”
Information sharing boon
CISA 2015 is widely recognized as central to how industry and government share data about cyber threats. The law provides liability protections and privacy guardrails to especially encourage private sector organizations to voluntarily share data with each other and government agencies.
The information-sharing regime is considered critical to both identifying cyber threats and preventing them from spreading.
During a May hearing held by the Homeland Security committee to examine CISA 2015, Garbarino said a “significant amount of cyber threat information has been exchanged between industry and government” under the law.
“There are valid concerns that without these protections, the private sector would be less willing to share cybersecurity information either amongst themselves or with the federal government,” Garbarino said.
Industry experts who testified at the May hearing urged lawmakers to prioritize extending the law above any potential improvements.
“We cannot allow the perfect to be the enemy of the good,” John Miller, senior vice president of policy at the Information Technology Industry Council, said during the hearing. “Please do not jeopardize the cybersecurity improvements and partnerships that CISA 15 has catalyzed and that many now likely take for granted by letting the law lapse if that is the price of making changes”
But with major changes in cybersecurity and technology over the past decade, Miller acknowledged “targeted improvements” to CISA 2015 would be worth considering. He specifically recommended re-examining definitions such as “cyber threat indicator” to account for new threats like software supply chain attacks.
Miller also recommended codifying other authorities related to CISA 2015, such as public-private collaborations like the currently suspended Critical Infrastructure Partnership Advisory Council.
Industry has also criticized government agencies for not sharing enough cyber data back with the private sector. Diane Rinaldo, former acting administrator of the National Telecommunications and Information Administration, raised that issue at the hearing, but said it didn’t necessarily require a statutory change to CISA 2015.
“Just oversight,” Rinaldo said. “How could we stay on top of the agencies to make sure that they’re pushing out information?”
While privacy was a major issue during the debate around the information sharing law in 2015, Rinaldo and other witnesses said those concerns have not come to fruition. She pointed to a recent Homeland Security inspector general report that found no personal information violations under CISA 2015.
“The language and all the protections that we put in have been working,” Rinaldo said.
The IG report did highlight challenges that the Cybersecurity and Information Security Agency has had in carrying out the information-sharing authorities, such as getting organizations to participate in its “Automated Indicator Sharing” program.
But those testifying before the Homeland Security committee in May urged the committee to reauthorize CISA 2015 and then consider potential tweaks afterward.
“Cyber threats don’t take breaks, and they don’t wait for legislative calendars,” Karl Schimmeck, chief information security officer at Northern Trust, told the committee. “If we hesitate, we expose ourselves.”
‘Bird in the hand’
With the Sept. 30 expiration quickly approaching, House lawmakers have yet to introduce a re-authorization measure or even circulate potential edits to the law.
But last week, the Senate Select Committee on Intelligence, as part of its fiscal 2026 intelligence authorization bill, passed a “clean” CISA 2015 reauthorization that extends the law for another 10 years without changes.
Moira Bergin, minority staff director for the Homeland Security Committee’s Cybersecurity and Infrastructure Protection Subcommittee, said full committee Ranking Member Bennie Thompson (D-Miss.) is concerned that opening up the House’s re-authorization to potential changes will bog down the process.
“Mr. Thompson continues to believe pretty strongly that a clean extension is something that we must pass, and the SSCI mark is sort of a bird in the hand,” Bergin said alongside Seymour at the Homeland Security and Defense Forum event.
Meanwhile, Seymour encouraged industry to reach out to the committee with any recommendations on changes to the law. But she said not allowing it to lapse is the top priority.
“I think we’ve heard resoundingly from industry that the law has worked,” Seymour said. “We’ve also heard that there are tweaks that would be helpful if we were able to clarify them. So that’s something that we are exploring. Now, not at the expense of the law lapsing — I want to be very clear about that. … For those who might have changes that they might want to see, please feel free to reach out to us. That’s something that we’re looking at actively. And we are looking at all of the vehicles that might exist for us to make sure that CISA 2015 does not lapse.”
Copyright
© 2025 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
