
Democratic members of the U.S. House Committee on Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection held a Thursday hearing addressing the reauthorization of cybersecurity information sharing activities that underpin the nation’s cyber defense. Ten years ago, Congress enacted the Cybersecurity Information Sharing Act of 2015, which transformed how the government and private sector collaborate to defend the nation against cyber threats.
The witnesses at the hearing included Kate Kuehn, member and CISO-in-residence at the National Technology Security Coalition; John Miller, senior vice president of policy for Trust, Data, & Technology, General Counsel at the Information Technology Industry Council; Diane Rinaldo, a private citizen; and Karl Schimmeck, executive vice president and chief information security officer at Northern Trust.
The Cybersecurity Information Sharing Act of 2015 is set to expire on Sept. 30, 2025, prompting bipartisan efforts to reauthorize it. It facilitates the sharing of cyber threat indicators between federal and non-federal entities, providing legal protections to encourage participation.
Industry leaders and organizations, including the Protecting America’s Cyber Networks Coalition, emphasize their role in safeguarding critical infrastructure and urge Congress to act promptly. A bipartisan bill proposes a 10-year extension to ensure continued collaboration against escalating cyber threats. Lawmakers and stakeholders stress that reauthorization is vital to maintain national cybersecurity resilience.
Andrew Garbarino, a New York Republican and chairman of the Subcommittee on Cybersecurity and Infrastructure Protection, said in his opening statement at the hearing that by providing liability and privacy protections for information shared under the statute, the Cybersecurity Information Sharing Act removed longstanding barriers to public-private collaboration in cybersecurity. “Over the past decade, the threat landscape has evolved significantly, with sophisticated nation-state and criminal actors increasingly exploiting cyberspace to target infrastructure and individuals. As these threats continue to rise, CISA 2015 has become more vital than ever.”
The law has fostered a foundation of trust among cybersecurity stakeholders, making information sharing the default rather than an exception.
“A significant volume of critical cyber threat intelligence has been exchanged between industry and government under this law,” Garbarino said. “For instance, just this year, a major organization shared 84 formal reports, reaching thousands of partner organizations. This doesn’t include the numerous informal daily exchanges that are also protected by the law.”
He noted that there are valid concerns that, without these protections, the private sector would be less willing to share cybersecurity information, either amongst themselves or with the federal government. “Without these safeguards, we can be certain that our nation would be more vulnerable to cyber threats. I strongly support reauthorizing CISA 2015, and I’ve made it a top priority this year. I’m encouraged that just yesterday, Secretary Noem voiced similar support before the full committee. This hearing is a crucial step forward in the reauthorization process, and I look forward to incorporating feedback into a reauthorization bill.”
“Many of the witnesses testifying today worked with Congress over the multi-year authorization effort to ensure the bill included protections for privacy and civil liberties and establish appropriate mechanisms for information sharing,” Bennie G. Thompson, a Democrat from Mississippi and ranking member of the Committee on Homeland Security, wrote in his hearing statement. “I’d like to thank you for your efforts to get CISA 2015 enacted then and to get it reauthorized now.”
He added that today the Cybersecurity Information Sharing Act 2015 serves as the foundational authority for critical public-private collaboration programs – from CISA’s Ransomware Task Force and Notification Initiative to the Joint Cyber Defense Collaborative – as well as private sector information sharing organizations like information sharing and analysis centers (ISACs).
More broadly, Thompson noted that the Cybersecurity Information Sharing Act transformed security culture, creating within the private sector a bias toward sharing information with the government and each other through both formal and informal mechanisms. As a result, the government has been able to work with the private sector to more dynamically respond to a range of cyber threats from our most sophisticated adversaries and cyber criminals.
