[House Hearing, 119 Congress]
[From the U.S. Government Publishing Office]


                   IN DEFENSE OF DEFENSIVE MEASURES: 
                 REAUTHORIZING CYBERSECURITY INFORMA-
               TION-SHARING ACTIVITIES THAT UNDERPIN U.S.  
                          NATIONAL CYBER DEFENSE

=======================================================================

                                HEARING

                               BEFORE THE

                            SUBCOMMITTEE ON
                    CYBERSECURITY AND INFRASTRUCTURE
                               PROTECTION

                                 OF THE

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED NINETEENTH CONGRESS

                             FIRST SESSION

                               __________

                              MAY 15, 2025

                               __________

                           Serial No. 119-15

                               __________

       Printed for the use of the Committee on Homeland Security
                                     

                                     

        Available via the World Wide Web: http://www.govinfo.gov

                               __________
                               
                   U.S. GOVERNMENT PUBLISHING OFFICE                    
61-338 PDF                  WASHINGTON : 2025                  
          
-----------------------------------------------------------------------------------     

                     COMMITTEE ON HOMELAND SECURITY

                 Mark E. Green, MD, Tennessee, Chairman
Michael T. McCaul, Texas, Vice       Bennie G. Thompson, Mississippi, 
    Chair                                Ranking Member
Clay Higgins, Louisiana              Eric Swalwell, California
Michael Guest, Mississippi           J. Luis Correa, California
Carlos A. Gimenez, Florida           Shri Thanedar, Michigan
August Pfluger, Texas                Seth Magaziner, Rhode Island
Andrew R. Garbarino, New York        Daniel S. Goldman, New York
Marjorie Taylor Greene, Georgia      Delia C. Ramirez, Illinois
Tony Gonzales, Texas                 Timothy M. Kennedy, New York
Morgan Luttrell, Texas               LaMonica McIver, New Jersey
Dale W. Strong, Alabama              Julie Johnson, Texas, Vice Ranking 
Josh Brecheen, Oklahoma                  Member
Elijah Crane, Arizona                Pablo Jose Hernandez, Puerto Rico
Andrew Ogles, Tennessee              Nellie Pou, New Jersey
Sheri Biggs, South Carolina          Troy A. Carter, Louisiana
Gabe Evans, Colorado                 Robert Garcia, California
Ryan Mackenzie, Pennsylvania         Vacant
Brad Knott, North Carolina
                    Eric Heighberger, Staff Director
                  Hope Goins, Minority Staff Director
                       Sean Corcoran, Chief Clerk
                                 ------                                

      SUBCOMMITTEE ON CYBERSECURITY AND INFRASTRUCTURE PROTECTION

                Andrew R. Garbarino, New York, Chairman
Clay Higgins, Louisiana              Eric Swalwell, California, Ranking 
Carlos A. Gimenez, Florida               Member
Morgan Luttrell, Texas               Seth Magaziner, Rhode Island
Andrew Ogles, Tennessee              LaMonica McIver, New Jersey
Mark E. Green, MD, Tennessee (ex     Vacant
    officio)                         Bennie G. Thompson, Mississippi 
                                         (ex officio)
             Alexandra Seymour, Subcommittee Staff Director
           Moira Bergin, Minority Subcommittee Staff Director
                            
                            
                            C O N T E N T S

                              ----------                              
                               Statements

The Honorable Andrew R. Garbarino, a Representative in Congress 
  From the State of New York, and Chairman, Subcommittee on 
  Cybersecurity and Infrastructure Protection:
  Oral Statement
  Prepared Statement
The Honorable Eric Swalwell, a Representative in Congress From 
  the State of California, and Ranking Member, Subcommittee on 
  Cybersecurity and Infrastructure Protection:
  Oral Statement
  Prepared Statement
The Honorable Bennie G. Thompson, a Representative in Congress 
  From the State of Mississippi, and Ranking Member, Committee on 
  Homeland Security:
  Prepared Statement

                               Witnesses

Mr. John Miller, Senior Vice President of Policy for Trust, Data, 
  and Technology, General Counsel, Information Technology 
  Industry Council:
  Oral Statement
  Prepared Statement
Ms. Diane Rinaldo, Private Citizen:
  Oral Statement
  Prepared Statement
Mr. Karl Schimmeck, Executive Vice President and Chief 
  Information Security Officer, Northern Trust:
  Oral Statement
  Prepared Statement
Ms. Katherine Kuehn, Member and CISO-in-Residence, National 
  Technology Security Coalition:
  Oral Statement
  Prepared Statement

                             For the Record

The Honorable Andrew R. Garbarino, a Representative in Congress 
  From the State of New York, and Chairman, Subcommittee on 
  Cybersecurity and Infrastructure Protection:
  Letter From Business Roundtable
  Statement of the Protecting America's Cyber Networks Coalition
  Letter From the Alliance for Automotive Innovation
  Joint Statement of Intrado Life & Safety, the National 
    Association of State 9-1-1 Administrators, and NENA--The 9-1-1 
    Association
  Joint Letter From Multiple Associations
  Statement of the Operational Technology Cybersecurity Coalition 
    (OTCC)
  Statement of the National Retail Federation
  Letter From the Software & Information Industry Association 
    (SIIA)

                                Appendix

Questions From Chairman Andrew R. Garbarino for John Miller
Questions From Chairman Andrew R. Garbarino for Diane Rinaldo
Questions From Chairman Andrew R. Garbarino for Karl Schimmeck
Questions From Chairman Andrew R. Garbarino for Katherine Kuehn

 
                   IN DEFENSE OF DEFENSIVE MEASURES: 
    REAUTHORIZING CYBERSECURITY INFORMATION-SHARING ACTIVITIES THAT 
                  UNDERPIN U.S. NATIONAL CYBER DEFENSE

                              ----------                              


                         Thursday, May 15, 2025

             U.S. House of Representatives,
                    Committee on Homeland Security,
                         Subcommittee on Cybersecurity and 
                                 Infrastructure Protection,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 2:04 p.m., in 
room 310, Cannon House Office Building, Hon. Andrew R. 
Garbarino (Chairman of the subcommittee) presiding.
    Present: Representatives Garbarino, Gimenez, Luttrell, 
Ogles, Swalwell, and Magaziner.
    Mr. Garbarino. The Committee on Homeland Security, 
Subcommittee on Cybersecurity and Infrastructure Protection, 
will come to order.
    Without objection, the Chair may declare the committee in 
recess at any point.
    The purpose of this hearing is to examine the Cybersecurity 
Information Sharing Act of 2015, or CISA 2015, which is up for 
reauthorization this year. We will evaluate the voluntary 
cybersecurity information-sharing framework established by this 
legislation, assessing how it has influenced the way private 
entities share information today.
    This hearing will highlight the need to continue 
cybersecurity information sharing given an increasingly complex 
threat environment, and we'll consider improvements to the 
legislation.
    I now recognize myself for an opening statement.
    Information sharing is a critical component of our Nation's 
defense against global cyber threats. From utility companies in 
rural areas to major banks on Wall Street, the private sector 
is on the front lines of the digital battlefield, frequently 
defending itself from malicious cyber actors.
    Securing the United States in cyber space requires a whole-
of-society approach, strong partnerships, and close 
coordination between industry and Government at all levels. Our 
national resilience against cyber threats is reinforced by 
sharing threat information and best practices amongst all 
stakeholders.
    Nearly 10 years ago, Congress passed the Cybersecurity 
Information Sharing Act of 2015, establishing a framework for 
the voluntary exchange of cybersecurity information between 
private entities and the Federal Government.
    By providing liability and privacy protections for 
information shared in accordance with the statute, CISA 2015 
removed long-standing barriers to public-private collaboration 
in cybersecurity.
    Over the past decade, the threat landscape has evolved 
significantly, with sophisticated nation-state and criminal 
actors increasingly exploiting cyber space to target 
infrastructure and individuals.
    As these threats continue to rise, CISA 2015 has become 
more vital than ever. The law has fostered a foundation of 
trust among cybersecurity stakeholders, making information 
sharing the default rather than an exception.
    A significant volume of critical cyber threat intelligence 
has been exchanged between industry and Government under this 
law. For instance, just this year a major organization shared 
84 formal reports, reaching thousands of partner organizations. 
This doesn't include the numerous informal daily exchanges that 
are also protected by the law.
    This September, CISA 2015 is set to expire unless Congress 
reauthorizes it.
    As we've heard from many stakeholders, the liability and 
privacy protections provided by the law have facilitated better 
information sharing, helped secure networks, and improved our 
overall cybersecurity posture.
    The Cybersecurity and Infrastructure Security Agency, which 
this subcommittee oversees, has played a crucial role in 
fostering these information-sharing partnerships, a mission I 
look forward to continuing under the new administration.
    There are valid concerns that without these protections the 
private sector would be less willing to share cybersecurity 
information, either amongst themselves or with the Federal 
Government. Without these safeguards, we can be certain that 
our Nation would be more vulnerable to cyber threats.
    I strongly support reauthorizing CISA 2015. I've made it a 
top priority this year. I am encouraged that just yesterday 
Secretary Noem voiced similar support before the full 
committee.
    This hearing is a crucial step forward in the 
reauthorization process, and I look forward to incorporating 
feedback into a reauthorization bill.
    I'd like to thank our expert panel for being here. Your 
insights on how this law has been implemented across industry 
are invaluable. Some of you have tracked or worked directly on 
this law since its inception.
    I look forward to exploring ways to maintain and 
potentially improve voluntary cybersecurity information sharing 
between the public and private sectors.
    [The statement of Chairman Garbarino follows:]
               Statement of Chairman Andrew R. Garbarino
                              May 15, 2025
    Information sharing serves as a critical component in our Nation's 
defense against global cyber threats. Ranging from utility companies in 
rural communities to large banks on Wall Street, the private sector 
operates on the front lines of the digital battlefield and is 
frequently defending itself from malicious cyber actors.
    Securing the United States in the cyber domain requires a whole-of-
society approach--partnerships and close coordination with industry as 
well as State, local, Tribal, and territorial governments. Our national 
resilience against cyber threats is strengthened by sharing threat 
information and best practices among stakeholders.
    Almost 10 years ago, Congress enacted the Cybersecurity Information 
Sharing Act of 2015--otherwise known as ``CISA 2015.'' This law created 
a framework for the voluntary exchange of cybersecurity information 
between private entities and with the Federal Government.
    By granting liability and privacy protections to information shared 
in accordance with the statute, CISA 2015 removed significant and long-
standing barriers to public-private collaboration in cybersecurity.
    The threat landscape has evolved significantly in the past 10 
years, with an emergence of sophisticated nation-state and criminal 
actors who use cyber space to exploit infrastructure and individuals. 
As threats continue to rise, CISA 2015 has become more important than 
ever before. The law has built a bedrock of trust among cybersecurity 
stakeholders to make information sharing the default, rather than the 
decision point.
    Indeed, a high volume of critical cyber threat intelligence has 
been shared between industry and Government under this statute. For 
example, this year alone, a large organization has shared 84 formal 
reports that have reached--in some cases--thousands of partner 
organizations. This does not include the multiple, daily, informal 
information-sharing engagements that the law also protects.
    This September, CISA 2015 will expire unless Congress acts now to 
reauthorize this key authority. As we have heard from many 
stakeholders, the liability and privacy protections have enhanced 
information sharing, helped secure their networks, and improved overall 
cyber defense posture of the United States. CISA the agency, which this 
subcommittee oversees, has played a significant role in facilitating 
information-sharing partnerships--something I look forward to seeing it 
continue as it refocuses on its core mission.
    There are valid concerns that, without this framework and its 
protections, the private sector would be less willing to share 
cybersecurity information among itself or with the Federal Government.
    We can be certain that our Nation would be more vulnerable to cyber 
threats if there were significant reductions in cybersecurity 
intelligence sharing.
    I wholeheartedly support the reauthorization of CISA 2015, and have 
made this bill a top priority this year. This hearing is a vital step 
forward for the reauthorization process, and I look forward to 
incorporating feedback from this hearing into a reauthorization bill 
that I intend to introduce very soon.
    I want to thank our expert panel for being here today. You bring 
valuable insights about how this law has been operationalized across 
industries. Some of you have even tracked, or directly worked on, this 
law from initial inception.
    I look forward to exploring ways in which we can maintain, and 
potentially further improve, voluntary cybersecurity information 
sharing between the public and private sectors.

    Mr. Garbarino. I now recognize the Ranking Member, the 
gentleman from California, Mr. Swalwell, for his opening 
statement.
    Mr. Swalwell. Thank you, Chairman.
    I was a member of the Intelligence Committee back in 2015 
when the CISA 2015 was enacted, and it was apparent to me then, 
even in the midst of very intense, vigorous debate, that we 
needed greater public-private cybersecurity collaboration.
    So I want to first just thank the witnesses for coming 
today and sharing their perspective, their members' positions, 
their industry's concerns, because we want to get this right 
and we want to build on the success that we have.
    So we're hearing about new cybersecurity attacks every day, 
yet the Federal Government at the time had very little 
visibility into what was happening on private networks, and the 
private sector was receiving very little information from the 
Federal Government on cyber threats.
    I would say that is probably still happening today, and the 
biggest complaint I hear from you all, especially on JCDC, is 
it's a one-way relationship. I know we want to do more to 
increase what is shared with you in the private sector.
    But I laid out in the 2015 debate that there was at the 
time almost no cyber sharing between the public sector and the 
private sector.
    CISA 2015 sought to change that, and it has changed that. 
It's provided the legal framework to facilitate cyber 
information sharing between the Federal Government and the 
private sector. It gives companies the confidence that they'll 
be legally protected if they voluntarily share cyber threat 
information with the Department of Homeland Security or with 
their competitors.
    It's rare that these days we see such a wide consensus on 
any topic, but on the issue of reauthorizing CISA 2015 I've 
received a very clear message from everyone I've talked to: Do 
not let it lapse.
    Stakeholders have consistently stated that CISA 2015 has 
drastically improved public-private collaboration, helping our 
cyber defenders better do their job.
    Of particular importance to me was that in 2015 we 
addressed privacy and civil liberty protections and 
demonstrated that their effectiveness was in ensuring 
information shared with the Government is protected and always 
used properly.
    As CISA 2015 was developed, I advocated for strong privacy 
protections, and I'm glad to see those statutory requirements 
have achieved their outcomes.
    We must move quickly to reauthorize CISA 2015 before it 
expires in September. Maybe we could change the name so it's 
not so confusing with the other CISA that we're working on. 
That is one change I think we would all welcome. Yeah, good 
name change.
    While it's reasonable to discuss if there are ways to 
strengthen the law going forward, we cannot allow such 
discussions with such an imminent time line to delay 
reauthorization.
    It's also important to remember there are steps that 
Congress and the administration can take in the interim after 
reauthorization.
    While establishing the legal regime to facilitate cyber 
information sharing, the maturation of the Cybersecurity and 
Infrastructure Security Agency--the original CISA--has provided 
a central hub for public-private cyber collaboration across 
critical infrastructure sectors.
    If CISA lacks the people and forums necessary to receive, 
analyze, and share cyber threat information, CISA 2015's 
provisions will be rendered meaningless.
    One important step for Congress that I have been working 
with in this committee is to codify the Joint Cyber Defense 
Collaborative and better define its mission and structure, and 
I hope we get a vote on that again this Congress.
    The administration should restore the Critical 
Infrastructure Partnership Advisory Council--also known as 
CIPAC--or establish a similar new entity that provides a 
mechanism for critical infrastructure collaboration.
    Finally, we must continue to support CISA's efforts to 
improve Automated Indicator Sharing and implement its Threat 
Intelligence Enterprise Services Program.
    Again, I thank the witnesses for participating in this. I 
expect I will hear across the board the value of CISA, that 
there are reforms that we can put in place.
    But if it's deciding between not authorizing and trying to 
find better reforms and risking this lapsing or reauthorizing 
something clean and then fighting and working together 
collaboratively ultimately to get reforms in the future, I 
think that you would choose the latter.
    With that, I yield back.
    [The statement of Ranking Member Swalwell follows:]
               Statement of Ranking Member Eric Swalwell
                              May 15, 2025
    As a Member of the Intelligence Committee when the Cybersecurity 
Information Sharing Act of 2015 (CISA 2015) was enacted, it was very 
apparent to me then that there was a need for greater public-private 
cybersecurity collaboration.
    We were hearing about new cyber attacks every day, yet the Federal 
Government had little visibility into what was happening on private 
networks, and the private sector was receiving little information from 
the Federal Government on cyber threats. As I explained during the 
debate leading up to the enactment of CISA 2015, there was, at the 
time, ``virtually zero relationship between private industry and 
Government'' when it came to cybersecurity.
    Thanks to CISA 2015, that has changed over the last decade. CISA 
2015 has provided the legal framework to facilitate cyber information 
sharing between the Federal Government and the private sector, as well 
as between private-sector entities. It gives companies the confidence 
that they will be legally protected if they voluntarily share cyber 
threat information with the Department of Homeland Security or with 
their competitors.
    It is rare these days that we see such a wide consensus on any 
topic, but on the issue of reauthorizing CISA 2015, I have received a 
very clear message from everyone I have talked to--we cannot let this 
authority lapse. Stakeholders have consistently stated that CISA 2015 
has drastically improved public-private collaboration, helping our 
cyber defenders better do their job.
    Of particular importance to me, CISA 2015's privacy and civil 
liberties protections have demonstrated their effectiveness in ensuring 
information shared with the Government is protected and used properly. 
As CISA 2015 was developed, I advocated for strong privacy protections, 
and I am glad to see those statutory requirements have achieved their 
desired outcomes. We must move quickly to reauthorize CISA 2015 before 
it expires in September.
    While it is reasonable to discuss if there are ways to strengthen 
the law going forward, we cannot allow such discussions to delay 
reauthorization, which would risk CISA 2015 lapsing and undermine the 
private sector's confidence in cooperating with the Federal Government.
    It is also important to remember that there are steps that Congress 
and the administration can take to improve cybersecurity information 
sharing beyond just reauthorizing CISA 2015. While CISA 2015 
established the legal regime to facilitate cyber information sharing, 
the maturation of the Cybersecurity and Infrastructure Security Agency 
has provided a central hub for public-private cyber collaboration 
across critical infrastructure sectors. Continued support and 
resourcing for CISA will be essential to improved information sharing.
    If CISA lacks the people and forums necessary to receive, analyze, 
and share cyber threat information, CISA 2015's provisions will be 
meaningless. One important step for Congress to take would be to codify 
the Joint Cyber Defense Collaborative and better define its mission and 
structure. And the administration should restore the Critical 
Infrastructure Partnership Advisory Council (CIPAC) or establish a 
similar, new entity that provides a mechanism for critical 
infrastructure collaboration.
    Additionally, we must continue to support CISA's efforts to improve 
Automated Indicator Sharing and implement its Threat Intelligence 
Enterprise Services program. It is critical that CISA has access to the 
best technologies available to facilitate timely and useful cyber 
threat information sharing, and Congress must ensure CISA has the 
resources and capacity to modernize its systems and services so that 
they become more useful to the private sector.
    I know there is bipartisan support for these efforts and am eager 
to work together to get CISA 2015 reauthorized and to continue building 
out the Federal Government's capacity for information sharing.
    I thank the witnesses for participating today and look forward to 
hearing from them about how CISA 2015 has strengthened our national 
security and how we can continue to better facilitate public-private 
information sharing going forward.

    Mr. Garbarino. The gentleman yields back.
    Other Members of the committee are reminded that opening 
statements may be submitted for the record.
    [The statement of Ranking Member Thompson follows:]
             Statement of Ranking Member Bennie G. Thompson
                              May 15, 2025
    Ten years ago, Congress enacted legislation that transformed how 
the Government and private sector collaborate to defend the Nation 
against cyber threats. The Cybersecurity Information Sharing Act of 
2015 reflects a hard-fought compromise that took years and multiple 
Congresses to accomplish.
    Many of the witnesses testifying today worked with Congress over 
the multi-year authorization effort to ensure the bill included 
protections for privacy and civil liberties and establish appropriate 
mechanisms for information sharing. I'd like to thank you for your 
efforts to get CISA 2015 enacted then and to get it reauthorized now. 
Today, CISA 2015 serves as the foundational authority for critical 
public-private collaboration programs--from CISA's Ransomware Task 
Force and Notification Initiative to the Joint Cyber Defense 
Collaborative--as well as private-sector information-sharing 
organizations like information sharing and analysis centers (ISACs).
    More broadly, the Cybersecurity Information Sharing Act transformed 
security culture, creating within the private sector a bias toward 
sharing information with Government and each other through both formal 
and informal mechanisms. As a result, Government has been able to work 
with the private sector to more dynamically respond to a range of cyber 
threats from our most sophisticated adversaries and cyber criminals.
    While I recognize that there is room to improve and modernize the 
Cybersecurity Information Sharing Act, we cannot allow efforts to 
rethink the bill to interfere with its timely reauthorization. This 
critical authority expires in just 44 legislative days. If history is 
any guide, changes to CISA 2015--however minor--will involve multiple 
stakeholders and multiple rounds of careful negotiation. I recommend, 
in the strongest terms, that this committee move a clean, 10-year 
extension of CISA 2015 as soon as possible to ensure continuity of the 
collaboration programs that both Government and the private sector rely 
on.
    Doing so will send a strong message to the security community that 
despite the current upheaval across Government, Congress remains 
committed to ensuring the Federal Government is a strong security 
partner. It will also make clear to our adversaries that our political 
divisions will not distract us from our obligation to defend the 
critical infrastructure Americans rely on every day from cyber attacks.
    I appreciate the Subcommittee Chair and Ranking Member's commitment 
to reauthorizing the Cybersecurity Information Sharing Act of 2015, and 
I look forward to working with them to get it across the finish line.

    Mr. Garbarino. I am pleased to have a distinguished panel 
of witnesses before us today. I ask that our witnesses please 
rise and raise their right hand.
    [Witnesses sworn.]
    Mr. Garbarino. Let the record reflect that the witnesses 
have answered in the affirmative.
    Thank you, and please be seated.
    I would now like to formally introduce our witnesses.
    Mr. John Miller currently serves as the senior vice 
president of policy for trust, data, and technology and general 
counsel for the Information Technology Industry Council.
    Mr. Miller is responsible for driving ITI's global strategy 
and advocacy on cybersecurity, technology, and digital policy 
issues while also serving as the organization's chief legal 
officer.
    In addition to his work at ITI, his experience includes 
serving as co-chair of CISA's ICT Supply Chain Risk Management 
Task Force, 3 terms as chair of the IT Sector Coordinating 
Council, and co-founder of the Council to Secure the Digital 
Economy.
    Ms. Diane Rinaldo previously served on the House Permanent 
Select Committee on Intelligence, where she had first-hand 
experience working on CISA 2015. Ms. Rinaldo also held senior-
level roles in the Executive branch, serving as acting 
administrator of the National Telecommunications and 
Information Administration and as acting assistant secretary of 
Commerce for communications and information. She currently 
serves as the executive director of the Open RAN Policy 
Coalition.
    Mr. Karl Schimmeck currently serves as executive vice 
president and chief information security officer of Northern 
Trust. He's also here on behalf of the Securities Industry and 
Financial Markets Association, or SIFMA, where he previously 
served as the managing director of cybersecurity, business 
resiliency, and operational risk.
    At Northern Trust, he is responsible for designing and 
managing the strategy and operations of the bank's information 
security, cybersecurity, and data protection programs. 
Additionally, he serves on the board of directors of both the 
Financial Services Information Sharing and Analysis Center and 
the Cyber Risk Institute.
    Ms. Kate Kuehn serves on the board of directors and is 
CISO-in-residence at the National Technology Security 
Coalition, where she brings experience leading and advising 
cybersecurity, technology, innovative AI strategies, and teams 
to help shape the industry with better business security and 
risk decisions.
    In addition to her work at the NTSC, Ms. Kuehn serves on 
the board of directors for HYAS and the Cybermaniacs.
    I thank the witnesses for being here today.
    I now recognize Mr. Miller for 5 minutes to summarize his 
opening statement.

 STATEMENT OF JOHN MILLER, SENIOR VICE PRESIDENT OF POLICY FOR 
   TRUST, DATA, AND TECHNOLOGY, GENERAL COUNSEL, INFORMATION 
                  TECHNOLOGY INDUSTRY COUNCIL

    Mr. Miller. Chairman Garbarino, Ranking Member Swalwell, 
and distinguished Members of the subcommittee, on behalf of the 
Information Technology Industry Council, or ITI, thank you for 
the opportunity to testify today on the critical need for 
Congress to reauthorize the Cybersecurity Information Sharing 
Act of 2015, or CISA 15, before it is set to expire in just 4 
months.
    ITI is a global trade association representing 80 of the 
world's leading tech companies, and I lead ITI's Trust, Data, 
and Technology policy team, including our work on 
cybersecurity, AI, and privacy in the United States and 
globally.
    I've worked on cyber policy issues for nearly 2 decades, 
and I have extensive experience partnering with DHS, CISA, and 
other Federal Government stakeholders to improve cyber and 
critical infrastructure security, including currently serving 
in the leadership of the IT Sector Coordinating Council and ICT 
Supply Chain Risk Management Task Force.
    I've had the honor of testifying before this subcommittee 
previously on the related topic of security incident 
notification, so I know you appreciate that sharing cyber 
threat information is vital to improving the Nation's cyber 
resilience and security by increasing situational awareness 
across Government and industry and driving more effective 
operational collaboration to prevent and respond to cyber 
threats.
    The same principles underlying CIRCIA motivated Congress to 
pass CISA 15, and that law is as fundamental to our collective 
cybersecurity today as it was back in 2015.
    I want to underscore that any lapse in CISA 15 authorities 
would be an unfortunate step backward, an unforced error that 
only stands to benefit cyber criminals, including sophisticated 
nation-state threat actors, such as China, Iran, and Russia.
    The axiom that cybersecurity is a team sport is no more 
self-evident than in the context of information sharing, which 
dictates that those experiencing or observing an incident, 
vulnerability, or other indicators that a network or device has 
been compromised should share that information.
    Sharing these indicators of compromise and other threat 
intelligence helps defenders team up to prevent potential 
targets from becoming future victims.
    The goal of CISA 15 and a central thrust of U.S. cyber 
policy over the years has been to foster cyber threat info 
sharing to increase real-time situational awareness of the 
threat landscape to improve threat prevention, response, and 
mitigation efforts.
    CISA 15 sought to accomplish this goal by incentivizing and 
making it easier for companies to share threat intelligence, 
both with the Government and with each other, without fear of 
lawsuits or liability, including as related to antitrust, 
information disclosure, or regulatory uses, provided the 
information shared adhered to privacy and civil liberties 
guardrails. It also required DHS to establish an automated 
process for sharing such information at scale.
    After nearly 5 years of debate and negotiation, the CISA 15 
statute realized these goals. It included precisely-scoped 
definitions of the information the bill authorized 
organizations to share and carefully negotiated and calibrated 
liability and privacy protections that balance the competing 
and sometimes conflicting concerns of stakeholders, ranging 
from the intelligence community to privacy advocates.
    As a cyber policy expert and lawyer working on this issue 
at the time, I worked, along with fellow witnesses on this 
panel and many others, to help Congress strike a winning 
balance.
    While it was a messy and sometimes contentious process, 
Congress ultimately reached an effective compromise, and we are 
better off today from a cybersecurity standpoint than we were 
10 years ago.
    The reality today is that organizations are benefiting more 
from cyber threat info sharing than they were before CISA 15 
became law, and they are sharing and receiving via automated 
processes, not via spreadsheets.
    This is not to say that CISA 15 was perfectly designed or 
has been perfectly implemented or that it cannot be improved. 
But with a looming September deadline for CISA 15 
reauthorization, we cannot allow the perfect to be the enemy of 
the good.
    Please do not jeopardize the cybersecurity improvements and 
partnerships that CISA 15 has catalyzed and that many now 
likely take for granted by letting the law lapse if that is the 
price of making changes.
    That said, the tech sector stands ready to work with 
Congress to update and improve upon the cyber threat info-
sharing ecosystem in the United States at any time.
    Three targeted improvements worth considering include, No. 
1, both the threat landscape and technology have changed over 
the past decade. From ransomware and operational technology to 
the explosion of generative AI, technologies and threats 
continue to evolve well beyond 2015 and hackers continue to 
adapt.
    One simple rubric Congress could use in considering changes 
to CISA 15 is to evaluate whether the statute, as written, 
effectively captures the sharing of information necessary to 
combat cyber threats in 2025.
    No. 2, given the rise of software supply chain attacks, I 
encourage Congress to examine whether definitions of terms such 
as cyber threat indicator can be updated to promote the sharing 
of information useful in preventing or mitigating threats to 
the ICT supply chain, such as information related to suspect 
suppliers.
    No. 3, Congress could consider including adjacent 
authorities which also support public-private information 
sharing and partnership, such as the currently suspended 
Critical Infrastructure Partnership Advisory Council, or CIPAC, 
in a future iteration of CISA 15.
    While the administration has indicated it plans to 
reinstate CIPAC authorities in some form, Congress could 
provide certainty by firmly codifying functionally equivalent 
authorities in statute.
    Thank you for the opportunity to testify today. I look 
forward to your questions.
    [The prepared statement of Mr. Miller follows:]
                   Prepared Statement of John Miller
                              May 15, 2025
    Chairman Garbarino, Ranking Member Swalwell, and distinguished 
Members of the Subcommittee on Cybersecurity and Infrastructure 
Protection, thank you for the opportunity to testify today. My name is 
John Miller, senior vice president of policy and general counsel at the 
Information Technology Industry Council (ITI).\1\
---------------------------------------------------------------------------
    \1\ The Information Technology Industry Council (ITI) is the 
premier global advocate for technology, representing the world's most 
innovative companies. Founded in 1916, ITI is an international trade 
association with a team of professionals on 4 continents. We promote 
public policies and industry standards that advance competition and 
innovation worldwide. Our diverse membership and expert staff provide 
policy makers the broadest perspective and thought leadership from 
technology, hardware, software, services, manufacturing, and related 
industries. Visit https://www.itic.org/ to learn more.
---------------------------------------------------------------------------
    ITI represents 80 of the world's leading information and 
communications technology (ICT) companies. We promote innovation 
worldwide, serving as the ICT industry's premier advocate and thought 
leader in the United States and around the globe. ITI's membership 
comprises leading innovative companies from all corners of the 
technology sector, including hardware, software, digital services, 
semiconductor, network equipment, cloud, artificial intelligence (AI), 
cybersecurity, and other internet and technology-enabled companies that 
rely on ICT to evolve their businesses. Our companies service and 
support the global ICT marketplace via complex supply chains in which 
products are developed, made, and assembled in multiple countries, and 
service customers across all levels of government and the full range of 
global industry sectors, including financial services, health care, and 
energy. We, thus, not only acutely understand the importance of 
cybersecurity as a global priority for governments, companies, and 
customers, and critical to our collective security, but our members can 
also attest to the complexities of demonstrating compliance with 
diverging or duplicative regulations in the United States and around 
the world.
    I lead ITI's Trust, Data, and Technology policy team, including our 
work on cybersecurity, supply chain resiliency, privacy, artificial 
intelligence, data, and related policy issues in the United States 
(U.S.) and globally. I have deep experience working on public-private 
initiatives with the Department of Homeland Security (DHS), the 
Cybersecurity and Infrastructure Security Agency (CISA), and other 
Federal agencies. Currently, I serve as the co-chair of the CISA-
sponsored Information and Communications Technology Supply Chain Risk 
Management Task Force (ICT SCRM Task Force) and 
on the Executive Committee of the Information Technology Sector 
Coordinating Council (IT-SCC), the principal IT sector partner to CISA 
on critical infrastructure protection and cybersecurity policy. I have 
also previously served as an industry representative to the Enduring 
Security Framework (ESF), and on multiple National Security and 
Telecommunications Advisory Committee (NSTAC) subcommittees, most 
recently as an appointee to the Subcommittee on Addressing the Misuse 
of Domestic Infrastructure by Foreign Malicious Actors.
                              introduction
    I am honored to testify before you today on an issue that is 
critical to our collective national and cybersecurity, as well as an 
issue of personal interest for me given my long-standing experience as 
an industry representative to many public-private partnerships where 
information sharing is a foundational, core goal. Like the other 
cybersecurity policy and legal experts appearing on this witness panel 
and many others, I spent several years discussing, debating, and 
working with policy makers, as well as industry and civil society 
representatives, on the statute that would ultimately become the 
Cybersecurity Information Sharing Act of 2015 (hereinafter CISA 15). I 
will recount some of those challenges later in my testimony in the 
hopes of illustrating the progress gained from the hard-won compromises 
that led CISA 15 to become a cornerstone of the modern cyber threat 
information sharing ecosystem.
    Over the last decade, CISA 15 has strengthened America's cyber 
defenses by incentivizing and facilitating the sharing of cyber threat 
information. Any lapse of CISA 15 would create significant uncertainty, 
weaken the U.S. cybersecurity posture, and undermine a decade of 
progress in building trust between national security, law enforcement, 
critical infrastructure owners and operators, and others in industry. 
It is axiomatic that in cybersecurity, no single company or agency has 
a complete picture of the threat; it is, thus, the real-time 
aggregation of threat intelligence from many sources that allows us to 
detect, counter, or mitigate new attacks before they spread.
    A failure to renew CISA 15 could be interpreted by malicious actors 
as the United States ``dropping its guard'' and would be an unforced 
error in a dangerous and evolving moment of cyber risk for the United 
States. The lapse of CISA 15 would remove the legal protections 
underlying the trust mechanisms and relationships that underpin the 
cyber threat information sharing that is fundamental to our collective 
cyber defense. The one guarantee of a lapse in the CISA 15 authority is 
that attackers would be in a better position to capitalize on any 
resulting confusion and uncertainty caused by a lapse in CISA 15.
    I urge Congress to act swiftly to reauthorize the Cybersecurity 
Information Sharing Act of 2015 and preserve an authority that is 
foundational to many collaborative cybersecurity activities in the 
United States.
                         how cisa 15 became law
    Prior to the passage of CISA 15, cyber threats were escalating at 
an alarming rate. Meanwhile, legal uncertainty often constrained the 
ability of incident responders to communicate with one another. Many 
companies feared that sharing indicators of compromise, technical 
information on vulnerabilities, defensive measures, or other 
cybersecurity information could violate privacy laws, antitrust or 
disclosure rules, or create regulatory exposure. In short, the legal 
uncertainties surrounding private-sector cyber threat information 
sharing created a chilling effect that constrained some companies from 
sharing threat data and intelligence that could prevent or mitigate 
potential targets from becoming victims.
    The pre-CISA 15 era was marked by strong consensus among 
cybersecurity professionals, industry stakeholders, and policy makers 
in both Congress and the Executive branch that something needed to be 
done to improve the threat information-sharing ecosystem in the United 
States. However, that shared recognition of the problem did not quickly 
result in passage of the much-needed law. Finding agreement on cyber 
threat information-sharing policy among national security, law 
enforcement, and homeland security stakeholders was a challenge unto 
itself. The challenge was only exacerbated when balancing those 
equities against the interests of a wide array of stakeholders across 
industry and the privacy and civil liberties communities.
A. CISPA and Privacy Concerns
    The push for cybersecurity information-sharing legislation began in 
earnest around 2011.\2\ The first major legislative effort, the Cyber 
Intelligence Sharing and Protection Act (CISPA), had broad bipartisan 
support with 111 Republican and Democratic co-sponsors in the House.\3\ 
The bill stalled in the Senate after President Obama threatened to veto 
the bill arguing that ``the law repeals important provisions of 
electronic surveillance law without instituting corresponding privacy, 
confidentiality, and civil liberties safeguards.''\4\
---------------------------------------------------------------------------
    \2\ In May 2011, the administration unveiled a legislative 
proposal. The proposal contained problematic regulatory elements, which 
the administration later abandoned when it issued EO 13636. However, 
the commitment to incentivizing greater information sharing was a 
bipartisan, public-private constant at this time, from all quarters--
admin, Congress, and industry. Howard A. Schmidt, The Administration 
Unveils its Cybersecurity Legislative Proposal, The White House, posted 
May 12, 2011, available at https://obamawhitehouse.archives.gov/blog/
2011/05/12/administration-unveils-its-cybersecurity-legislative-
proposal.
    \3\ Cyber Intelligence Sharing and Protection Act of 2011, H.R. 
3523, H.Rept. 112-445. 112th Congress, available at https://
www.congress.gov/bill/112th-congress/house-bill/3523.
    \4\ Cybersecurity bill CISPA passes US House, bbc.com, posted April 
27, 2012, available at https://www.bbc.com/news/world-us-canada-
17864539.
---------------------------------------------------------------------------
    The tech sector strongly supported the concept of voluntary 
information sharing and argued it could and should be done in a way 
that protected privacy. In April 2012, ITI helped organize a coalition 
of major technology associations to urge Congress to move forward with 
a ``balanced threat information-sharing system'' as part of a national 
cybersecurity strategy.\5\ We emphasized that cybersecurity was not a 
partisan issue and that ``from the perspective of America's major 
innovators, there is no Republican cybersecurity or Democratic 
cybersecurity. There is only American cybersecurity, where urgent 
action is needed.''
---------------------------------------------------------------------------
    \5\ Tech Sector Unites Behind Cybersecurity Plan, ITI Press 
Release, dated April 18, 2012, available at https://itic.genb.pro/news-
events/news-releases/tech-sector-unites-behind-cybersecurity-plan.
---------------------------------------------------------------------------
    While proponents of CISPA argued that information sharing would 
help stem the ``hemorrhaging'' of U.S. company data to China and 
Russia, privacy and civil liberty groups raised legitimate concerns 
that the new authorities could be used for ``nefarious purpose[s].''\6\ 
Civil liberties groups feared that information sharing might become a 
back door for Government surveillance, funneling personal data to 
intelligence agencies. ITI recognized early on that those concerns were 
not without merit and advocated that trust had to be built into any 
information-sharing framework by safeguarding privacy and civil 
liberties. We actively engaged with privacy advocates to help find 
common ground, and publicly lauded the efforts of CISPA's sponsors to 
work with groups like the Center for Democracy and Technology (CDT) to 
make sure that important privacy safeguards were included in any 
information-sharing bill. When CDT announced it would not oppose 
CISPA's progress after key changes, ITI praised the ``constructive 
dialog between bill sponsors and privacy groups'' that improved the 
bill and helped ``balance privacy concerns.''\7\
---------------------------------------------------------------------------
    \6\ Hayley Tsukayama, CISPA: Who's for it, who's against it and how 
it could affect you, The Washington Post, dated April 27, 2012, 
available at https://www.washingtonpost.com/business/technology/cispa-
whos-for-it-whos-against-it-and-how-it-could-affect-you/2012/04/27/
gIQA5ur0lT_story.html.
    \7\ ITI Applauds Privacy Agreement between CISPA Sponsors and CDT, 
ITI Press Release, dated April 24, 2012, available at https://
www.itic.org/news-events/news-releases/iti-applauds-privacy-agreement-
between-cispa-sponsors-and-cdt.
---------------------------------------------------------------------------
B. Cybersecurity Act of 2012 and Passage of CISA 15
    The House did pass an information-sharing bill in 2012 but the 
leading comprehensive, bipartisan Senate bill, the Cybersecurity Act of 
2012 (S. 3414) failed to overcome a filibuster.\8\ Opposition to the 
Senate bill was due in part to a lack of consensus on how to craft a 
balanced legal regime for information sharing. Nonetheless, information 
sharing was the constant element with bipartisan support across 
legislative efforts and proposals from the Obama administration.
---------------------------------------------------------------------------
    \8\ Michael S. Schmidt, Cybersecurity Bill Is Blocked in Senate by 
G.O.P. Filibuster, The New York Times, dated August 2, 2012, available 
at https://www.nytimes.com/2012/08/03/us/politics/cybersecurity-bill-
blocked-by-gop-filibuster.html.
---------------------------------------------------------------------------
    The next few years saw both progress and new challenges. Cyber 
attacks on U.S. companies and Government agencies continued unabated, 
keeping pressure on lawmakers to act. President Obama, via multiple 
Executive Orders, encouraged voluntary information sharing.\9\ But 
Congress needed to legislate to address removing the real and perceived 
legal barriers so as to incentivize increased information sharing. By 
mid-2013, revelations about U.S. Government surveillance programs had 
come to light, eroding trust in sharing information with Government 
more broadly. Many in the public and Congress became wary of any bill 
that might inadvertently expand intelligence agencies' access to 
private data.
---------------------------------------------------------------------------
    \9\ President Obama Signs Executive Order on Cybersecurity 
Information Sharing, hunton.com, posted February 17, 2015, available at 
https://www.hunton.com/privacy-and-information-security-law/president-
obama-signs-executive-order-cybersecurity-information-sharing. See 
Executive Order 13636, February 12, 2013, available at https://
obamawhitehouse.archives.gov/the-press-office/2013/02/12/executive-
order-improving-critical-infrastructure-cybersecurity and Executive 
Order 13691, February 13, 2015, available at https://
obamawhitehouse.archives.gov/the-press-office/2015/02/13/executive-
order-promoting-private-sector-cybersecurity-information-shari.
---------------------------------------------------------------------------
    To address these concerns, one of the core principles ITI pushed 
for was to channel information sharing through a civilian agency--
specifically, the Department of Homeland Security (DHS)--rather than 
directly to intelligence agencies. In ITI's view, having DHS serve as 
the ``civilian interface'' for the program would help reassure the 
public that information was not simply feeding into a black box at the 
National Security Agency (NSA). By 2014, this concept had gained 
traction as the 113th Congress drew to a close. To further bolster the 
privacy protections in the bill, ITI also pressed for provisions to 
ensure that any shared data would be ``anonymized'' or stripped of 
personal information to the extent possible prior to sharing. The goal 
was to share threat indicators (like malicious IP addresses, signatures 
of malware, etc.), not personal information about individuals.
    The 114th Congress took up the effort with fresh urgency, partly 
spurred by high-profile breaches like the massive OPM Federal data 
breach in mid-2015. Throughout 2015, as the bill advanced, ITI 
advocated for key provisions that we believed would make the 
information-sharing framework both effective and responsible--notably 
voluntary participation, multi-directional sharing (private-to-
Government, Government-to-private, and private-to-private sharing), and 
protecting privacy through data minimization.\10\
---------------------------------------------------------------------------
    \10\ Id.
---------------------------------------------------------------------------
    The result was a bill that addressed the private sector's needs to 
incentivize greater sharing (by providing liability protections and 
clarity that it was lawful for the private sector to share data) while 
building in the privacy safeguards and civilian government oversight 
that many stakeholders demanded. By late 2015, a bipartisan consensus 
had finally coalesced around this balanced approach. CISA 15 was passed 
by the Senate with strong bipartisan support and was ultimately enacted 
in the year-end omnibus funding bill.
    One key takeaway relevant to today's hearing is this: even in the 
face of an urgent need and rising threats, it took half a decade of 
work to finally enact an information-sharing law. Along the way, 
Congress and other stakeholders had to navigate legitimate concerns 
about privacy and the role of intelligence agencies, amongst others. 
Since its passage, CISA 15 has become a cornerstone legal authority 
that underpins a multitude of information-sharing organizations, 
forums, and activities both within the private sector and between the 
private sector and the public sector.
    While privacy concerns were constantly at the forefront of the 
cybersecurity information-sharing conversation in the years leading up 
to CISA 15, looking back we can see that the carefully negotiated and 
constructed privacy provisions \11\ have proven effective. DHS's \12\ and 
the intelligence community's \13\ Inspectors General both investigated 
the CISA 15 program in 2023 and 2024 and found no evidence of adverse 
privacy and civil liberty effects of the law. The fact is that zero 
reported incidents regarding leakage of personal data over the course 
of nearly 10 years provide convincing evidence to demonstrate the 
effectiveness of the statute's privacy safeguards.
---------------------------------------------------------------------------
    \11\ U.S. Department of Homeland Security and U.S. Department of 
Justice, Privacy and Civil Liberties Final Guidelines: Cybersecurity 
Information Sharing Act of 2015, dated April 2025, available at https://
www.cisa.gov/sites/default/files/2025-04/CISA%202015%20PCL%20Final%20-
Guidelines%20Periodic%20Review%20%28April%202025%29%20Final-508.pdf.
    \12\ U.S. Department of Homeland Security Office of Inspector 
General, CISA Faces Challenges Sharing Cyber Threat Information as 
Required by the Cybersecurity Act of 2015, dated September 25, 2024, 
available at https://www.oig.dhs.gov/sites/default/files/assets/2024-
09/OIG-24-60-Sep24.pdf.
    \13\ Office of the Inspector General of the Intelligence Community, 
Joint Report on the Implementation of the Cybersecurity Information 
Sharing Act of 2015, dated December 12, 2023, available at https://
www.oversight.gov/sites/default/files/documents/reports/2024-01/Joint-
Report-Implementation-Cybersecurity-Information-Sharing-Act-2015AUD-
2023-002Unclassified.pdf.
---------------------------------------------------------------------------
How CISA 15 Enables Information Sharing and What's at Stake if Congress 
        Does Not Act
    Since its enactment, CISA 15 has meaningfully improved the capacity 
and speed with which we can respond to cyber incidents while 
establishing clear expectations for privacy and confidentiality. CISA 
15 helped foster and expand a vast network of cyber information-sharing 
organizations at the Federal, State, and local levels, in addition to 
28 Information Sharing and Analysis Centers (ISACs) for specific 
industry sectors.\14\ ISACs serve as trusted entities to exchange and 
share cyber and physical threat information, allowing for sector-wide 
situational awareness, 24/7 threat warnings, incident reporting, and 
response.\15\ ISACs also share with each other, including through the 
National Council of ISACs and directly with each other to facilitate 
and coordinate cross-sector sharing and collaboration. The Multi-State 
ISAC additionally facilitates sharing and collaboration amongst State, 
local, Tribal, and territorial government entities. This network of 
ISACs, and other Information Sharing and Analysis Organizations 
(ISAOs), non-governmental organizations, and security operations 
centers does more than improve visibility into hackers' activities. 
These networked entities enhance our ability to mitigate risks, conduct 
threat-hunting activities, and close technical vulnerabilities.
---------------------------------------------------------------------------
    \14\ National Council of ISACs website, last visited May 12, 2025, 
https://www.nationalisacs.org/. ``Formed in 2003, the [National Council 
of ISACs (NCI)] today comprises 28 organizations. It is a coordinating 
body designed to maximize information flow across the private-sector 
critical infrastructures and with Government. Critical infrastructure 
sectors and subsectors that do not have ISACs are invited to contact 
the NCI to learn how they can participate in NCI activities.''
    \15\ Id.
---------------------------------------------------------------------------
    Relatedly, I understand there has been criticism of the Automated 
Indicator Sharing (AIS) program authorized by CISA 15, specifically for 
the apparent decrease in participants and volume of threat indicators 
shared through the platform. However, such criticisms overlook the fact 
that back in 2015, widespread automated sharing of threat indicators 
at scale was an aspiration that CISA 2015 helped turn into a reality. 
As Scott Algeier, executive director of the IT-ISAC, recently argued, 
``While measuring the number of companies directly sharing is 
interesting, it doesn't necessarily reflect how the industry shares 
information. Thousands of companies belong to ISACs, including the IT-
ISAC and many of our peers in the National Council of ISACs who 
participate in the DHS AIS program. Leveraging the ISACs and our 
collective member companies provides scale for DHS to share with 
thousands of companies. Any assessment of industry's participation 
should include the thousands of companies who participate through 
ISACs.''\16\ The fact is that AIS as envisioned by CISA 15 laid the 
groundwork for countless public and private organizations to share 
automated indicators at scale, and there now exist a multitude of 
forums and venues to conduct threat sharing that did not exist in 2015 
and are reliant upon the protections and mechanisms established by CISA 
15.\17\
---------------------------------------------------------------------------
    \16\ Scott Algeier, A Decade of CISA 2015: Reviewing its 
Effectiveness, IT-ISAC Blog, posted May 12, 2025, available at https://
www.it-isac.org/post/a-decade-of-cisa-2015-reviewing-its-effectiveness.
    \17\ Id.
---------------------------------------------------------------------------
    Equally important, the law's antitrust exemption and associated 
protections, such as protections from Freedom of Information Act (FOIA) 
disclosure and regulatory use, have facilitated broader cyber 
information sharing between private-sector organizations and set the 
stage for expanding non-governmental cyber-threat-sharing 
organizations. As discussed above, legal ambiguities in privacy and 
antitrust law and potential regulatory exposure chilled the sharing of 
cyber threat information prior to the passage of CISA 15. These 
protections removed those legal barriers to incentivize increased 
sharing and spurred the modern information-sharing ecosystem to grow 
over the last 10 years.
    A lapse in CISA 15 liability protections would remove the legal 
scaffolding that Federal, State, and local governments and private-
sector entities rely on to conduct many of their day-to-day 
cybersecurity operations. Below, I outline 3 categories of consequences 
that such a lapse would have, both legally and operationally, for our 
Nation's cybersecurity.
   Chilling of Threat Information Sharing.--Companies would 
        lose the liability protections and safe harbors from antitrust 
        rules and regulatory use that currently encourage them to share 
        cyber threat indicators and defensive measures. Without these 
        assurances and the business certainty, stability, and 
        predictability they provide, many organizations will likely, 
        and understandably, become more reluctant to share sensitive 
        threat information due to concerns regarding potential negative 
        legal and regulatory consequences.
   Loss of Real-Time Visibility and Early Warnings for State, 
        Local, and Federal Government.--Government entities--including 
        DHS, law enforcement, and the intelligence community, as well 
        as State, local, Tribal, and territorial government entities--
        would likely begin to lose access to a great volume of 
        voluntarily shared threat intelligence from private-sector 
        partners. Indeed, the CISA 15 framework is now fundamental to 
        how industry and agencies collaborate and work together when 
        cyber incidents arise. Key examples include critical 
        infrastructure sectors from finance to energy which have 
        expanded their role and reach since the passage of CISA 15. The 
        law also enabled DHS/CISA to establish the Joint Cyber 
        Defense Collaborative (JCDC),\18\ which facilitates real-time 
        sharing of threat alerts and coordinated operational 
        collaboration and response planning among public and private 
        partners.
---------------------------------------------------------------------------
    \18\ CISA website, last visited May 13, 2025, https://www.cisa.gov/
topics/partnerships-and-collaboration/joint-cyber-defense-
collaborative/jcdc-faqs.
---------------------------------------------------------------------------
   Undermining Trust and Deterrence.--A lapse of CISA 15 would 
        signal a broader retreat from coordinated defense. This 
        includes the trust that non-Government entities have formed 
        with CISA as the responsible facilitator of cyber information 
        sharing activities in a way that protects privacy, focuses on 
        security over regulatory use, and advances the Government's 
        cybersecurity mission. Sending a message of retreat to threat 
        actors, including foreign adversaries, could have even more 
        troubling consequences.
A. Other Cybersecurity Authorities and Activities Would Be Harmed by a 
        Lapse of CISA 15
    A lapse in CISA 15 would also undermine the effectiveness of 
multiple related laws and programs created since 2015. For example, the 
liability protections in CISA 15 were incorporated by reference into 
other significant cyber laws, such as the Cyber Incident Reporting for 
Critical Infrastructure Act (CIRCIA). Similarly, information sharing 
and operational programs and initiatives across various levels of 
government have relied on CISA 15 authorities as a basis on which to 
build out their own cybersecurity programs. Barring any successor 
agreements, these programs and initiatives might be weakened or forced 
to temporarily suspend operations if CISA 15 were allowed to lapse.
    CISA 15 also covers information sharing with a ``non-Federal 
entity'' to include State, Tribal, or local governments, as well as 
their departments or components. This terminology means that State-run 
cybersecurity organizations, such as the New York Joint Security 
Operations Center (JSOC) or the California Cybersecurity Integration 
Center (Cal-CSIC), also rely upon the protections in CISA 15 and would 
likely lose information from their private-sector partners if CISA 15 
were to lapse.
    Finally, CISA 15 contributed to the sustained growth of additional 
platforms and automated information-sharing standards. Specifically, 
the Open Threat Exchange (OTX), a crowd-sourced cybersecurity platform 
initiated by AlienVault (now AT&T Cybersecurity), has seen substantial 
growth. According to the latest reports, OTX boasts over 180,000 
participants across 140 countries, sharing more than 19 million 
potential threats daily. CISA 15 provided a key impetus to help push 
the adoption of standardized formats for the automated sharing of such 
cyber threat information. Specifically, section 105(c)(1) of CISA 15 
required DHS to develop a ``capability and process'' to share threat 
indicators in an automated manner, catalyzing the uptake of the 
Structured Threat Information Expression (STIX) and the Trusted 
Automated Exchange of Intelligence Information (TAXII). Studies have 
shown a steady increase in the volume of STIX data shared among 
organizations in recent years \19\ which suggests the continued 
utilization and need for automated information sharing.
---------------------------------------------------------------------------
    \19\ Jin et al., Sharing cyber threat intelligence: Does it really 
help? Network and Distributed System Security (NDSS) Symposium, January 
2024, available at https://www.ndss-symposium.org/ndss-paper/sharing-
cyber-threat-intelligence-does-it-really-help/.
---------------------------------------------------------------------------
             evolving threats and the technology landscape
    Private-sector cyber defenders, including those from critical 
infrastructure entities, are regularly targeted by threat actors. Since 
the enactment of the CISA 15, the threat landscape has continued to 
evolve alongside significant technology innovation.
    For example, AI has become a ubiquitous feature of IT applications, 
offerings, and services transforming various aspects of cybersecurity. 
AI is being used to enhance threat detection and response capabilities, 
but it is also being leveraged by malicious actors to conduct more 
sophisticated attacks. Experts note that with the advent of advanced AI 
models, we face novel risks like adversarial AI manipulation (tricking 
algorithms through malicious inputs), data poisoning (corrupting the 
training data of AI systems), and prompt injection exploits--challenges 
that our current cybersecurity approaches were not designed to 
handle.\20\ While such AI-specific attacks are still emerging, their 
potential impact is serious and highlights how our defensive strategies 
(and the laws governing them) may need to adapt to keep pace with 
technological change.
---------------------------------------------------------------------------
    \20\ ITI's AI Security Policy Principles, dated October 2024, 
available at https://www.itic.org/documents/artificial-intelligence/
ITI_AI-Security-Principles_102124_FINAL.pdf#:~:text=
However%2C%20threats%20unique%20to%20AI,systems%20has%20been%20'steadily
%20increasing.
---------------------------------------------------------------------------
    Additionally, the convergence of Information Technology (IT) and 
Operational Technology (OT) systems has introduced new complexities and 
vulnerabilities. This integration aims to improve operational 
efficiency but also expands the attack surface, making it crucial to 
manage a broader landscape of cybersecurity risks effectively.
    New categories of attacks have emerged since Congress passed CISA 
15 as malicious actors continuously seek new attack vectors. Ransomware 
attacks have become increasingly prevalent, causing significant 
disruptions and financial losses. These attacks are striking ever more 
critical targets--governments, hospital systems, pipelines--with 
increasingly dire consequences.\21\ Software supply chain attacks such 
as SolarWinds have also gained prominence, targeting vulnerabilities in 
third-party software components to compromise entire systems.
---------------------------------------------------------------------------
    \21\ Threat Evaluation Working Group, Supplier, Products, and 
Services Threat Evaluation, Information and Communications Technology 
Supply Chain Risk Management Task Force, July 2021, available at 
https://www.cisa.gov/sites/default/files/publications/ict-scrm-task-
force-threat-scenarios-report-
v3.pdf#:~:text=The%20impacts%20of%20ransomware%20attacks,
Another%20recently.
---------------------------------------------------------------------------
    We have a better understanding of these new threats and 
patterns thanks to a combination of pre- and post-incident information 
sharing enabled by CISA 15. Defenders depend on threat indicator 
sharing to strengthen their defenses and protect their customers' data. 
Information sharing alone cannot be the solution, but it is undoubtedly 
a critical component of our collective response to the evolving threat 
landscape, and it is fair to ask whether CISA 15 adequately accounts 
for the sharing of threat information related to all of these 
technological advances.
                            recommendations
    Given the importance of CISA 15 authorities to our national cyber 
defense, Congress' first and most important job this year is the 
reauthorization of the existing law before it lapses in September. 
Given recent cybersecurity incidents, notably the Salt Typhoon campaign 
against U.S. telecommunications companies, Congress should examine how 
to improve our Nation's digital defenses. The technology sector looks 
forward to partnering with policy makers to improve all areas of our 
cybersecurity posture, including improvements to CISA 15. The 
improvements cannot come at the expense of the existing cyber 
activities that rely on CISA 15 authorities. Any lapse to CISA 15's 
liability protections could have real and immediate negative 
consequences that put all American organizations at greater risk.
    There are ways in which Congress could improve the information-
sharing ecosystem spurred by CISA 15. These include updating the scope 
of covered cyber threat indicators to match the modern threat 
environment, exploring ways to support offensive cyber capabilities, 
and considering the intersection of CISA 15 authorities with other laws 
and authorities. I will cover each of these recommendations below.
1. Modernize Terms to Match Threats and Technology
    Given the ever-improving and evolving nature of technology and of 
hacker behaviors and capabilities, Congress should consider updating 
the scope of CISA 15 to align with modern threats, indicators, and 
defensive measures. Specifically, Congress should consider whether and 
how to refine the definition of ``cyber threat indicator,''\22\ to 
ensure that CISA 15 is operative and applicable to cover the current 
landscape of threats, vulnerabilities, and malicious activities. 
Additional indicators may be appropriate to include, especially those 
related to supply chain exploits and risk information,\23\ ransomware, 
or fraud. Similarly, AI-related threats may be worth considering such 
as those related to training data anomalies, evasion logs, prompt 
injections, or malicious prompt patterns.
---------------------------------------------------------------------------
    \22\ Sec. 102. Definitions. (6) available at https://www.cisa.gov/
sites/default/files/publications/
Cybersecurity%2520Information%2520Sharing%2520Act%2520of%25202015.pdf.
    \23\ CISA website, last visited May 13, 2025, available at https://
www.cisa.gov/resources-tools/groups/ict-supply-chain-risk-management-
task-force.
---------------------------------------------------------------------------
    For example, CISA 15 defines a ``cybersecurity threat'' primarily 
as an action ``on or through an information system'' that may harm the 
security or data of that information system.\24\ This framing made 
sense at the time but might not explicitly encompass threats that 
exploit machine-learning models in the cloud, corrupt software 
components before they ever reach a victim's network, or target IoT and 
OT devices that fall outside the classic notion of an IT system. 
Updating the terminology of CISA 15 to encompass AI-driven exploits, 
ransomware operations, software supply chain compromises, and OT 
attacks, among other attack vectors, will remove doubt and friction in 
our information-sharing efforts.
---------------------------------------------------------------------------
    \24\ Megan Brown, Jacqueline Brow, and Sydney White, CISA 15 
Reauthorization--Are Changes on the Horizon? Wiley Connect Blog, posted 
March 3, 2025, available at https://www.wileyconnect.com/CISA-2015-
Reauthorization-Are-Changes-on-the-Horizon#:~:text=%E2%
80%9CCybersecurity%20threat%E2%80%9D%20is%20defined%20under,be%20'scoped
%20more%20broadly%20or.
---------------------------------------------------------------------------
2. Information Sharing for Effect--Degrading Threat Actor 
        Infrastructure & the JCDC
    It is important to underscore the limits of sharing information 
about cybersecurity vulnerabilities, threat actor behaviors, and other 
intelligence. If policy makers are concerned about how best to 
structure the Federal cybersecurity enterprise to degrade hackers' 
ability to conduct attacks, I recommend evaluating the current 
functions of the Joint Cyber Defense Collaborative (JCDC).
    The best version, and stated intent, of the JCDC is to serve as a 
forum for real-time, joint cyber defense operational planning and 
response. A public-private collaborative approach is essential to 
countering advanced persistent threat (APT) actors which are backed by 
nation-state resources, access to talent, and technical capabilities. 
The work of the JCDC builds upon and evolves CISA 15, though the 
program remains only a few years old and could benefit from 
Congressional direction and oversight.
    Combatting sophisticated APT level groups will require a different 
strategy than promoting basic cyber hygiene policies which, if 
effectively implemented, can combat the vast majority of cyber 
criminals but not the most sophisticated threat actors. A deeper 
public-private collaboration is needed to leverage the authorities and 
capabilities of a multitude of Federal agencies from Homeland Security 
and Law Enforcement in concert with the private-sector companies--
including tech, telecom, and cybersecurity firms--who have visibility 
into the targets APTs are looking to compromise.
    ITI appreciates committee Members' interest in JCDC legislation and 
provided feedback to the committee on Ranking Member Swalwell's 
legislative proposal last Congress. At a high level, additional 
governance structures and processes at the JCDC are important to make 
participants co-equal partners in the center's activities. A well-
defined strategy for the JCDC, transparency through a charter for the 
JCDC, and regular reporting requirements would all benefit the JCDC's 
mission of evolving information sharing into a collaborative planning 
body.
3. Protect Related Information-Sharing Partnerships and Forums for 
        Collaboration
    The currently-suspended Critical Infrastructure Partnership 
Advisory Council (CIPAC) provided a protected forum and set of umbrella 
authorities enabling private-sector and Federal agencies to exchange 
threat intelligence, craft cybersecurity policies, and discuss and make 
recommendations to address risks to critical infrastructure. CIPAC 
created trust among numerous public-private partnerships by providing a 
protected channel controlling how shared information could be used and 
disseminated, exempt from the Federal Advisory Committee Act's 
requirements.
    Examples of partnerships impacted by the suspension of CIPAC 
include the Sector Coordinating Councils (SCCs), the Enduring Security 
Framework (ESF) and the Information and Communications Technology 
Supply Chain Risk Management (ICT SCRM) Task Force. The SCCs are 
independent, self-governed bodies composed of private-sector entities 
that own, operate, and secure the Nation's critical infrastructure. The 
SCCs leveraged CIPAC to provide advice and guidance to collectively 
address the most pressing security challenges facing our country. ESF 
is a cross-sector working group that operates under the auspices of 
CIPAC to address threats and risks to the security and stability of 
U.S. National Security Systems and critical infrastructure by bringing 
together the public and private sectors to work on intelligence-driven 
cyber challenges. The ICT SCRM Task Force is a public-private 
partnership established by DHS in 2018 in concert with the IT and 
Communications SCCs as another cross-sector CIPAC-chartered working 
group whose work is becoming increasingly critical as adversaries scale 
efforts to disrupt the supply chains underpinning the digital economy. 
While Secretary Noem has publicly announced plans to reinstate CIPAC 
authorities in some form, Congress could provide greater certainty by 
firmly codifying functionally equivalent authorities in statute.
                               conclusion
    The legal framework established by CISA 15 is a critical foundation 
for the effective functioning of cyber threat information sharing 
between the public and private sector, for Federal, State, and local 
governments and among industry sectors. Any lapse in these authorities 
will likely disrupt critical information-sharing activities nationwide, 
significantly weaken our cybersecurity defenses, and provide malicious 
actors with new opportunities to exploit vulnerabilities. It is 
imperative that Congress prioritize the reauthorization of CISA 15 
ahead of its sunset date in September. We strongly recommend a clean 
extension to ensure continuity, with any improvements to the important 
protections in existing law to be addressed in future legislation.
    Thank you for the opportunity to testify today. I look forward to 
your questions.

    Mr. Garbarino. Thank you, Mr. Miller.
    I now recognize Ms. Rinaldo for 5 minutes to summarize her 
opening statement.

          STATEMENT OF DIANE RINALDO, PRIVATE CITIZEN

    Ms. Rinaldo. Thank you.
    Chairman Garbarino, Ranking Member Swalwell, Members of the 
committee, thank you for the opportunity to appear before you 
today.
    My name is Diane Rinaldo, and by way of background, I 
worked on the Cybersecurity Information Sharing Act from its 
inception to passage into law as a staff member on the House 
Permanent Select Committee on Intelligence. I am grateful to 
speak to the urgent need for its reauthorization.
    This act remains a critical legislative framework that has 
enabled meaningful cooperation between the public and private 
sectors, yet the threat environment has grown dramatically more 
complex and our approach must evolve accordingly.
    When the original legislation was drafted in 2012, growing 
concerns about the frequency and sophistication of cyber 
attacks were already taking shape. In hindsight, those early 
warnings significantly underestimated the scale and complexity 
of today's threat landscape.
    Over the past decade, threat actors have become more 
capable and emboldened, outpacing both legislative safeguards 
and defensive technologies. High-profile attacks, such as Salt 
Typhoon and incursions on the U.S. Government, have made it 
abundantly clear: No sector, private or public, is immune.
    At the heart of the legislation and what remains just as 
urgent today is China's unrelenting assault on the U.S. economy 
through cyber-enabled espionage. Chinese cyber hacking stands 
out as one of the most strategically dangerous and persistent 
threats to national security.
    For over a decade, state-sponsored actors have conducted a 
sweeping and coordinated cyber espionage campaign targeting 
U.S. companies, research institutions, and Government agencies. 
These operations have resulted in the theft of massive troves 
of intellectual property and trade secrets.
    This is not random or opportunistic. It's a deliberate 
strategy to fuel China's economic and military ambitions, with 
cyber capability serving as a core instrument of statecraft and 
industrial policy.
    In this evolving threat environment, the need for real-time 
bidirectional information sharing between Government and 
industry has never been more critical.
    The Cyber Information Sharing Act laid the foundation for 
improved collaboration between Government agencies and the 
private sector by creating a legal framework for voluntary 
information sharing. It offered liability protections to 
encourage private-sector companies to share threat indicators 
and defensive measures with the Federal Government and business 
to business.
    Our thought was simple: See something, say something.
    That framework helped normalize and destigmatize cyber 
threat information sharing across industry.
    The Department of Homeland Security's Automated Indicator 
Sharing program and the role of ISACs are a direct result and 
outgrowth of this legislation.
    This legislation was the product of 4 years of intensive 
effort, including more than 100 meetings with stakeholders, 
ranging from Fortune 100 companies to small and medium-sized 
businesses, privacy advocates, and academic institutions.
    It also reflected countless consultations with Government 
agencies and underwent 3 major rewrites based on the feedback 
that we received.
    From the outset, the committee recognized the critical need 
to strike the right balance between privacy and security. With 
so much at stake, we knew we had to get it right.
    However, while the law was forward-thinking at the time, 
the pace of technological change and the growing complexity of 
cyber threats have outpaced some of its provisions. Despite 
progress, some gaps still remain: limited participation, speed 
and relevance of information, lack of bidirectional flow, 
inconsistent standards, and a trust deficit.
    Reauthorizing information sharing gives Congress the 
opportunity to strengthen and scale its original vision. To 
strengthen national security, Congress should expand and 
clarify liability protections to encourage broader information 
sharing.
    Additionally, Federal agencies, such as CISA, must be 
required, not merely allowed, to share timely, relevant, and 
declassified intelligence with the private sector. Trust and 
engagement improve significantly when companies see tangible 
reciprocity.
    Cybersecurity is no longer a technical issue; it's a 
national security imperative that requires whole-of-nation 
coordination. No single company, agency, or State can defend 
against these threats alone. The adversaries we face, whether 
criminal networks or foreign governments, exploit our silos. We 
must instead leverage our strengths: diversity of talent, 
innovation, and democratic collaboration.
    In closing, I urge the committee to quickly reauthorize 
this critical function. Let us affirm the importance of 
information sharing, strengthen the incentives and protections 
for participants, and build the trusted, interoperable, and 
actionable threat ecosystem our future demands.
    Thank you, and I look forward to your questions.
    [The prepared statement of Ms. Rinaldo follows:]
                  Prepared Statement of Diane Rinaldo
                              May 15, 2025
    Chairman Garbarino, Ranking Member Swalwell, and Members of the 
subcommittee: Thank you for the opportunity to appear before you today. 
As someone who was closely involved in the development and passage of 
the Cybersecurity Act of 2015, I am grateful to speak to the urgent 
need for its reauthorization and modernization. This Act, which 
included the Cybersecurity Information Sharing Act (CISA) remains a 
critical legislative framework that has enabled meaningful cooperation 
between the public and private sectors. Yet the threat environment has 
grown dramatically more complex--and our approach must evolve 
accordingly.
                   the growing cyber threat landscape
    When the original legislation was drafted in 2012, growing concerns 
about the frequency and sophistication of cyber attacks were already 
taking shape. In hindsight, those early warnings significantly 
underestimated the scale and complexity of today's cyber threat 
landscape. Over the past decade, threat actors have become more capable 
and emboldened, exploiting zero-day vulnerabilities, bypassing multi-
factor authentication, compromising third-party vendors, and outpacing 
both legislative safeguards and defensive technologies. High-profile 
attacks--from the SolarWinds breach to the Colonial Pipeline ransomware 
incident, from Salt Typhoon to incursions targeting the Office of the 
Comptroller of the Currency--have made it abundantly clear: no sector, 
public or private, is immune.
    Today, cyber threats are not only more pervasive but also more 
destructive. Ransomware, state-sponsored espionage, supply chain 
infiltration, and AI-driven attack vectors now pose existential risks 
to critical infrastructure, national security, and economic stability.
    The proliferation of artificial intelligence promises to 
supercharge this already volatile landscape. AI enables the creation of 
life-like audio and imagery, more convincing spear-phishing campaigns, 
and advanced social engineering tactics. Large language models allow 
adversaries to write malware and exploit code at unprecedented speed 
and scale, lowering the technical barriers for would-be attackers. 
State-backed intelligence and military units are now leveraging these 
tools to target critical infrastructure, enhance surveillance 
capabilities, and support offensive cyber operations.
    At the heart of the legislation--and what remains just as urgent 
today--is China's unrelenting assault on the U.S. economy through 
cyber-enabled espionage. Chinese cyber hacking stands out as one of the 
most strategically dangerous and persistent threats to national 
security. For over a decade, state-sponsored actors tied to the 
People's Liberation Army and China's Ministry of State Security have 
conducted a sweeping and coordinated cyber-espionage campaign targeting 
U.S. companies, research institutions, and Government agencies. These 
operations have resulted in the theft of massive troves of intellectual 
property, trade secrets, source code, and sensitive defense 
technologies. This is not random or opportunistic--it is a deliberate 
strategy to fuel China's economic and military ambitions, with cyber 
capabilities serving as a core instrument of statecraft and industrial 
policy.
    In this evolving threat environment, the need for real-time, 
bidirectional information sharing between Government and industry has 
never been more critical.
              the legacy of the cybersecurity act of 2015
    The Cybersecurity Information Sharing Act laid the foundation for 
improved collaboration between Government agencies and private entities by 
creating a legal framework for voluntary information sharing. It 
offered liability protections to encourage private companies to share 
threat indicators and defensive measures with the Federal Government 
and, most importantly, business to business. Our thought was simple: 
see something, say something.
    That framework helped normalize, and de-stigmatize, cyber threat 
information sharing across industries. The Department of Homeland 
Security's Automated Indicator Sharing (AIS) program and the role of 
Information Sharing and Analysis Centers (ISACs) and Organizations 
(ISAOs) are direct outgrowths of the Act.
    The legislation was the product of 4 years of intensive effort, 
including over 100 meetings with stakeholders ranging from Fortune 100 
companies to small and medium-sized businesses, privacy advocates, and 
academic institutions. It also reflected countless consultations with 
Government agencies and underwent 3 major rewrites based on the 
feedback received. From the outset, the committee recognized the 
critical need to strike the right balance between privacy and security. 
With so much at stake, we knew we had to get it right.
    However, while the law was forward-thinking at the time, the pace 
of technological change and the growing complexity of cyber threats 
have outpaced some of its provisions.
    Despite progress, several key gaps remain:
    1. Limited Participation.--Many private-sector entities, 
        particularly small and mid-sized businesses, still hesitate to 
        share information due to uncertainty about liability 
        protections and limited resources.
    2. Speed and Relevance.--The timeliness and utility of shared data 
        can be inconsistent. Automated platforms are underutilized, and 
        actionable intelligence does not always flow quickly enough to 
        prevent or mitigate attacks.
    3. Lack of Bidirectional Flow.--While private entities are 
        encouraged to share data with the Government, the feedback loop 
        is often one-way. Companies need useful, contextualized threat 
        intelligence in return.
    4. Inconsistent Standards.--Threat data is not always shared in a 
        standardized, machine-readable format, limiting its utility at 
        scale.
    5. Trust Deficit.--Public trust in Government handling of sensitive 
        data--particularly in sectors like finance and health care--
        remains a concern. Transparency, oversight, and accountability 
        must be strengthened.
    Reauthorizing the Cybersecurity Information Sharing Act gives 
Congress the opportunity to strengthen and scale its original vision. 
To strengthen national cybersecurity, Congress should expand and 
clarify liability protections to encourage broader information sharing. 
Businesses, particularly those outside of traditionally-designated 
``critical infrastructure'' sectors, need clear legal assurances that 
they will be shielded when acting in good faith. The scope of protected 
activities must be explicitly defined to eliminate ambiguity and foster 
participation. Small and medium enterprises, which often lack dedicated 
personnel or technical expertise, should be supported for training, 
tool kits, and access to threat-sharing ecosystems like Information 
Sharing and Analysis Centers (ISACs). Additionally, Federal agencies 
such as CISA must be required--not merely allowed--to share timely, 
relevant, and declassified intelligence with the private sector. Trust 
and engagement improve significantly when companies see tangible 
reciprocity.
    Cybersecurity is no longer a technical issue; it is a national 
security imperative that requires whole-of-Nation coordination. No 
single company, agency, or State can defend against these threats 
alone. The adversaries we face--whether criminal networks or foreign 
governments--exploit our silos. We must instead leverage our strengths: 
diversity of talent, innovation, and democratic collaboration.
    The reauthorization of information sharing presents a generational 
opportunity. We can reinforce our values, secure our systems, and 
create a more resilient digital economy by recommitting to a 
collaborative model built on transparency, accountability, and mutual 
support.
    In closing, I urge this committee to quickly modernize and 
reauthorize this critical function. Let us affirm the importance of 
information sharing, strengthen the incentives and protections for 
participants, and build the trusted, interoperable, and actionable 
threat-sharing ecosystem our future demands.
    Thank you again for the opportunity to testify.

    Mr. Garbarino. Thank you, Ms. Rinaldo.
    I now recognize Mr. Schimmeck for 5 minutes to summarize 
his opening statement.

STATEMENT OF KARL SCHIMMECK, EXECUTIVE VICE PRESIDENT AND CHIEF 
          INFORMATION SECURITY OFFICER, NORTHERN TRUST

    Mr. Schimmeck. Chairman Garbarino, Ranking Member Swalwell, 
and distinguished Members of the committee, thank you for the 
opportunity to testify today on a matter of critical national 
importance: the urgent need to reauthorize the Cybersecurity 
Information Sharing Act of 2015.
    My name is Karl Schimmeck. I serve as the chief information 
security officer at Northern Trust and serve on the board of 
directors of the Financial Services Information Sharing and 
Analysis Center, or the FS-ISAC.
    I'm here today on behalf of the Securities Industry and 
Financial Markets Association, or SIFMA, where I sit on the 
Cybersecurity Committee.
    SIFMA is the leading trade association for broker-dealers, 
investment banks, and asset managers operating in the United 
States. SIFMA advocates on legislation, regulation, and 
business policy affecting financial markets.
    I've spent much of my career focused on cybersecurity in 
the financial sector, and I was directly involved in the 
advocacy that helped shape CISA 2015. That law was a bipartisan 
achievement, and it remains one of the most important 
cybersecurity tools that we have and a cornerstone of our 
Nation's cyber defense strategy.
    The threats we face today are not hypothetical. They are 
real, growing, and increasingly dangerous. Nation-state actors 
are conducting relentless cyber operations against our critical 
infrastructure--banking systems, communication networks, energy 
grids, and Government agencies.
    These attacks are not just attempts to steal data. They are 
designed to disrupt, destabilize, and undermine confidence in 
our institutions.
    Put simply, cyber is now a national security domain, and 
the private sector is on the front lines.
    CISA 2015 provides the legal foundation that enables 
companies like mine to share threat intelligence quickly and 
confidently with the Federal Government and with one another. 
It creates the trust, structure, and legal protections required 
for real-time collaboration.
    Without the protections in the act--protections against 
civil liability, regulatory action, and antitrust exposure--
companies would hesitate. They would share less and they would 
share more slowly. That hesitation would be a gift to our 
adversaries.
    When CISA passed, there were concerns about protecting the 
privacy of individuals. After 10 years of activity, there have 
been no known reports that PII not directly related to a 
cybersecurity incident has been shared.
    The participants in this system have a responsibility to 
ensure that the only information submitted is directly related 
to a cybersecurity threat. We take this responsibility 
seriously, and the unblemished track record demonstrates that 
commitment.
    Let me be clear: If the act lapses, our Nation will be more 
vulnerable to cyber attacks the very next day. Threat sharing 
saves time, and in cybersecurity time is everything. It's the 
difference between stopping an attack at the perimeter or 
watching it spread across the system. It's the difference 
between a minor disruption and a systemic crisis.
    We often say that cybersecurity is a team sport, but that's 
only true if the rules allow us to play together. CISA 2015 
makes teamwork possible. Recent events, including SolarWinds 
and CrowdStrike, clearly evidence the value of rapid 
information sharing, which helped to minimize the damage of 
these events.
    That's why we are calling on this subcommittee and the full 
Congress to act swiftly and decisively to reauthorize the act 
without delay, without changes. We cannot afford a gap in our 
defenses, not now, not with the threat landscape evolving by 
the day.
    We are not asking for new authorities. We are asking to 
preserve what already works--a proven framework that enables 
trust, protects privacy, and makes us all stronger.
    The act is not just a legal mechanism, it's a force 
multiplier. It has created a trusted architecture for cyber 
collaboration. To let it expire would be to knowingly dismantle 
the critical defense layer at a precise moment when we need it 
most.
    In closing, I'll leave you with this: Cyber threats don't 
take breaks and they don't wait for legislative calendars. If 
we hesitate, we expose ourselves. If we act, we protect the 
Nation.
    Thank you for the opportunity to speak today, and I look 
forward to any questions.
    [The prepared statement of Mr. Schimmeck follows:]
                  Prepared Statement of Karl Schimmeck
                              May 15, 2025
                              introduction
    Chairman Garbarino, Ranking Member Swalwell, and distinguished 
Members of the subcommittee, thank you for the opportunity to testify 
today in favor of the reauthorization of the Cybersecurity Information 
Sharing Act of 2015 (``CISA 2015'' or the ``Act'').\1\ My name is Karl 
Schimmeck. I am an executive vice president and chief information 
security officer of Northern Trust, responsible for the design and 
management of the bank's information security, cybersecurity, and data 
protection programs. I am here today as a representative of the 
Securities Industry and Financial Markets Association (``SIFMA'') where 
I am a member of the Cybersecurity Committee. I am also on the board of 
directors of the Financial Services Information Sharing and Analysis 
Center (``FS-ISAC'').
---------------------------------------------------------------------------
    \1\ Consolidated Appropriations Act, 2016, Pub. L. No. 114-113, 
Div. N, Title I--Cybersecurity Information Sharing Act of 2015, 129 
Stat. 2935 (2015), 6 U.S.C. § 1501; S. Rep. No. 114-32, at 2 (2015).
---------------------------------------------------------------------------
    Prior to my current position at Northern Trust, I served as chief 
information security officer and head of technology risk and resilience 
for Morgan Stanley's U.S. banks. Prior to that, I was managing director 
of cybersecurity, business resiliency & operational risk at SIFMA from 
2011 to 2016, during which I was involved in the advocacy efforts for 
CISA 2015. During that time, I was also on the executive committee of 
the Financial Services Sector Coordinating Council (``FSSCC'').
    SIFMA is the leading trade association for broker-dealers, 
investment banks, and asset managers operating in the United States and 
global capital markets. SIFMA advocates on legislation, regulation, and 
business policy affecting financial markets and serves as an industry 
coordinating body to promote fair and orderly markets, informed 
regulatory compliance, and efficient market operations and resiliency.
    As part of its critical role as a coordinating body and as it 
relates to this hearing, SIFMA hosts a biannual cybersecurity 
exercise known as Quantum Dawn which brings together public and 
private-sector participants for a series of exercises that simulate the 
operational impacts that a systemic cyber attack could have on 
financial firms, critical third parties, and the global financial 
ecosystem due to a large-scale attack. Last year's exercise included 
more than 1,000 participants from 20 countries. The goal of the 
exercise is to improve response and recovery plans and strengthen 
global coordination and information-sharing mechanisms which are 
necessary for quickly responding to significant operational outages, 
including cyber events.\2\
---------------------------------------------------------------------------
    \2\ Press release, SIFMA Cybersecurity Exercise, Quantum Dawn VII 
After-Action Report (May 1, 2024), https://www.sifma.org/resources/
general/cybersecurity-exercise-quantum-dawn-vii/.
---------------------------------------------------------------------------
    Certain key provisions of CISA 2015 are set to expire in September 
if Congress does not reauthorize them. SIFMA is calling for a clean 
reauthorization of the expiring provisions of CISA 2015 as soon as 
possible so that participating institutions will have the necessary 
assurances that the existing protections will continue. These expiring 
provisions include liability protections for private companies when 
sharing information pursuant to the Act--protections that are essential 
to the collective protection of the United States via the enhanced 
situational awareness that information sharing provides. It is critical 
that Congress reauthorize these provisions to preserve information 
sharing before they expire.
                cisa 2015 background and reauthorization
    Since its bipartisan passage 10 years ago, CISA 2015 has become a 
vital part of cyber defense by providing a robust legal and operational 
framework for voluntarily sharing information between the public and 
private sector in the United States. The financial services industry 
has since become reliant on the Act's legal framework and protections, 
which have proven necessary on many occasions. In the decade since its 
enactment, the law has meaningfully improved the capacity and speed 
with which we can respond to large-scale cyber incidents while 
establishing clear expectations for privacy and confidentiality. This 
includes building the structures used by private-sector cyber defenders 
to inform Government partners of on-going cyber threats from malicious 
actors.
    The Act provides a formalized foundation for firms to voluntarily 
collaborate with both the Federal Government and other institutions to 
share necessary information to protect investors and the financial 
markets from cyber criminals seeking financial gain and nation-states 
seeking to disrupt orderly markets and critical infrastructure. This 
foundation is largely based on legal and liability protections granted 
to the private sector to further promote voluntary sharing of cyber 
threat indicators and defensive measures to help prevent imminent cyber 
threats. Public and private-sector participants primarily share this 
information through the Cybersecurity and Infrastructure Security 
Agency's (``CISA'') Automated Indicator Sharing Program (``AIS'') which 
operates a server that allows public and private participants to share 
cyber threat indicators.\3\ Once that information is analyzed and 
appropriately sanitized including the removal of personally 
identifiable information (``PII''), AIS shares indicators or defensive 
measures submitted by Government agencies and private-sector entities 
with all AIS participants. This information may also be compared and 
used in conjunction with post-incident information reporting required 
under the Cyber Incident Reporting for Critical Infrastructure Act of 
2022 (``CIRCIA'') to prevent future incidents.\4\ Further, information 
sharing under CISA 2015 benefits financial institutions of all sizes 
and business models, not just large firms.
---------------------------------------------------------------------------
    \3\ Cong. Rsch. Serv., The Cybersecurity Information Sharing Act of 
2015: Expiring Provisions (Apr. 8, 2025), https://www.congress.gov/
crs_external_products/IF/PDF/IF12959/IF12959.4.pdf.
    \4\ 6 U.S.C. §§ 681a-681b.
---------------------------------------------------------------------------
    At the time of passage, there were some concerns about protecting 
the privacy of individuals when cyber threats were reported under CISA 
2015. After 10 years of activity, no AIS participants (public or 
private) have been known to report PII that was not directly related to 
a cybersecurity incident pursuant to CISA 2015.\5\ The participants in 
this system have a responsibility to ensure that the only information 
submitted to AIS is directly related to a cybersecurity threat. All AIS 
participants are responsible for scrubbing any PII not directly related 
to cybersecurity threats prior to submission. Further, CISA has 
additional automated controls to identify potential PII in reports 
prior to dissemination through the AIS. Flagged information is reviewed 
and approved by designated CISA staff before it is sent out through 
AIS.
---------------------------------------------------------------------------
    \5\ Dep't of Homeland Sec. Off. of the Inspector Gen., CISA Faces 
Challenges Sharing Cyber Threat Information as Required by the 
Cybersecurity Act of 2015, OIG 24-60 (Sept. 25, 2024), https://
www.oig.dhs.gov/sites/default/files/assets/2024-09/OIG-24-60-Sep24.pdf.
---------------------------------------------------------------------------
    The U.S. Government and the private sector face daily cyber threats 
that require cross-sector information sharing to capably combat.
    The reality of the on-going threats to financial institutions, 
Federal and State governments, and the general public cannot be 
overstated. Nation-state hackers have launched numerous attacks on U.S. 
critical infrastructure,\6\ including our communications systems--
signaling they are positioning for bigger, more disruptive attacks. 
Federal agencies have similarly been targeted--most recently the 
Treasury Department in the BeyondTrust breach,\7\ the SolarWinds 
incident in which 9 agencies were compromised,\8\ and the Office of the 
Comptroller of the Currency email breach this year.\9\ Unfortunately, 
foreign cyber criminals continue to target U.S. companies through 
various tactics, such as phishing and ransomware, making information 
sharing essential to defending our critical infrastructure against such 
threats.\10\ Further, a recent report found that two-thirds of 
financial institutions faced cyber attacks in 2024.\11\ The threat is 
real; it's increasing in volume, speed, and sophistication; effective 
information sharing is one of the best ways we can work together 
against this growing risk.
---------------------------------------------------------------------------
    \6\ Dustin Volz et al., How Chinese Hackers Graduated From Clumsy 
Corporate Thieves to Military Weapons, WALL ST. J. (Jan. 4, 2025), 
https://www.wsj.com/tech/cybersecurity/typhoon-china-hackers-military-
weapons-97d4ef95; Nat'l Counterintelligence and Sec. Ctr. & Off. of 
Cybersecurity Exec, SolarWinds Orion Software Supply Chain Attack (Aug. 
19, 2021), https://www.dni.gov/files/NCSC/documents/
SafeguardingOurFuture/
SolarWinds%20Orion%20Software%20Supply%20Chain%20Attack.pdf.
    \7\ Arielle Waldman, CISA: BeyondTrust breach affected Treasury 
Department only, TECHTARGET (Jan. 7, 2025), https://www.techtarget.com/
searchsecurity/news/366617777/CISA-BeyondTrust-breach-impacted-
Treasury-Department-only.
    \8\ Nat'l Counterintelligence and Sec. Ctr. & Off. of Cybersecurity 
Exec., SolarWinds Orion Software Supply Chain Attack (Aug. 19, 2021), 
https://www.dni.gov/files/NCSC/documents/SafeguardingOurFuture/
SolarWinds%20Orion%20Software%20Supply%20Chain%20Attack.pdf.
    \9\ Office of the Comptroller of the Currency, OCC Notifies 
Congress of Incident Involving Email System, News Rel. 2025-30 (April 
8, 2025), https://occ.gov/news-issuances/news-releases/2025/nr-occ-
2025-30.html.
    \10\ Office of the Dir. of Nat'l Intelligence, Annual Threat 
Assessment of the U.S. Intelligence Community (March 18, 2025), 
https://www.dni.gov/files/ODNI/documents/assessments/ATA-2025-
Unclassified-Report.pdf.
    \11\ Tom Kellerman, Modern Bank Heists Report 2025: Executive 
Summary, at 4 (Contrast Sec. 2025).
---------------------------------------------------------------------------
    Legal protections under CISA 2015 are necessary to facilitate 
information sharing by and among private companies.
    CISA 2015 provides legal and liability protection for entities that 
share cyber threat indicators pursuant to the Act. Prior to CISA 2015, 
existing laws did not clearly shield private entities from regulatory 
enforcement actions, civil actions, or antitrust enforcement actions 
when sharing cyber threat information. Likewise, the law did not 
explicitly preserve legal protections, like attorney-client privilege, 
or safeguards for trade secrets and proprietary information shared with 
the Government or with other private entities for the purpose of 
preventing cyber attacks. CISA 2015 provided a clearer legal framework, 
outlining what information can be shared and how that information 
should be shared to retain these legal protections. Such protections 
encourage voluntary information sharing, which has become necessary for 
defending against cyber threats.
            1. Protection from Civil Liability
    Under the Act, if a private entity shares a cyber threat indicator 
or a defensive measure in accordance with CISA's procedures, it is 
protected from civil lawsuits that might otherwise arise from such 
sharing.\12\ The conditions for civil liability protections include 
sharing information in compliance with the Act's privacy and data-
handling requirements and when sharing information with the Federal 
Government, doing so only through CISA's prescribed process. As a 
result, if a financial institution sends an IP address associated with 
malware to AIS in compliance with the Act, the firm cannot be held 
liable for a breach of privacy or other civil right of action in 
connection with that information sharing.
---------------------------------------------------------------------------
    \12\ 6 U.S.C. § 1505.
---------------------------------------------------------------------------
            2. Protection from Antitrust Liability
    CISA 2015 provides critical protection from antitrust liability for 
private entities that share covered information with the Federal 
Government or other private entities in accordance with the Act.\13\ As 
with the other legal protections provided under the Act, the 
information must be shared only in accordance with CISA 2015 and only 
used for the purpose of cybersecurity. In particular, the Act's 
antitrust exemption and associated protections have provided important 
assurances and therefore also facilitated broader cyber information 
sharing between private companies.
---------------------------------------------------------------------------
    \13\ 6 U.S.C. § 1503(e)(1).
---------------------------------------------------------------------------
            3. Protection from Regulatory Enforcement Action
    CISA 2015 provides that sharing cyber threat information or 
defensive mechanisms shall not be used by Federal regulators to take 
enforcement action against the sharing entity. This protection 
encourages financial institutions to share information voluntarily by 
providing assurance that such information will not be used against them 
in an enforcement proceeding brought by the Securities and Exchange 
Commission or other prudential regulators so long as that information 
is shared within the Act's stated parameters.
            4. No Waiver of Privileges or Protections
    Sharing cyber threat information under CISA does not waive any 
applicable privilege or legal protection, including attorney-client 
privilege and protections for trade secrets and proprietary business 
information. These provisions ensure that institutions can share 
indicators without fearing loss of legal protections over that 
information.
            5. Controlled Government Use
    Information shared under the Act may be retained and used by the 
Federal Government only for limited purposes including for 
cybersecurity, investigating, or prosecuting certain crimes (e.g., 
cyber crime, identity theft, or serious violent crimes), and certain 
national security matters. This provision provides assurances to the 
private sector that the information they share voluntarily will not be 
used for purposes other than what was intended when disclosed.
Public-private information sharing has been beneficial to the financial 
        services industry.
    There are many examples where public-private information sharing 
has helped to mitigate significant cybersecurity threats impacting 
financial institutions. For example, during the SolarWinds incident 
SIFMA, FSSCC, and other organizations were able to quickly identify the 
impact areas thanks to information sharing among members but also with 
CISA and other Federal agencies. The same was true of risks posed by 
non-malicious events, such as the CrowdStrike software update, which 
caused a wide-spread outage in the financial services industry. This 
event demonstrated how 
well CISA's sharing and notification systems helped to improve 
resilience in the financial services industry and beyond.\14\ The 
ability to fend off imminent cyber threats through information sharing 
cannot be emphasized enough and these are just 2 examples of such 
events.
---------------------------------------------------------------------------
    \14\ Mike Kapko, CrowdStrike snafu was a `dress rehearsal' for 
critical infrastructure disruptions, CISA director says, Cybersecurity 
Dive (Aug. 8, 2024), https://www.cybersecuritydive.com/news/
crowdstrike-critical-infrastructure-resiliency-cisa/723712/.
---------------------------------------------------------------------------
A lapse in the legal framework provided in the Act could discourage 
        essential information sharing.
    A lapse in the legal framework provided in the Act could limit 
cyber threat information sharing. These communication channels 
formalized under CISA 2015 are essential for enhancing overall 
awareness of national security threats and quickly responding to 
incidents.
    Without these legal safeguards, the flow of information would slow 
significantly, leaving critical vulnerabilities and awareness of 
malicious activity unreported. Because information shared under the Act 
is related to cyber threats, that information may help prevent imminent 
cyber events before they happen, preserving time and resources that 
would be expended on the resolution of the event. While post-incident 
reporting also helps to prevent future attacks, such information may 
not be as useful for protecting against an impending threat.
    In addition, these statutory provisions have been incorporated by 
reference to other significant cyber laws like CIRCIA--making 
reauthorization all the more critical.\15\
---------------------------------------------------------------------------
    \15\ See 6 U.S.C. § 681a.
---------------------------------------------------------------------------
                               conclusion
    In closing, SIFMA and the financial services industry remain 
committed to strengthening the cybersecurity of our Nation's critical 
infrastructure. CISA 2015 has been a vital tool in building the trust, 
structure, and legal certainty needed for effective, real-time 
collaboration between the private sector and Government. It has made 
our institutions more resilient, our responses more coordinated, and 
our defenses more adaptive.
    Allowing the Act to lapse would weaken one of the most constructive 
public-private partnerships in cybersecurity policy to date. We 
respectfully urge this subcommittee and Congress to act swiftly to 
reauthorize CISA 2015.
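The prepared statement above describes a two-stage handling of personal data in shared indicators: the submitting institution scrubs PII that is not directly related to the threat before submission, and the receiving program runs automated controls that flag anything still resembling PII for review by designated staff before dissemination. The following Python block is an added illustration of that workflow; it is not code from the hearing, SIFMA, CISA or the AIS program. The field names, the allowlist, the detection patterns and the sample phishing report are all constructed for this example.

```python
"""
Pre-submission scrub of a cyber threat indicator record, plus a second
automated pass that flags residual PII for human review.

Added illustration only. Field names, patterns and the sample record are
constructed; they do not reflect any real sharing program's schema.
"""
import re
from dataclasses import dataclass, field

# Fields that describe the threat itself and are forwarded (after scrubbing).
INDICATOR_FIELDS = {
    "indicator_type", "sender_domain", "malicious_url",
    "attachment_sha256", "c2_ip", "observed_at", "description",
}

# Fields that identify the victim or the reporter; never forwarded.
DROP_FIELDS = {"recipient_email", "recipient_name", "reporter_name", "account_id"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
US_PHONE_RE = re.compile(r"(?<!\d)(?:\+1[ -]?)?\(?\d{3}\)?[ -]?\d{3}[ -]?\d{4}(?!\d)")


@dataclass
class ScrubResult:
    record: dict                      # the sanitized record that would be submitted
    dropped: list = field(default_factory=list)       # fields removed outright
    redactions: list = field(default_factory=list)    # fields whose text was edited
    review_flags: list = field(default_factory=list)  # stage-2 findings for a human


def scrub_free_text(text, attacker_domains):
    """Redact PII in free text. Email addresses at attacker-controlled
    domains are part of the indicator and are deliberately kept."""
    def keep_or_redact(m):
        addr = m.group(0)
        domain = addr.rsplit("@", 1)[1].lower()
        return addr if domain in attacker_domains else "[REDACTED-EMAIL]"

    out = EMAIL_RE.sub(keep_or_redact, text)
    out = SSN_RE.sub("[REDACTED-SSN]", out)
    out = US_PHONE_RE.sub("[REDACTED-PHONE]", out)
    return out


def flag_residual_pii(record):
    """Stage 2 (receiving side): flag anything that still looks like PII.
    An attacker's sender address survives stage 1 on purpose, so it is
    surfaced here for a reviewer to confirm before dissemination."""
    flags = []
    for key, value in record.items():
        if not isinstance(value, str):
            continue
        if EMAIL_RE.search(value):
            flags.append(f"{key}: contains an email address")
        if SSN_RE.search(value) or US_PHONE_RE.search(value):
            flags.append(f"{key}: contains a phone or SSN pattern")
    return flags


def scrub_indicator(raw, attacker_domains):
    """Stage 1 (submitting side): keep only allowlisted indicator fields,
    drop victim/reporter fields, redact PII inside free text, then run
    the stage-2 check so the submitter sees what a reviewer would see."""
    attacker_domains = {d.lower() for d in attacker_domains}
    result = ScrubResult(record={})
    for key, value in raw.items():
        if key in INDICATOR_FIELDS:
            if isinstance(value, str):
                cleaned = scrub_free_text(value, attacker_domains)
                if cleaned != value:
                    result.redactions.append(key)
                value = cleaned
            result.record[key] = value
        else:
            # DROP_FIELDS and any unknown field: not on the allowlist, not sent.
            result.dropped.append(key)
    result.review_flags = flag_residual_pii(result.record)
    return result


# Constructed sample report; the domain, hash and IP are documentation values.
SAMPLE_REPORT = {
    "indicator_type": "phishing",
    "sender_domain": "invoice-portal.example",
    "malicious_url": "http://invoice-portal.example/login",
    "attachment_sha256": "3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b",
    "c2_ip": "203.0.113.45",
    "observed_at": "2025-05-01T13:02:00Z",
    "recipient_email": "jane.doe@bank.example",
    "recipient_name": "Jane Doe",
    "account_id": "ACCT-0012345",
    "description": (
        "Employee jane.doe@bank.example received a lure from "
        "billing@invoice-portal.example asking to confirm SSN 123-45-6789 "
        "and call 555-123-4567."
    ),
}

if __name__ == "__main__":
    res = scrub_indicator(SAMPLE_REPORT, {"invoice-portal.example"})
    print("submit:", res.record)
    print("dropped:", res.dropped, "redacted:", res.redactions)
    print("needs review:", res.review_flags)
```

The allowlist, rather than a blocklist, is the important design choice: a field the submitter never anticipated is withheld by default instead of leaking. The regex patterns are deliberately narrow illustrations; a production scrubber would cover more identifier types and would still route flagged records to a human, as the statement describes.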

    Mr. Garbarino. Thank you, Mr. Schimmeck.
    I now recognize Ms. Kuehn for 5 minutes to summarize her 
opening statement.

  STATEMENT OF KATHERINE KUEHN, MEMBER AND CISO-IN-RESIDENCE, 
             NATIONAL TECHNOLOGY SECURITY COALITION

    Ms. Kuehn. Chairman Garbarino, Ranking Member Swalwell, and 
Members of the committee, thank you for the opportunity to 
testify today in support of reauthorizing the Cybersecurity 
Information Sharing Act of 2015 and the importance of public-
private partnerships in protecting our national security.
    My name is Katherine Kuehn, and I am a board member of the 
National Technology Security Coalition and serve as their CISO-
in-residence.
    Established in 2016, the NTSC is a nonprofit, nonpartisan 
organization that advocates for the chief information security 
officers, chief privacy officers, and senior security 
technology executives.
    NTSC's mission is to advance cybersecurity policies that 
protect critical national infrastructure and foster strong 
collaboration between the public and private sectors to secure 
our digital landscape.
    As a part of this mission, we have been deeply involved in 
shaping the national conversation on cybersecurity, including 
advocacy for the creation of the Cybersecurity Advisory 
Committee.
    The Cybersecurity Information Sharing Act of 2015 has long 
been a cornerstone of our national cybersecurity strategy. 
Since its inception, this law has fostered collaboration 
between industry leaders and Federal agencies, enabling the 
identification and mitigation of cybersecurity threats.
    The legal protections offered by CISA encourage private 
organizations to share information without fear of 
repercussions, enhancing the Nation's ability to respond to 
cyber attacks. It facilitates the exchange of critical cyber 
information threats between private-sector companies and the 
Federal Government.
    CISA provides incentives for companies to share 
cybersecurity threat indicators, such as software 
vulnerabilities and malware, with the Department of Homeland 
Security, DHS. This collaboration is crucial for preventing 
data breaches and attacks from cyber criminals and foreign 
adversaries.
    This law has been pivotal in addressing some of the most 
significant cyber threats over the past decade, including high-
profile incidents like the SolarWinds breach and, more recently, 
the Volt Typhoon and Salt Typhoon campaigns. These attacks 
underscore the growing sophistication and scale of cyber 
threats we face today.
    As noted by Senators Gary Peters and Mike Rounds, allowing 
CISA 15 to lapse would significantly weaken our cybersecurity 
ecosystem and undermine the ability to address these 
sophisticated threats. Moreover, a lapse would remove essential 
liability protections and hinder defensive operations across 
critical sectors.
    The protections under CISA 15 have provided legal certainty 
for companies that might otherwise hesitate to share critical 
data threats.
    This safe harbor provision has been crucial in fostering a 
culture of trust and collaboration. Without this legal 
protection, the flow of vital threat intelligence would slow, 
hindering both proactive and reactive cyber defense efforts.
    Cybersecurity is a team sport, one that requires 
collaboration between Government and private sector. 
Information sharing is essential for national security as cyber 
threats become increasingly sophisticated.
    The current global cyber threat environment demands 
constant information exchange between these sectors to protect 
the Nation's critical infrastructure.
    CISA 15 has been instrumental in supporting this 
collaboration, particularly through initiatives like the Joint 
Cyber Defense Collaborative, which unites Federal agencies and 
leading private-sector companies.
    Unfortunately, the recent termination of the Critical 
Infrastructure Partnership Advisory Council, the disbandment of 
the Cyber Safety Review Board, and the dismissal of members of 
the Cybersecurity Advisory Committee have undermined public-
private cooperation in cybersecurity. These advisory bodies 
have played crucial roles in fostering dialog and sharing best 
practices between Government and industry. Their loss has 
created a gap that must be addressed.
    The importance of public-private partnerships is further 
emphasized by the fact that critical infrastructure sectors, 
such as energy, finance, and health care, are predominantly 
managed by private companies. These industries rely on timely 
and accurate information to protect themselves against attacks 
from nation-state actors and cyber criminals.
    Information sharing is crucial for defending against 
complex state-sponsored attacks, such as those originating from 
Russia, China, and North Korea.
    The NTSC was directly involved in creating the 
Cybersecurity Advisory Committee, which was introduced in 2019 
through bipartisan legislation, a bill aimed at establishing an 
advisory committee composed of highly-skilled cybersecurity 
professionals responsible for protecting enterprises across all 
primary business sectors.
    The Advisory Committee would serve as a valuable cyber 
resource, providing unparalleled insight and expertise to the 
director of the Cybersecurity and Infrastructure Security 
Agency and Homeland Security.
    The NTSC, in collaboration with these Members of Congress 
and this committee, proposed the idea for the Advisory 
Committee and played a central role in the establishment.
    In conclusion, the reauthorization of CISA 15 is crucial 
for maintaining the Nation's cybersecurity and strengthening 
public-private partnerships in cybersecurity. The law has 
fostered a collaborative environment that enables real-time 
sharing of cyber intelligence and defends against attacks from 
sophisticated adversaries.
    We urge Congress to prioritize a clean reauthorization of 
CISA 15 and to ensure that we continue to look at areas we can 
focus on joint public-private cybersecurity collaboration.
    I thank you for your attention to this critical issue, and 
I look forward to addressing your questions.
    [The prepared statement of Ms. Kuehn follows:]
                 Prepared Statement of Katherine Kuehn
                        Wednesday, May 15, 2025
    The National Technology Security Coalition (NTSC) is a nonprofit, 
nonpartisan organization that serves as the preeminent advocacy voice 
for the chief information security officer (CISO) and senior security 
technology executives. Through dialog, education, and Government 
relations, we unite both public and private-sector stakeholders around 
policies that improve national cybersecurity standards and awareness.
    Chairman Garbarino, Ranking Member Swalwell, and Members of the 
committee, thank you for the opportunity to testify today in support of 
reauthorizing the Cybersecurity Information Sharing Act of 2015 (CISA 
2015) and the importance of public-private partnerships in protecting 
our national security. My name is Katherine Kuehn, and I am a board 
member of the National Technology Security Coalition (NTSC), serving as 
the CISO-in-residence.
    Established in 2016, the NTSC is a nonprofit, nonpartisan 
organization that advocates for chief information security officers, 
chief privacy officers, and senior security technology executives. 
NTSC's mission is to advance cybersecurity policies that protect 
critical infrastructure and foster strong collaboration between the 
public and private sectors to secure our digital landscape. As part of 
this mission, we have been deeply involved in shaping the national 
conversation on cybersecurity, including advocacy for the creation of 
the Cybersecurity Advisory Committee.
    The Cybersecurity Information Sharing Act of 2015 has been a 
cornerstone of our national cybersecurity strategy. Since its 
inception, this law has fostered collaboration between industry leaders 
and Federal agencies, enabling the identification and mitigation of 
cybersecurity threats. The legal protections offered by CISA encourage 
private organizations to share information without fear of legal 
repercussions, enhancing the Nation's ability to respond to cyber 
attacks. It facilitates the exchange of critical cyber threat 
information between private-sector companies and the Federal 
Government. Through CISA 2015, companies can share indicators of cyber 
threats, such as software vulnerabilities, malware, and malicious IP 
addresses, without fearing liability or legal repercussions. This 
collaborative approach has been instrumental in enhancing the Federal 
Government's ability to respond to cyber attacks quickly and 
effectively.
    CISA provides incentives for companies to share cybersecurity 
threat indicators, such as software vulnerabilities and malware, with 
the Department of Homeland Security (DHS). This collaboration is 
crucial for preventing data breaches and attacks from cyber criminals 
and foreign adversaries. This law has been pivotal in addressing some 
of the most significant cybersecurity threats over the past decade, 
including high-profile incidents like the SolarWinds breach and the 
more recent Volt Typhoon and Salt Typhoon campaigns. These attacks 
underscore the growing sophistication and scale of cyber threats we 
face today. As noted by Senators Gary Peters and Mike Rounds, allowing 
CISA 2015 to lapse would ``significantly weaken our cybersecurity 
ecosystem'' and undermine the ability to address these sophisticated 
threats.
    Moreover, a lapse would remove essential liability protections and 
hinder defensive operations across critical sectors. The protections 
under CISA 2015 have provided legal certainty for companies that might 
otherwise hesitate to share critical threat data. This ``safe harbor'' 
provision has been crucial in fostering a culture of trust and 
collaboration. Without this legal protection, the flow of vital threat 
intelligence would slow, hindering both proactive and reactive cyber 
defense efforts.
    Cybersecurity is a team effort--one that requires collaboration 
between the Government and the private sector. Information sharing is 
essential for national security as cyber threats become increasingly 
sophisticated. The current global cyber threat environment demands 
constant information exchange between these sectors to protect the 
Nation's critical infrastructure. CISA 2015 has been instrumental in 
supporting this collaboration, particularly through initiatives like 
the Joint Cyber Defense Collaborative, which unites Federal agencies 
and leading private-sector cybersecurity firms.
    Unfortunately, the recent termination of the Critical 
Infrastructure Partnership Advisory Council, the disbandment of the 
Cyber Safety Review Board, and the dismissal of members of the 
Cybersecurity Advisory Committee have undermined public-private 
cooperation in cybersecurity. These advisory bodies played a crucial 
role in fostering dialog and sharing best practices between the 
Government and industry. Their loss has created a gap in collaboration 
that must be addressed.
    The importance of these public-private partnerships is further 
emphasized by the fact that critical infrastructure sectors--such as 
energy, finance, and health care--are predominantly managed by private 
companies. These industries rely on timely and accurate information to 
protect themselves against attacks from nation-state actors and cyber 
criminals. Information sharing is crucial for defending against 
complex, state-sponsored cyber attacks, such as those originating from 
Russia, China, and North Korea.
    The NTSC was directly involved in creating the Cybersecurity 
Advisory Committee, which was introduced in 2019 through bipartisan 
legislation. In the 116th Congress, Representatives John Katko, Dan 
Newhouse, Brian Fitzpatrick, and Dan Lipinski introduced H.R. 1975, the 
Cybersecurity Advisory Committee Act of 2019, a bill aimed at 
establishing an advisory committee composed of highly-skilled 
cybersecurity professionals responsible for protecting enterprises 
across all primary business sectors. The advisory committee would serve 
as a valuable cyber resource, providing unparalleled insight and 
expertise to the director of the Cybersecurity and Infrastructure 
Security Agency and the Secretary of Homeland Security. The NTSC, in 
collaboration with these Members of Congress and this committee, 
proposed the idea for the advisory committee and played a central role 
in its establishment.
    The advisory committee was established to provide expert guidance 
on cybersecurity policy and offer actionable recommendations to enhance 
the Nation's defenses. Its work has been invaluable in shaping 
cybersecurity policy and ensuring the Government remains in close 
contact with industry leaders. Reinstating this advisory body is 
essential for ensuring that our cybersecurity policies continue to 
evolve in response to new threats.
    Given the urgency of the current cyber threat landscape, Congress 
must proceed with a clean reauthorization of CISA 2015. While there 
will be opportunities to adjust the law in the future, now is not the 
time for complicated negotiations that could delay reauthorization. A 
clean reauthorization would preserve the practical framework that 
facilitates public-private collaboration and provides legal protections 
for information sharing.
    In conclusion, the reauthorization of CISA 2015 is crucial for 
maintaining the Nation's security and strengthening public-private 
partnerships in cybersecurity. The law has fostered a collaborative 
environment that enables the real-time sharing of cyber threat 
intelligence, helping to defend against attacks from sophisticated 
adversaries.
    We urge Congress to prioritize a clean reauthorization of CISA 2015 
to ensure the continued effectiveness of these public-private 
partnerships and the legal protections they provide. Furthermore, we 
urge Congress and the administration to reinstate advisory bodies, such 
as CIPAC, CSRB, and CSAC, to strengthen public-private cybersecurity 
collaborations.
    Thank you for your attention to this critical issue. I look forward 
to addressing any questions you may have.

    Mr. Garbarino. Thank you, Ms. Kuehn.
    Members will be recognized by order of seniority for their 
5 minutes of questioning. I want to remind everyone to please 
keep their questioning to 5 minutes. Sometimes we go over. It's 
OK. An additional round of questioning may be called after all 
Members have been recognized.
    I now recognize the gentleman from Florida, Mr. Gimenez, 
for 5 minutes of questioning.
    Mr. Gimenez. Thank you, Mr. Chairman.
    I understand the importance of reauthorizing that bill, but 
what is the state of the cyber threat today compared to what it 
was 10 years ago?
    Mr. Miller.
    Mr. Miller. Thank you for the question, Congressman.
    I think by any account, the state of the cyber threat today 
is that there are far more threats. We have a different 
technology environment, including threats such as ransomware, 
which we weren't really talking about 10 years ago, threats to 
operational technology, and artificial intelligence, which is 
clearly on everyone's minds. Artificial intelligence can be 
used both as a sword and a shield, as it were.
    Also, I think it's fair to say that we have much more--even 
more sophisticated nation-state threat actors, the usual 
suspects, of course, China, Russia, North Korea, Iran.
    So, I mean, I think when we look at it and we look at the 
cyber threat ecosystem in particular, there are a lot more 
threats. But the good news is, in large part because of CISA 
15, we're able to share much more information at scale to keep 
pace with the various different changes in technology today 
than we were 10 years ago. That's why I think you hear 
unanimity on this panel that we need to----
    Mr. Gimenez. There are a number of cybersecurity companies 
that are contracted by different companies, et cetera, right? 
So do you find that they share information freely or do they 
try to keep their stuff proprietary and try to shield 
themselves from competition?
    Mr. Miller. Well, I mean, I don't know that I can talk 
about individual companies' business practices. But I will say, 
generally speaking, that when we think about Automated 
Indicator Sharing in particular we have--yes, there are some 
very large, excellent cyber threat companies who are sharing 
information with their customers at scale. They're plugged into 
the AIS system.
    Mr. Gimenez. But that's not--I'm not talking about their 
customers. I'm talking about sharing it throughout the Nation. 
In other words, not just their customers. I'm talking about 
sharing information with other entities that may not be using 
the same company for cybersecurity.
    How is that? Is there still a barrier there? Are there 
barriers there? Or are they freely sharing information across 
different companies and different platforms?
    Mr. Miller. I think when we look at the Information Sharing 
and Analysis Centers, the ISACs--and I can most speak to the 
IT-ISAC, but there are ISACs for all 16 critical infrastructure 
sectors--there are thousands of companies participating in 
those ISACs and sharing information, including the 
cybersecurity companies.
    I mean, as far as I know, there are not barriers to sharing 
there. Actually, the fact that we are able to share at scale 
amongst all these different entities is certainly a very good 
thing, because the cyber companies do participate in those 
sorts of sharing activities.
    There are others, other groups, like the Cyber Threat 
Alliance for instance, there are various other information and 
sharing and analysis organizations out there, and there's a lot 
of sharing going on, much, much more sharing than there was 
pre-CISA 15.
    Mr. Gimenez. Thank you.
    You talked about artificial intelligence, that it could be 
a sword or it could be a shield. Who's winning?
    Mr. Miller. I mean, I'd certainly like to think that the 
good guys are winning. Right now, it's probably----
    Mr. Gimenez. That's a matter of perspective. When we're 
trying to hack into somebody else, we're the good guys. So 
that's a sword.
    So who's winning, the sword or the shield? Who is keeping 
pace with who? Is the shield keeping pace with the sword?
    Mr. Miller. I think it's hard to generalize, but, I mean, I 
think that the way in which artificial intelligence technology 
is being used by defenders is proving quite effective today. 
But we really can't let our guard down, because, again, the 
good guys are innovating and so are the bad guys. So we really 
need to keep pace.
    Mr. Gimenez. Do you think that it would be a wise move for 
Congress, for the Government, to invest in artificial 
intelligence as a shield? Because we're never going to match 
our adversaries in terms of the manpower that they pour into 
this effort. The only way that we can match that is through 
automation.
    Do you agree with that, Mr. Schimmeck?
    Mr. Schimmeck. Similar to private-sector companies, the 
U.S. Government should be investing in artificial intelligence, 
improving its capabilities. We rely on the U.S. Government and 
its capabilities, both offensive and defensive in nature, to 
support us and protect us. So the more effective you can be, 
the better protected we're going to be in the end.
    Mr. Gimenez. Thank you so much.
    I yield back.
    Mr. Garbarino. The gentleman yields back.
    I always love when you ask questions. I never know where 
you're going to go.
    [Laughter.]
    Mr. Gimenez. I don't either until I get here.
    Mr. Garbarino. I love it.
    I now recognize the gentleman from Rhode Island, Mr. 
Magaziner, for 5 minutes of questions.
    Mr. Magaziner. Thank you, Chairman.
    The Cybersecurity and Infrastructure Security Agency, CISA, 
leads our Nation in securing businesses' critical 
infrastructure and the Government from cyber criminals, 
hackers, and adversarial countries.
    When U.S. businesses are attacked, CISA provides vital 
response and recovery. When there's an emerging cyber threat or 
a breach, CISA warns private industry about the threat and also 
provides training and education to the private sector, critical 
information operators, educational partners, and the general 
public.
    The absolutely vital work done at CISA makes our country 
safer from the growing threats on cyber space, in cyber space. 
I am glad that there is bipartisan interest in reauthorizing 
the Cyber Information Sharing Act of 2015 so that this work can 
continue.
    In part, though, the continued success of CISA and the 
hopefully growing success of CISA depends not just on this 
legislation being reauthorized but in making sure that CISA is 
adequately resourced. We need to ensure that the Trump and Musk 
administration doesn't cut CISA to the extent that they have 
announced they intend to do so. We should be investing in this 
space, not cutting back, because our adversaries are not 
cutting back.
    If we're going to believe that the administration takes 
cybersecurity seriously, then we're going to need to see from 
them a reversal in their plan to cut nearly half a billion 
dollars from CISA's budget, which is what was proposed in the 
administration's fiscal 2026 budget. If the administration took 
cybersecurity seriously, they would be investing in CISA, not 
cutting it.
    So we need to talk about that. Then we need to talk about 
the alternative. How do we build CISA up to continue to be 
successful going forward in the context of an ever-more complex 
and hostile threat environment targeting the United States?
    So I'll start with Ms. Kuehn.
    So in April it was reported that the administration, the 
Trump administration, plans to cut over a thousand jobs at 
CISA, which is expected to impact a myriad of programs across 
the agency.
    Can you discuss what the impact of those kinds of work 
force cuts would be and whether they are a good idea or not?
    Ms. Kuehn. So I think when you talk about the threats--if 
we talk about the threats that we're facing right now--you were 
asking about adversaries earlier.
    One of the critical roles that CISA is playing right now is 
that we really have, with the advent of AI, and specifically 
generative and agentic AI, 3 types of threats right now. We 
have malicious, which we all understand, nation-state 
adversaries and criminals.
    We also have malfunction and mistake. So if we think about 
what happened this summer with CrowdStrike from a software 
incident perspective, and then also with AI when all of a 
sudden an LM decides to go poorly.
    So CISA is playing a critical role, No. 1, the public 
partnership groups that I discussed before, like JCDC and the 
Advisory Council, of helping share information between the 
companies that are on the front lines in the private sector 
developing technologies and the Government when things happen 
from a threat perspective.
    The other thing that's really critical is we talk a lot 
about the private sector, but the reality is, is that a huge 
amount of our critical national infrastructure sits within 
medium and small businesses, and they rely on CISA for things 
like the small company guidances that came out in the last few 
years with cyber.
    Mr. Magaziner. Yes. I think that's such an important point. 
I mean, one of the things that I think the general member of 
the public doesn't fully appreciate unless they're deep in this 
stuff is that when our adversaries, particularly the state 
actors, China, Iran, North Korea, others, are trying to hack 
into U.S. systems, it's not just the big Government agencies 
like the Pentagon or the big companies like Northern Trust, but 
small and medium-sized businesses, and also all of these local 
utilities and local governments all across the country.
    We hear about these cases in Classified settings, but there 
are also plenty of cases that have been publicly reported of 
local water systems, local airports, et cetera.
    So, again, just getting back to the issue of resources and 
work force, CISA has, I mean, thousands and thousands of 
customers that it needs to interface with, small businesses, 
small localities.
    So, again, how important is it that we maintain a strong 
work force at CISA in that light?
    Ms. Kuehn. So I'll give an example. You talk about the 
small businesses and the importance of CISA.
    Not long ago I was on a plane chatting with a woman next to 
me. She was on her way to Florida because she was meeting her 
husband and her grandkids, and her husband was retiring from 
his job.
    What did he do? Well, he was a concrete distributor in 
Dallas. She explained to me that they were selling the company.
    The company was going out of business, basically, because, 
she literally went, ``There was one of those ransomware attack 
things. He borrowed my phone and did something for business on 
my phone, and we had a ransomware thing. And something, there 
was a gang in Turkiye''--and this is her explaining this to 
me--``who charged us $6 million. And it was just too hard to 
clean up. We don't have the ability of understanding the 
cybersecurity. And so we just gave up and we're closing the 
business and he's going to retire.''
    That's the issue we're facing here, is that while we can 
represent large organizations that can spend millions and 
millions and millions on cybersecurity, there are exponentially 
more organizations out there--critical national infrastructure, 
small banks, grocery stores, you name it--that don't have the 
ability and need organizations like the program CISA provides 
in order to ensure that we have mature cybersecurity.
    Mr. Magaziner. Thank you.
    Mr. Garbarino. The gentleman yields back.
    I now recognize the gentleman from Tennessee, Mr. Ogles, 
for 5 minutes of questions.
    Mr. Ogles. Thank you, Mr. Chairman.
    Thank you to the witnesses.
    I think, by and large, we all agree that CISA should be 
reauthorized. So then the question becomes: How do we make it 
better? I know there have been some calls, let's do a clean re-
auth and just get it out the door quickly.
    But as we look at the landscape as we go forward, obviously 
in battlefield terms, as warfare has changed, I would argue 
that one of those battlefields is in the cyber realm.
    So, Mr. Miller, I know you've had some suggestions in 
particular, some of the definitions as it pertains to CISA. Any 
thoughts on how we can improve as we go into reauthorization to 
make it better, stronger, more robust?
    Mr. Miller. Thank you for that question, Congressman.
    Yes, I did include some recommendations in my statement. I 
mean, I do think, in general, the approach that we should be 
taking if we're looking at changes is to just ask a pretty 
simple question: Hey, what's changed in the past 10 years from 
a threat standpoint, from a technology standpoint?
    Are the very technical definitions that we have of cyber 
threat indicator and defensive measures in the bill, do they 
really account for all the different types of attacks that 
companies are experiencing today? Are we sharing the types of 
threat information that we need to counteract those threats?
    I think one example of a relatively novel type of attack 
that's grown to prominence--I mean, someone mentioned 
SolarWinds earlier--supply chain attacks, software supply chain 
attacks.
    Right now, if a company knows that there is a suspect 
supplier in its supply chain, it doesn't get the type of 
liability protections that CISA provides to share that sort of 
information.
    So if you were thinking about making surgical, precise 
edits or changes to the bill, again, I would not open it up 
entirely, but you could look at things like the definition of 
cyber threat indicator, which has, I don't know, 7 or 8 
subparts, and you could perhaps add something like derogatory 
information about a supplier in your supply chain or something 
like that.
    That's just an example. But, I mean, that's like the 
general type of approach I would take rather than making 
wholesale changes to update the law.
    Mr. Ogles. Well, kind-of going back to Mr. Gimenez's point, 
I think one of the things we need to look at is better 
information sharing, broadening the scope of who might be 
included. But then, with that, you probably need, to your 
point, the liability protections to protect someone as they're 
sharing information that otherwise might be.
    So what about the JCDC? What role might they play as we go 
forward?
    Mr. Miller. Yes. I mean, as others have testified to, the 
JCDC is a very valuable newer partnership that CISA has led, 
obviously.
    It's really focused on operational collaboration as opposed 
to simply sharing information, and that's really what this is 
all about.
    I will say, it is my understanding that you really could 
not have JCDC still without the liability protections that 
exist in CISA 15, though.
    I mean, there are MOUs that companies that participate in 
JCDC sign, but that really deals more with information 
dissemination and adhering to pretty strict traffic light 
protocols. It doesn't have anything to do with the fundamental 
liability protections and authorizations that CISA provides for 
sharing the threat information in the first place, which at the 
end of the day is what underpins JCDC.
    Mr. Ogles. Ms. Rinaldo, you touched on China in rather 
stark terms. Do you just want to give us a quick brief of are 
we adequately protecting ourselves with CISA and the 
reauthorization in terms of China and obviously their bad 
actions?
    Ms. Rinaldo. Absolutely. When we were doing our fact-
finding mission as we were drafting the legislation, one thing 
that was very abundantly clear is that more than 90 percent of 
our networks are held by the private sector. So what can we do 
as a Government to help protect the private sector?
    So the idea of information sharing and the importance of 
Government to business. I think, to your question to John, how 
do we improve the transport of information from the Government 
to business? I would say that was one part that's lacking 
today. Not necessarily need--you don't need a Congressional 
change to make that happen, just oversight. How could we stay 
on top of the agencies to make sure that they are pushing out 
information?
    Then I would also say security clearances is a big issue. 
You may have people that can get a clearance, go into a room, 
hear the information, but do you have the engineers that can 
actually act on it? So that's an important aspect as well.
    Mr. Ogles. Mr. Chairman, I know I'm out of time. But I 
would just say to all the witnesses, if you have any 
suggestions or recommendations that might be specific as to how 
we make it better, now would be the time to provide that input. 
So if you would like to send that to my office or, of course, 
to anyone on the committee, the Chairman, happy to take a look 
at that, incorporate it, because, obviously, again, as we look 
to the future, as we look to the future of warfare, this is one 
of those battlefronts. We need to be ready. We need to be 
proactive. We need to be ahead of the AI curve.
    Mr. Chairman, I yield back. Thank you for your 
graciousness.
    Mr. Garbarino. The gentleman yields back.
    I second that thought. So that's great.
    I now recognize the Ranking Member, the gentleman from 
California, Mr. Swalwell, for 5 minutes of questions.
    Mr. Swalwell. Thank you.
    To follow what Ms. Rinaldo was saying about JCDC, Ms. 
Kuehn, can you discuss how JCDC facilitates information 
sharing? To Ms. Rinaldo's point, how important is it for CISA 
2015 to be effective that we have a mechanism like JCDC that 
facilitates cross-sector information sharing?
    Ms. Kuehn. I think how JCDC disseminates today and the 
critical importance of it and, to your point, that it's a 
relatively new program, one of the things about it is it allows 
for rapid distribution when threat happens between industry and 
Government so that we have, in essence, a real-time channel of 
things that are going on.
    From an industry perspective it's really important that we 
even broaden the scope of it to work closer with the ISACs and 
to think about how we can distribute not just to the top level 
of industry but actually pull it down.
    From a JCDC perspective, I think it's one of the best 
things we've seen come out of CISA so far, and it's still 
evolving.
    But that ability to have information sharing without 
repercussion I think is one of the areas that we really need to 
focus on. So that's why looking at the, in essence, 
reauthorization of this act is so important, because we're just 
at the beginning of where JCDC could go.
    As we start to think about--we mentioned China, but if we 
think about the Chinese threats that have come in from Volt 
Typhoon, Salt Typhoon, Flax Typhoon, Nylon Typhoon--there's a 
lot of typhoons right now--we're going to see, in essence, 
cross-pollination of those critical vulnerabilities' exploits, 
and JCDC is going to be incredibly important to ensure we 
disseminate rapidly through that.
    Mr. Swalwell. To Ms. Rinaldo's point about security 
clearances, it's a frustration I share as well. My district is 
high tech and biotech, two nuclear labs. Often I hear what Ms. 
Rinaldo is saying, which is, yes, the CEO is cleared, but he's 
not the engineer. He doesn't understand. No. 1, his time is 
limited, or her time is limited; and, No. 2, he or she doesn't 
have the skill set to receive and understand the threat. But 
the problem on the Government side is they're not really 
willing to clear that many individuals.
    I just welcome your feedback on if you're seeing that. 
Because if you remember like 2 years ago, it was a 19-year-old 
who was caught leaking Ukraine war plans, and it was a military 
service member. You're like, wait, we have a 19-year-old like 
basically the war plans for Ukraine, but we have like 20-year 
professionals who we could give 1-day passes or more 
information to better protect critical infrastructure and we're 
cautious about that?
    So it just seems like we've got the priorities crosswise. 
But I'd welcome feedback from you, Ms. Kuehn, on that.
    Ms. Kuehn. It's interesting. I've been in cybersecurity for 
over 25 years, and some of the first attacks or hacks I dealt 
with were nation-state-level attacks going around the financial 
services network. You can imagine, I was 23 years old walking 
rooms with Scotland Yard and looking at data center break-ins. 
Then some of the first financial services attacks.
    I have never held a security clearance in the United States 
and I've been a risk executive of 2 Fortune 25 companies.
    The reality is that we do need to reexamine how we look at 
clearance. But we also have to think about the fact that 
cybersecurity is to some degree--and we talked about it--a team 
sport. I've known 15-year-olds who have had inventions become 
state secrets and housed in the NSA, and I've known 90-year-
olds who still sit on boards and talk about cybersecurity.
    The reality of today's risk is that cyber risk is now 
business risk. It's a question of how we look at protecting all 
the different areas. Companies look at risk from a financial, 
operational, resilience perspective, everything.
    So from a clearance perspective, it's getting the right 
individuals in an organization cleared to ensure they 
understand, but also to make it more of a common language so we 
understand the impact risk has on our organizations.
    Mr. Swalwell. Just as Mr. Ogles said, I welcome ideas, 
feedback. I am a little hesitant to want to amend this at all 
at this point, at this late hour, risking that opening this up 
would not see it reauthorized.
    But I do agree with Mr. Ogles that we need your feedback. 
Just because we reauthorize it, if we do it in a clean way, 
that doesn't mean we can't down the road, even right after 
reauthorization, have hearings and mark-ups to make it even 
better.
    But avoiding a lapse is my priority, and it sounds like, 
Ms. Kuehn, you agree.
    Ms. Kuehn. That would actually be my recommendation. I 
think that a reauthorization cleanly and then look at how we 
optimize and look at things down the road for a couple reasons.
    We're at the beginning of AI. We're still trying to figure 
out some things regarding different types of attacks. Like I 
said, we have malicious, mistake, and malfunction. I think 
there's a way we can strengthen public-private on the back of 
it. But I would recommend a clean authorization.
    Mr. Swalwell. Thank you. I yield back.
    Mr. Garbarino. The gentleman yields back.
    I now recognize myself for 5 minutes of questions.
    I just want to say, since the beginning of Congress we have 
been approached by countless stakeholders about the need to 
reauthorize CISA 2015. In fact, we have 8 statements that we 
will be submitting for the record, one of which has 52 
organizations as signatories.
    So I would like to, without objection, add these to the 
record.
    So done. OK, wonderful. So ordered.
    That's great. I can do this by myself. Wonderful.
    [The information follows:]
                    Letter From Business Roundtable
                                      May 15, 2025.
The Honorable Mark Green,
Chairman, Committee on Homeland Security, U.S. House of 
        Representatives, Washington, DC 20515.
The Honorable Bennie Thompson,
Ranking Member, Committee on Homeland Security, U.S. House of 
        Representatives, Washington, DC 20515.
The Honorable Andrew Garbarino,
Chairman, Subcommittee on Cybersecurity and Infrastructure Protection, 
        Committee on Homeland Security, U.S. House of Representatives, 
        Washington, DC 20515.
The Honorable Eric Swalwell,
Ranking Member, Subcommittee on Cybersecurity and Infrastructure 
        Protection, Committee on Homeland Security, U.S. House of 
        Representatives, Washington, DC 20515.
    Dear Chairman Green, Ranking Member Thompson, Subcommittee Chairman 
Garbarino, and Subcommittee Ranking Member Swalwell: Business 
Roundtable urges the Committee on Homeland Security to swiftly consider 
legislation to reauthorize the Cybersecurity Information Sharing Act of 
2015 to ensure there is no disruption in the critical information-
sharing activities on which the public and private sectors depend to 
defend against escalating cyber threats. A lapse in the Cybersecurity 
Information Sharing Act of 2015 authorities would hamstring both 
Federal and private-sector preparedness for and response to cyber 
threats. It would signal to malicious threat actors that, after 
September 30, 2025, the United States' cybersecurity posture will 
weaken, potentially encouraging future attacks on our critical 
infrastructure.
    Since enactment, the Cybersecurity Information Sharing Act of 2015 
has played a crucial role in facilitating information sharing on 
cybersecurity threats in the United States. By providing liability 
protections and exemptions from Federal antitrust law, Freedom of 
Information Act disclosure, and State disclosure laws, the law 
incentivizes voluntary sharing of cyber threat indicators and defensive 
measures. This law ultimately simplifies the process for sharing 
information, reducing regulatory burden and accelerating the response 
to cybersecurity incidents within and across sectors. The collective 
defense of private-sector networks is more important than ever as the 
cyber threat landscape grows increasingly perilous.
    As the Federal Government and private sector have worked to 
collaboratively improve cybersecurity, the Cybersecurity Information 
Sharing Act of 2015's framework has served as the foundation. For 
example, the law underpins not only Cybersecurity and Infrastructure 
Security Agency's (CISA) Joint Cyber Defense Collaborative but also 
serves to drive greater information sharing between the various 
critical infrastructure sectors through Information Sharing and 
Analysis Centers. Moreover, the Cyber Incident Reporting for Critical 
Infrastructure Act explicitly builds on Cybersecurity Information 
Sharing Act of 2015 by directing CISA to use consistent procedures for 
incident reporting.
    Thank you for holding today's hearing entitled ``In Defense of 
Defensive Measures: Reauthorizing Cybersecurity Information Sharing 
Activities that Underpin U.S. National Cyber Defense.'' Business 
Roundtable appreciates the Committee on Homeland Security's commitment 
to strengthening the Nation's cybersecurity defenses. Reauthorization 
of the Cybersecurity Information Sharing Act of 2015 is critical for 
the public and private sectors to defend against escalating cyber 
threats. We look forward to continued collaboration with you and your 
staff to ensure this essential authority is renewed.
                                                Amy Shuart,
      Vice President, Technology & Innovation, Business Roundtable.
                                 ______
                                 
     Statement of the Protecting America's Cyber Networks Coalition
                              May 13, 2025
    TO THE MEMBERS OF THE U.S. CONGRESS: The Protecting America's Cyber 
Networks Coalition (the Coalition) urges Congress to reauthorize the 
Cybersecurity Information Sharing Act of 2015 (CISA 2015) before it 
expires on September 30, 2025.
    Reauthorizing CISA 2015 is a top policy priority for the Coalition, 
a partnership of leading business associations representing nearly 
every sector of the U.S. economy. If CISA 2015 lapses, the United 
States will encounter a more complex and dangerous security 
environment. A variety of foreign cyber criminals are targeting our 
advanced commercial capabilities, critical infrastructure, and economic 
well-being through various tactics, such as phishing and ransomware.\1\ 
Malicious hackers target both large national corporations and local 
branches, offices, and warehouses. Their attacks impact individual 
businesses, people, and their surrounding communities.
---------------------------------------------------------------------------
    \1\ Annual Threat Assessment of the U.S. Intelligence Community, 
Office of the Director of National Intelligence, March 18, 2025. 
https://www.dni.gov/files/ODNI/documents/assessments/ATA-2025-Unclassified-Report.pdf.
---------------------------------------------------------------------------
    Sharing information about cyber threats and incidents complicates 
attackers' operations because defenders learn what to monitor and 
prioritize. Consequently, attackers are forced to invest more in new 
tools or target different victims. CISA 2015 helps defenders improve 
their security measures while raising costs for attackers.
    Congress passed CISA 2015 with bipartisan support from both parties 
and the administration.\2\ This important cybersecurity law enables 
private entities to increase their protection of data, devices, and 
computer systems while promoting the sharing of cyber threat 
information with industry and Government partners within a secure 
policy and legal framework. CISA 2015 also provides protections for 
businesses related to public disclosure, regulatory issues, and 
antitrust matters to promote the timely exchange of information between 
public and private entities. Industry and Government have a strong 
record of safeguarding privacy and civil liberties under this 
legislation.\3\
---------------------------------------------------------------------------
    \2\ Consolidated Appropriations Act, 2016 (Pub. L. 114-113), 
December 18, 2015 (see division N, title I). https://www.congress.gov/
114/statute/STATUTE-129/STATUTE-129-Pg2242.pdf.
    \3\ ``Recent Inspector General reviews have not found that 
[personally identifiable information] has been shared in violation of 
the act.'' Congressional Research Service, The Cybersecurity 
Information Sharing Act of 2015: Expiring Provisions, April 8, 2025. 
https://www.congress.gov/crs-product/IF12959.
---------------------------------------------------------------------------
    CISA 2015 is a cornerstone of American cybersecurity. It enhances 
businesses' ability to respond swiftly to today's cyber threats, 
including tackling cybersecurity issues and addressing them at scale. 
Lawmakers must send the CISA 2015 reauthorization legislation to the 
president to continue ensuring that businesses have legal certainty and 
protection against frivolous lawsuits when voluntarily sharing and 
receiving threat indicators and taking steps to mitigate cyber attacks.
    Since the implementation of CISA 2015, collaboration in 
cybersecurity has improved significantly in several ways, including 
encouraging the development and/or the expansion of information sharing 
and analysis centers, or ISACs, across multiple sectors. These centers 
serve as hubs for sharing cybersecurity information within specific 
industries, thereby boosting sector-specific threat detection and 
response capabilities.
    Cyber incidents underscore the need for legislation that helps 
businesses augment their understanding of cybersecurity threats and 
strengthen their protection and response capabilities in collaboration 
with Government entities.\4\ It is encouraging that leading members of 
the House and Senate Homeland Security and Intelligence committees 
advocated for the renewal of CISA 2015.\5\
---------------------------------------------------------------------------
    \4\ Cybersecurity: Selected Cyberattacks, 2012-2024, Congressional 
Research Service, January 8, 2025. https://www.congress.gov/crs-
product/R46974.
    \5\ ``A major cybersecurity law is expiring soon--and advocates are 
prepping to push Congress for renewal,'' CyberScoop, February 26, 2025. 
https://cyberscoop.com/cybersecurity-information-sharing-law-expiring-
congress-renewal.
---------------------------------------------------------------------------
    The Coalition is dedicated to collaborating with the Trump 
administration and lawmakers to swiftly reauthorize CISA, thus 
enhancing national security and bolstering the resilience and 
protection of the U.S. business community.\6\ Congressional action is 
urgently needed.
---------------------------------------------------------------------------
    \6\ In April 2025, Secretary of Homeland Security Kristi Noem 
called for CISA 2015 to be reauthorized. ``Homeland Security Secretary 
Noem urges partnerships to guide future of CISA, backs secure by 
design'' Inside Cybersecurity, April 29, 2025. https://
insidecybersecurity.com/daily-news/homeland-security-secretary-noem-
urges-partnerships-guide-future-cisa-backs-secure-design.
---------------------------------------------------------------------------
            Sincerely,
                                    ACT/The App Association
                                 Airlines for America (A4A)
                         Alliance for Automotive Innovation
                   Alliance for Chemical Distribution (ACD)
                           American Chemistry Council (ACC)
                   American Council of Life Insurers (ACLI)
         American Fuel & Petrochemical Manufacturers (AFPM)
                                American Gaming Association
                             American Gas Association (AGA)
                                 American Institute of CPAs
                         American Petroleum Institute (API)
   American Property Casualty Insurance Association (APCIA)
                   American Public Power Association (APPA)
     American Short Line and Regional Railroad Association 
                                                   (ASLRRA)
                    American Water Works Association (AWWA)
                                         ASIS International
                    Association of American Railroads (AAR)
          Association of Metropolitan Water Agencies (AMWA)
                           Business Software Alliance (BSA)
   College of Healthcare Information Management Executives 
                                                    (CHIME)
                          Connected Health Initiative (CHI)
                                                       CTIA
                                               CyberAcuView
                                The Cybersecurity Coalition
                            Edison Electric Institute (EEI)
                   Electric Power Supply Association (EPSA)
                             The Fertilizer Institute (TFI)
   The Financial Services Information-Sharing and Analysis 
                                           Center (FS-ISAC)
                                      The GridWise Alliance
     Healthcare Information and Management Systems Society 
                                                    (HIMSS)
                        Healthcare Leadership Council (HLC)
                                                Health-ISAC
                           Internet Security Alliance (ISA)
      InterState Natural Gas Association of America (INGAA)
                          Large Public Power Council (LPPC)
             National Association of Water Companies (NAWC)
             National Defense Industrial Association (NDIA)
       National Electrical Manufacturers Association (NEMA)
                    National Propane Gas Association (NPGA)
                           National Retail Federation (NRF)
                NCTA--The Internet & Television Association
                      NTCA--The Rural Broadband Association
                                  Open RAN Policy Coalition
                 Plumbing Manufacturers International (PMI)
                   Reinsurance Association of America (RAA)
                        Security Industry Association (SIA)
     The Software & Information Industry Association (SIIA)
                                      The Sulphur Institute
                                                TIC Council
                                   U.S. Chamber of Commerce
                       USTelecom--The Broadband Association
                        Utilities Technology Council (UTC).
           Letter From the Alliance for Automotive Innovation
                                      May 15, 2025.
The Honorable Andrew Garbarino,
Chairman, Subcommittee on Cybersecurity and Infrastructure Protection, 
        Committee on Homeland Security, U.S. House of Representatives, 
        2344 Rayburn House Office Building, Washington, DC 20515.
The Honorable Eric Swalwell,
Ranking Member, Subcommittee on Cybersecurity and Infrastructure 
        Protection, Committee on Homeland Security, U.S. House of 
        Representatives, 174 Cannon House Office Building, Washington, 
        DC 20515.
    Dear Chairman Garbarino and Ranking Member Swalwell: The Alliance 
for Automotive Innovation (``Auto Innovators'') appreciates the 
opportunity to share its support for the reauthorization of the 
Cybersecurity Information Sharing Act of 2015 (``CISA 2015''). The U.S. 
automotive industry strongly urges Congress to prevent the September 
30, 2025, expiration of this critical law, which is integral to the 
cybersecurity posture of the automotive ecosystem. We respectfully 
submit this letter for the hearing record.
    Auto Innovators represents the full automotive industry, including 
the manufacturers producing most vehicles sold today in the U.S., major 
equipment suppliers, battery manufacturers, semiconductor makers, 
technology companies, and autonomous vehicle developers. The automotive 
industry is America's largest manufacturing sector and underpins our 
nation's industrial base. The sector employs ten million Americans in 
all fifty States and drives $1.2 trillion into the economy each year--
nearly 5 percent of GDP.
    Nimbleness and agility in response to a dynamic cybersecurity 
threat environment--particularly as the modern vehicle fleet becomes 
more automated, connected, and electrified--remains a top priority for 
the U.S. automotive industry. Automotive companies rely upon the 
exchange of cybersecurity threat intelligence, defensive measures, and 
shared experiences across industry sectors to counter cybersecurity 
threats and the ever-evolving tactics and capabilities of malicious 
threat actors. Congress enacted CISA 2015 to enable such cooperation 
and collaboration with broad bipartisan support.
    Key provisions of CISA 2015 include:
   Clear authorization for information sharing of cybersecurity 
        threat indicators, defensive measures, cybersecurity incidents, 
        and significant cybersecurity concerns;
   Exemptions that safeguard shared intelligence and security 
        information from disclosure under the Freedom of Information 
        Act and State open records laws;
   Assurances that threat indicator and defensive measure 
        sharing in accordance with the law do not waive applicable 
        privileges or other protections provided by law, including 
        trade secret protection;
   Designation of threat indicators and defensive measures 
        shared by a private-sector entity with Federal entities as 
        their commercial, financial, and proprietary information; and
   Protections against claims of antitrust violations or civil 
        liability for entities when sharing information in accordance 
        with the provisions of the law.
    The Automotive Information Sharing and Analysis Center (``Auto-
ISAC'') launched the same year as CISA 2015's enactment. Established to 
serve as the trusted cybersecurity community for automotive companies, 
the Auto-ISAC facilitates the sharing of cybersecurity threat 
intelligence and insights gained from public and private-sector 
sources. CISA 2015 fostered confidence among the initial Auto-ISAC 
members that their unified, community approach to cybersecurity risk 
mitigation was lawful. In the intervening decade, Auto-ISAC membership 
has grown over 500 percent, including original equipment manufacturers, 
suppliers, autonomous vehicle developers, and technology companies, 
highlighting the value that participants see in this trusted framework. 
In addition to the exchange of invaluable information, other key 
initiatives of the Auto-ISAC include table-top exercises, cybersecurity 
training, development of best practice guides and informational reports 
on important cybersecurity topics, and the creation of a common threat 
taxonomy related to automotive cybersecurity governance.
    The Auto-ISAC's initiatives, proactive engagement efforts, threat 
and incident analyses, and dissemination of cybersecurity awareness and 
preparedness information depend on the statutory provisions of CISA 
2015. These various cybersecurity risk mitigation efforts would not be 
possible without the authorizations and protections provided by the 
law.
    As a result, Auto Innovators strongly supports Congress' 
reauthorization of CISA 2015. Such action is necessary to sustain the 
U.S. automotive industry's efforts that counter the unrelenting dangers 
posed by malicious threat actors. These efforts are crucial to ensuring 
the safe operations and resilience of the nation's largest 
manufacturing sector, and a predictable and durable policy environment 
related to cybersecurity information sharing is critical to these 
efforts. Auto Innovators looks forward to partnering with Congress on 
the reauthorization of CISA 2015, and we are grateful to the 
subcommittee for holding this hearing on such an important topic.
            Sincerely,
                                              Jennica Sims,
                                         Director, Federal Affairs.
                                 ______
                                 
 Joint Statement of Intrado Life & Safety, the National Association of 
      State 9-1-1 Administrators, and NENA--The 9-1-1 Association
                              May 15, 2025
    Intrado Life & Safety, the National Association of State 9-1-1 
Administrators, and NENA--The 9-1-1 Association thank you and the 
Members of the House Homeland Security Subcommittee on Cybersecurity 
and Infrastructure Protection for holding this critical hearing, 
titled, ``In Defense of Defensive Measures: Reauthorizing Cybersecurity 
Information Sharing Activities that Underpin U.S. National Cyber 
Defense.''
    Two hundred forty million calls are made to 9-1-1 every year. 
Together, as public safety advocates and industry leaders we proudly 
represent those who serve others in times of crisis. The networks that 
support our 9-1-1 infrastructure are the backbone of our national and 
public safety systems.
    But these networks are also under constant threat. Bad actors 
seeking to cause harm are attempting to infiltrate America's public 
safety networks on a daily basis. To combat these attempts, we must use 
every private and public sector tool at our disposal.
    That is why we have come together to voice our support for the 
reauthorization of the Cybersecurity Information Sharing Act, which 
sunsets on September 30, 2025. This legislation was enacted 10 years 
ago with the bipartisan vision of incentivizing and protecting 
information sharing between industry and Government to reduce 
cybersecurity threats to our Nation. It is working.
    As current members of information sharing and analysis centers, we 
can speak to the invaluable impact the bill has had as we work to 
defend our network and protect 9-1-1 professionals, first responders, 
and the communities they serve. Information sharing in these forums 
provides us with key insights, data, and analysis that allows for 
quick, decisive action necessary to deploy our cyber defenses.
    Nation-state actors and cyber criminals target critical 9-1-1 
infrastructure daily. If CISA's authority is not extended, we fear we 
will lose our ability to be one step ahead of those who attack our 
critical infrastructure and seek to harm our national security. In 
short, the United States will encounter a more complex and dangerous 
security environment.
    When we share information about cyber threats and incidents, we 
learn what to monitor and prioritize. This makes attack operations more 
difficult and requires bad actors to acquire new tools or target 
different victims, which raises their cost and gives us time to act.
    Information sharing is a cornerstone of cybersecurity best 
practice, and the public-private sharing that this legislation has 
encouraged is central to protecting our national security and defending 
our homeland.
    We are grateful to you and the subcommittee for holding this 
important hearing on the future of this legislation. We are hopeful it 
will lead to reauthorizing this legislation and provide needed support 
for our Nation's continued efforts to defend our 9-1-1 systems.
                                 ______
                                 
                Joint Letter From Multiple Associations
                                    April 28, 2025.
The Honorable Rand Paul,
Chairman, Homeland Security & Governmental Affairs Committee, 295 
        Russell Senate Office Building, Washington, DC 20510.
The Honorable Gary Peters,
Ranking Member, Homeland Security & Governmental Affairs Committee, 724 
        Hart Senate Office Building, Washington, DC 20510.
    Dear Chairman Paul and Ranking Member Peters: The undersigned trade 
associations (collectively, ``the associations'') urge Congress to 
extend, for at least 10 years, the Cybersecurity Information Sharing 
Act (CISA 2015), which is scheduled to expire at the end of September 
2025.
    Originally enacted in 2015 with broad bipartisan support, CISA 2015 
established the voluntary information network to enable ``public and 
private-sector entities to share cyber threat information, removing 
legal barriers and the threat of unnecessary litigation.''\1\ The law 
remains foundational to strengthening our collective defense against 
cybersecurity threats, facilitating trust in the public-private 
partnership, and serving as the backbone of essential programs across 
the Federal Government--programs that have measurably improved the 
security posture of critical infrastructure in the United States and 
strengthened the Federal Government's security awareness.
---------------------------------------------------------------------------
    \1\ Consolidated Appropriations Act, Pub. L. No. 114-113, Div. N, 
Title I--Cybersecurity Information Sharing Act, 129 Stat. 2935 (2015), 
6 U.S.C. § 1501; S. REP. NO. 114-32, at 2 (2015).
---------------------------------------------------------------------------
    Of paramount importance, the law's antitrust exemption and 
liability protections enable private-sector sharing of sensitive cyber 
information. Our Nation's critical infrastructure operators depend on 
threat indicator sharing from one another and from the Federal 
Government to strengthen their overall defenses. A lapse in CISA 2015 
authorities will curb this sharing, which is fundamental for enhancing 
overall awareness of national security threats.
    CISA 2015 continues to improve the capacity and speed of 
information sharing between the private sector and the Federal 
Government, while most critically providing necessary protections for 
privacy and confidentiality. Illustrative of this success is the joint 
effort of the Cybersecurity and Infrastructure Security Agency (CISA), 
the National Security Agency (NSA), and the Federal Bureau of 
Investigation (FBI) to identify the People's Republic of China (PRC) 
cyber actor, Volt Typhoon, in United States energy systems. This 
collaboration, fostered by CISA 2015, contributed to one of the most 
comprehensive, actionable, declassified cyber information sharing 
reporting in our Nation's history and continues to lead to further 
discoveries of this advanced persistent threat actor in other critical 
infrastructure sectors.
    Extending CISA 2015 is also pivotal for supporting the 
effectiveness of Federal programs, like CyberSentry \2\ and ``Section 
9''\3\ support, that mutually benefit the Federal Government as well as 
the infrastructure operator. In addition, CISA 2015 plays an essential 
role in the functions of CISA's Joint Cyber Defense Collaborative 
(JCDC), which reduces cyber risk by unifying the cyber defense 
capabilities and actions of Government and industry partners, including 
the associations' members. Furthermore, these statutory provisions are 
so undeniably indispensable that they are incorporated by reference in 
other significant cyber laws, including the Cyber Incident Reporting 
for Critical Infrastructure Act.\4\ Within the legal framework of the 
industry's Cyber Mutual Assistance (CMA) Program, CISA 2015 provides 
CMA Program participants additional protections when sharing certain 
sensitive cybersecurity information with one another. These additional 
protections strengthen the program and enhance security for the 
industry by encouraging and protecting greater sharing of cybersecurity 
information between private entities.
---------------------------------------------------------------------------
    \2\ Participating entities share threat information with CISA in 
real time for analysis and further dissemination to critical 
infrastructure operators across the Nation. CyberSentry also provides 
valuable insights into the nature and scope of potential cyber attacks, 
and facilitates proactive mitigation as well as swift and effective 
incident response planning.
    \3\ See Executive Order--Improving Critical Infrastructure 
Cybersecurity § 9 (February 12, 2013). https://
obamawhitehouse.archives.gov/the-press-office/2013/02/12/executive-
order-improving-critical-infrastructure-cybersecurity.
    \4\ See 6 U.S.C. § 681e.
---------------------------------------------------------------------------
    For these reasons, an expiration of these protections risks leaving 
our infrastructure more vulnerable to cyber incidents that could impact 
operational integrity and resilience. The associations and the 
companies we represent thank you for your leadership on this issue and 
stand ready to engage with Congress to ensure CISA 2015 remains 
prioritized in reinforcing our national and energy security goals.
            Sincerely,
            American Fuel & Petrochemical Manufacturers Association
                                           American Gas Association
                                       American Petroleum Institute
                                    American Public Gas Association
                                          Edison Electric Institute
                                                      GPA Midstream
                      InterState Natural Gas Association of America
                                Liquid Energy Pipeline Association.
CC: The Honorable Mark Green, Chairman, House Homeland Security 
Committee; The Honorable Bennie Thompson, Ranking Member, House 
Homeland Security Committee; The Honorable Tom Cotton, Chairman, Senate 
Select Committee on Intelligence; The Honorable Mark Warner, Ranking 
Member, Senate Select Committee on Intelligence; The Honorable Rick 
Crawford, Chairman, House Permanent Select Committee on Intelligence; 
The Honorable Jim Himes, Ranking Member, House Permanent Select 
Committee on Intelligence.
                                 ______
                                 
 Statement of the Operational Technology Cybersecurity Coalition (OTCC)
                              May 15, 2025
    The Operational Technology Cybersecurity Coalition, a dedicated 
group of cybersecurity vendors committed to safeguarding our Nation's 
critical infrastructure, writes to urge the reauthorization of the 
Cybersecurity Information Sharing Act of 2015 (CISA 2015).
    Since its enactment following the Office of Personnel (OPM) data 
breach, CISA 2015 has provided a vital framework for voluntary public-
private cyber threat information sharing, thereby strengthening our 
collective national cyber defenses. On November 12, 2024, your full 
House Committee on Homeland Security released a cyber threat snapshot 
that detailed a 30 percent increase in cyber attacks targeting critical 
infrastructure since 2023. The report also cited the Cybersecurity and 
Information Security Agency's findings that ransomware reports across 
all sectors increased over 70 percent from 2022 to 2023. The escalating 
sophistication of cyber threats, underscored by recent attacks on 
critical infrastructure including Volt Typhoon and Salt Typhoon, and on 
Federal agencies in incidents like SolarWinds, Storm 0558, and MOVEit, 
highlights the persistent and critical need for this legislation.
    CISA 2015 has successfully facilitated collaboration by providing 
legal protections, including antitrust exemptions, necessary for 
companies to confidently share threat indicators and defensive measures 
with both governmental partners and other private entities. This 
collaborative environment has demonstrably improved the speed and 
capacity with which our Nation can respond to large-scale cyber 
incidents such as the Log4j JNDI attack and the CrowdStrike/Microsoft 
incident of 2024. In 2022, the latest year for which there is published 
data, 413,834 cyber threat indicators were shared with the 
Cybersecurity and Information Security Agency. For operational 
technology assets of critical infrastructure, this speed is essential 
to effectively mitigate cyber attacks, which is the core mission of our 
Coalition.
    We firmly believe that a lapse in the CISA 2015 framework would 
inevitably and immediately reduce the crucial flow of information, 
leaving the United States--civilian, military, commercial, et al--more 
vulnerable to the malicious activities of nation-state actors and cyber 
criminals. These established communication channels are essential for 
maintaining situational awareness and enabling rapid, effective 
responses to security incidents which are crucial to protecting 
operational technology. Furthermore, the provisions of CISA 2015 are 
foundational to other significant cyber laws, including the Cyber 
Incident Reporting for Critical Infrastructure Act (CIRCIA), making its 
reauthorization essential for the stability of our broader 
cybersecurity legislative landscape.
    The Operational Technology Cybersecurity Coalition champions an 
open, vendor-neutral approach to cybersecurity, a principle that is 
bolstered by voluntary information-sharing frameworks like the one 
established by CISA 2015. Echoing our formal communication sent to 
Congress on March 21, 2025, we reiterate the urgent call for the 
extension of the Cybersecurity Information Sharing Act of 2015. 
Preserving this framework is paramount to maintaining and enhancing the 
crucial information-sharing capabilities that protect our Nation's 
critical infrastructure and ensure our national security against ever-
evolving cyber threats.
    We thank the subcommittee for your leadership on this important 
matter and remain committed to working alongside you.
                                 ______
                                 
              Statement of the National Retail Federation
                              May 15, 2025
    The National Retail Federation (``NRF'') submits this statement to 
the committee for its hearing entitled ``In Defense of Defensive 
Measures: Reauthorizing Cybersecurity Information Sharing Activities 
that Underpin U.S. National Cyber Defense'' and in support of the 
extension and reauthorization of the Cybersecurity Information Sharing 
Act of 2015 (``CISA 2015''). The framework established by CISA 2015, 
including its liability protections, has facilitated increased 
collaboration and information sharing both within the retail sector and 
between related stakeholders and partners over the past decade. It is 
critical that Congress reauthorizes the law before September 30, 2025.
    NRF passionately advocates for the people, brands, policies, and 
ideas that help retail succeed. From its headquarters in Washington, 
DC, NRF empowers the industry that powers the economy. Retail is the 
Nation's largest private-sector employer, contributing $3.9 trillion to 
annual GDP and supporting 1 in 4 U.S. jobs--52 million working 
Americans. For over a century, NRF has been a voice for every retailer 
and every retail job, educating, inspiring and communicating the 
powerful impact retail has on local communities and global economies.
    For more than a decade, NRF has worked to increase collaboration 
among retailers on cybersecurity. In 2014, NRF established its IT 
Security Council, a forum for retail Chief Information Security 
Officers (CISOs) and other senior members of their teams to engage with 
each other; share best practices; and participate in workshops, 
benchmarking surveys, and sector-specific cyber exercises.\1\ In early 
2023, NRF established a formal partnership with the Retail and 
Hospitality Information Sharing and Analysis Center (``RH-ISAC'') and 
today works closely with them to increase sector-wide cybersecurity 
engagement.\2\ NRF has also worked to build ties with key Governmental 
partners on cybersecurity issues, including the Federal Bureau of 
Investigation (FBI), U.S. Secret Service, National Institute for 
Standards and Technology (NIST), and the Cybersecurity and 
Infrastructure Security Agency (CISA).
---------------------------------------------------------------------------
    \1\ NRF IT Security Council webpage. https://nrf.com/membership/
committees-and-councils/it-security-council.
    \2\ NRF press release, January 9, 2023. https://nrf.com/media-
center/press-releases/retail-hospitality-isac-and-national-retail-
federation-partner-enhance.
---------------------------------------------------------------------------
    Over the past decade, we have seen a gradual increase in the 
willingness of retailers to share cyber threat indicators that they 
have uncovered and collected, both via the RH-ISAC and directly with 
Government and industry partners. While the number of retailers that 
shared their own cyber threats indicators in the years immediately 
after CISA 2015 was limited, this engagement has increased over time, 
such that the RH-ISAC reported that 60 percent of its 300+ member 
companies had contributed cyber intelligence within the ISAC in 2024, 
including over 51,000 indicators of compromise and nearly 2,000 
responses to requests for information.\3\
---------------------------------------------------------------------------
    \3\ RH-ISAC, 2024 Year in Review Report. https://rhisac.org/wp-
content/uploads/2024_RH-ISACYearinReview.pdf.
---------------------------------------------------------------------------
    Several factors explain this increase in information sharing over 
the past decade. Many large and medium-sized retailers have 
significantly increased the size and capability of their cybersecurity 
teams, which has strengthened efforts to detect and share information 
on threats. Retail legal teams have also gradually become more 
comfortable with allowing their cyber teams to share threat 
information, in large part due to the liability protections provided by 
CISA 2015. In the years immediately after CISA 2015 was enacted, NRF 
regularly heard from retail CISOs that their legal teams were reluctant 
to allow cyber threat information sharing. But over time, this 
reluctance has waned, and more teams are able to proactively share 
cyber threat information. We are concerned that this progress will 
stall or reverse if CISA 2015 lapses later this year.
    Given the urgency of this reauthorization, NRF's priority request 
is for a clean extension of CISA 2015, consistent with the language in 
Senate legislation introduced last month by Senators Gary Peters (D-MI) 
and Mike Rounds (R-SD).\4\ If there are opportunities to further amend 
the law as part of reauthorization, or in subsequent legislation, we 
would also support modest changes to the definitions of ``cybersecurity 
threat,'' ``cyber threat indicator'' and ``defensive measure'' that 
would clarify that CISA 2015 also applies to threat information related 
to cyber crime and on-line fraud, given the significant growth in 
threats in these domains over the past several years and the 
convergence of cyber and fraud threat actor tactics.
---------------------------------------------------------------------------
    \4\ S. 1337, Cybersecurity Information Sharing Extension Act. 
https://www.congress.gov/bill/119th-congress/senate-bill/1337.
---------------------------------------------------------------------------
    In support of the extension and reauthorization of CISA 2015, 
cybersecurity leaders at NRF and RH-ISAC member companies have provided 
examples of how cybersecurity information sharing has helped them 
prevent, disrupt, or respond to relevant cyber threats. The following 
quotes are relevant excerpts from these comments, anonymizing the 
company names by their general retail category:
CISO of National Grocery Chain
    ``We've found great success in information sharing both across 
industry and with our Government partners. We engage regularly with our 
Secret Service partners regarding intelligence we've gathered targeting 
retail skimming rings in several large markets across the industry. 
This work has DIRECTLY resulted in convictions of criminals attempting 
to place skimmers across various retailers in markets across the 
country.
    ``We were warned by an ISAC partner that a prolific threat group 
was spinning up a campaign against us. This advanced warning gave us 
time to prepare for the incoming attack.
    ``Recently, we were able to leverage the ISAC to anonymously share 
information regarding a potential breach of a third-party service 
provider. Our sharing allowed other ISAC members to make better 
decisions at a time when public information was scarce and fear, 
uncertainty, and doubt were circulating everywhere.''
CISO of National Sporting Goods Chain
    ``Within the first month of starting my new CISO role at a new 
company, I saw a post on the Retail & Hospitality ISAC portal from a 
cyber threat intel analyst that provided indicators of compromise (IOC) 
that contained over 600 known email addresses associated with the 
Democratic People's Republic of Korea (DPRK, aka North Korea) threat 
actor known as FAMOUS CHOLLIMA. This group impersonates U.S.-based tech 
workers applying for remote jobs, and when hired, will syphon the 
salaries to the DPRK government, steal sensitive data, and cause harm 
(e.g., ransomware) when discovered or when they have achieved their 
objectives.
    ``I forwarded the link to my Security Operations Center (SOC) 
Manager, who also leads our Cyber Threat Intelligence (CTI) function, 
and asked if they had seen these IOCs yet, and if not, to please add 
them to our tooling for detection, blocking, and alerting. The 
following day we had 3 hits where the threat actor had applied for 
multiple jobs with the company, and one had already completed their 
interviews and was about to receive an offer. We were able to 
immediately stop the hiring process, which prevented an unknown but 
likely significant event, and we now have a process that continues to 
update these IOCs to prevent future risks with this and similar 
threats.''
CISO of Footwear Company
    ``RH-ISAC has been essential in helping protect our organization 
from modern cyber threats. There is no other place we get the quality 
of intelligence at the pace we need to action on it before adversaries 
take advantage of us. The recent major outages in the U.K. commercial 
sector attributed to Scattered Spider highlight what happens when 
threat actors use the same tactics against organizations that aren't 
sharing intelligence. Using intelligence from RH-ISAC partners, we have 
been able to detect and prevent these exact types of attacks and keep 
our business running and customer data secure.
    ``Having access to verified community intelligence has allowed us 
to prevent malware infections, identify critical vulnerabilities, 
mitigate supply chain attacks, and respond to incidents more quickly 
than we otherwise would have been able to. This intelligence is a vital 
part of our information security practice.''
IT Leader at Book Retailer
    ``Our company uses the CISA portal to monitor cybersecurity and 
strengthen our threat awareness and incident response education--both 
of which are critical to our cybersecurity program. These capabilities 
help safeguard our systems, protect customer data and reduce 
operational risk. CISA 2015 was established to enable secure 
information sharing between the Government and private sector, helping 
organizations like ours stay ahead of emerging threats and coordinate 
timely responses. Eliminating this framework would reduce visibility 
into nationwide cyber risks and weaken our ability to respond quickly, 
increasing the likelihood of financial loss, service disruptions, and 
reputational damage.''
CISO of National General Merchandise Retailer
    ``We have numerous examples of successful cyber information sharing 
within retail to address and defend against threats.
    ``As one example, Atlas Lion is a cyber criminal group targeting 
retail, hospitality, and gift card organizations that has been active 
since at least 2021. They manipulate victims into providing log-in 
information through SMS phishing and phishing, and once inside a 
network, they quickly identify and exploit gift card systems to 
facilitate gift card fraud and theft. As part of their Threat 
Intelligence processes, one of the larger retail cybersecurity teams 
identified phishing and credential harvesting infrastructure 
proactively and notified companies of likely phishing attempts before 
they happened. Together with other mature retail cyber programs, they 
shared infrastructure tracking for this threat actor with the RH-ISAC, 
enabling other retailers to proactively defend their infrastructure 
before the cyber criminals send phishing campaigns.
    ``As a second example, Payroll Pirates is a cyber criminal group 
that uses phishing and fake log-in sites to steal victims' log-in 
information for human resources and payroll systems. This group sends 
phishing emails and sets up malicious advertisements on search engines. 
Once a victim enters their credentials, Payroll Pirates uses that 
information to redirect salaries and payroll to bank accounts 
controlled by the cybercriminal group. One of the mature retail 
cybersecurity programs proactively monitored this group's 
infrastructure and alerted multiple RH-ISAC organizations of 
infrastructure targeting these companies, helping them and their 
employees defend against fraud.''
CISO of Fashion Retailer
    ``As a member of the RH-ISAC, I can confidently state that our 
participation has been transformative for our security posture. Prior 
to joining the RH-ISAC in 2019, our company experienced a credit card 
breach. Based on the intelligence sharing and collaborative security 
resources we've accessed through RH-ISAC membership since then, I am 
100 percent certain that had we been members beforehand, we would have 
prevented that breach entirely.
    ``Our membership has enabled us to advance our security program 
much more rapidly and in a targeted way compared to attempting to build 
our defenses independently. The threat intelligence and best practices 
shared through the RH-ISAC have directly contributed to protecting our 
customers' data and our business operations.''
CISO of Footwear Manufacturer and Retailer
    ``Information sharing fosters a culture of trust and collaboration 
within the cybersecurity community--specifically sharing of Indicators 
of Compromise and having that level of information to help reduce 
impact of known attacks. There isn't a need to `suffer' as individual 
companies but rather pooling resources and knowledge, we can develop 
stronger defenses.''
CISO of a Regional Grocery Chain
    ``Due to the sharing provisions of CISA 2015, our organization--a 
retail grocery chain--has been well prepared to prevent, detect, and 
respond to threats that would otherwise be unknown to us. One such 
example is recent activity from North Korean nation-state threat actors 
targeting retailers in fake remote work schemes. Intelligence like this 
comes from a complex blend of Classified, unclassified, and private 
sources. CISA 2015 removes the friction of collecting and compiling 
these sources for CISA and facilitates their ability to distribute a 
threat intelligence product that is easily digestible and rapidly 
actionable by us. Our organization, and many others like us, lack the 
resources to achieve this outcome on our own. We urge you to 
reauthorize CISA 2015 to maintain this essential public-private 
cybersecurity partnership.''
CISO of Consumer Goods Product Manufacturer
    ``In previous roles in the Defense and Aerospace sectors, I 
experienced first-hand the value of threat intelligence sharing between 
companies that were essentially competitors and the direct impact on 
national defense. In my current role, and with a much smaller 
cybersecurity team, we rely heavily on the intelligence and peer 
sharing within the ISAC to protect the company and maintain operations. 
It is almost impossible for companies smaller than $20 billion to 
effectively self-fund and manage their own threat intelligence teams/
process/reporting.''
Cyber Leader for Truck Stop Company
    ``Information sharing between private companies, Government 
agencies, and law enforcement has been critical in furthering our 
cybersecurity posture. In several instances, information provided to 
law enforcement, under the security of the Cybersecurity Information 
Sharing Act of 2015, has been fruitful in thwarting fraud, breaches, 
and other potentially harmful events.''

    * * * * *
    NRF is available to provide additional context on these comments 
with the committee upon request, including opportunities for direct 
dialog between retail cybersecurity leaders and committee Members and/
or committee staff.
    Thank you for focusing on this important issue. We encourage you to 
continue to work over the next 4 months to ensure that CISA 2015 is 
reauthorized and extended before the September 2025 expiration date.
                                 ______
                                 
   Letter From the Software & Information Industry Association (SIIA)
                                      May 15, 2025.
The Honorable Andrew Garbarino,
Chair, Subcommittee on Cybersecurity and Infrastructure Protection, 
        U.S. House of Representatives, Committee on Homeland Security, 
        H2-176 Ford House Office Building, Washington, DC 20515-6480.
The Honorable Eric Swalwell,
Ranking Member, Subcommittee on Cybersecurity and Infrastructure 
        Protection, U.S. House of Representatives, Committee on 
        Homeland Security, H2-176 Ford House Office Building, 
        Washington, DC 20515-6480.

Re: ``In Defense of Defensive Measures: Reauthorizing Cybersecurity 
Information Sharing Activities that Underpin U.S. National Cyber 
Defense''

    Dear Chair Garbarino and Ranking Member Swalwell: On behalf of the 
Software & Information Industry Association (SIIA), I write to urge the 
subcommittee to consider reauthorization of the Cybersecurity 
Information Sharing Act of 2015 (CISA 2015) during its May 15 hearing, 
``In Defense of Defensive Measures: Reauthorizing Cybersecurity 
Information Sharing Activities that Underpin U.S. National Cyber 
Defense.'' We would appreciate your including our views in the record 
of the hearing.
    SIIA is the principal trade association for those in the business 
of information, including its aggregation, dissemination, and 
productive use. Our members include roughly 380 companies reflecting 
the broad and diverse landscape of digital content providers and users 
in academic publishing, education technology, and financial 
information, along with creators of software and platforms used 
worldwide, and companies specializing in data analytics and information 
services.
    SIIA supports reauthorizing CISA 2015, which is scheduled to expire 
on September 30, 2025.\1\ Cybersecurity is a critical legislative 
priority, and