“While I recognize that there is room to improve and modernize the Cybersecurity Information Sharing Act, we cannot allow efforts to rethink the bill to interfere with its timely reauthorization. This critical authority expires in just 44 legislative days,” Thompson mentioned. “If history is any guide, changes to CISA 2015 – however minor – will involve multiple stakeholders and multiple rounds of careful negotiation. I recommend, in the strongest terms, that this Committee move a clean, ten-year extension of CISA 2015 as soon as possible to ensure continuity of the collaboration programs that both government and the private sector rely on.”
He added that doing so will send a strong message to the security community that, despite the current upheaval across government, Congress remains committed to ensuring the federal government is a strong security partner. It will also make clear to adversaries that political divisions will not distract from the obligation to defend the critical infrastructure relied on every day by Americans against cyberattacks.
Eric Swalwell, a Democrat Senator from California and ranking member of the Subcommittee on Cybersecurity and Infrastructure Protection, noted that the Cybersecurity Information Sharing Act provided the legal framework to facilitate cyber information sharing between the Federal government and the private sector, as well as between private sector entities. It gives companies the confidence that they will be legally protected if they voluntarily share cyber threat information with the Department of Homeland Security or with their competitors.
“It is rare these days that we see such a wide consensus on any topic, but on the issue of reauthorizing CISA 2015, I have received a very clear message from everyone I have talked to—we cannot let this authority lapse,” Swalwell mentioned in his statement. “Stakeholders have consistently stated that CISA 2015 has drastically improved public-private collaboration, helping our cyber defenders better do their job.”
He added that, of particular importance to him, CISA 2015’s privacy and civil liberties protections have demonstrated their effectiveness in ensuring information shared with the government is protected and used properly. “As CISA 2015 was developed, I advocated for strong privacy protections, and I am glad to see those statutory requirements have achieved their desired outcomes. We must move quickly to reauthorize CISA 2015 before it expires in September.”
Kuehn wrote in her testimony that the Cybersecurity Information Sharing Act has been pivotal in addressing some of the most significant cybersecurity threats over the past decade, including high-profile incidents like the SolarWinds breach and the more recent Volt Typhoon and Salt Typhoon campaigns. “These attacks underscore the growing sophistication and scale of cyber threats we face today.”
She added that, as Senators Gary Peters and Mike Rounds have emphasized, allowing the Cybersecurity Information Sharing Act 2015 to lapse would ‘significantly weaken our cybersecurity ecosystem’ and impair the nation’s ability to counter increasingly sophisticated threats. Furthermore, its expiration would eliminate critical liability protections and disrupt defensive cyber operations across critical infrastructure sectors.
She further highlighted that the recent termination of the Critical Infrastructure Partnership Advisory Council, the disbandment of the Cyber Safety Review Board, and the dismissal of members of the Cybersecurity Advisory Committee have undermined public-private cooperation in cybersecurity. These advisory bodies played a crucial role in fostering dialogue and sharing best practices between the government and industry. Their loss has created a gap in collaboration that must be addressed.
“The importance of these public-private partnerships is further emphasized by the fact that critical infrastructure sectors—such as energy, finance, and healthcare—are predominantly managed by private companies,” according to Kuehn. “These industries rely on timely and accurate information to protect themselves against attacks from nation-state actors and cybercriminals. Information sharing is crucial for defending against complex, state-sponsored cyberattacks, such as those originating from Russia, China, and North Korea.”
In conclusion, Kuehn said that the reauthorization of CISA 2015 is crucial for maintaining the nation’s security and strengthening public-private partnerships in cybersecurity. The law has fostered a collaborative environment that enables the real-time sharing of cyber threat intelligence, helping to defend against attacks from sophisticated adversaries.
“We urge Congress to prioritize a clean reauthorization of CISA 2015 to ensure the continued effectiveness of these public-private partnerships and the legal protections they provide,” she added. “Furthermore, we urge Congress and the Administration to reinstate advisory bodies, such as CIPAC, CSRB, and CSAC, to strengthen public-private cybersecurity collaborations.”
Last month, a Congressional Research Service (CRS) report warned that failing to renew the act could undermine threat intelligence coordination at a critical time.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.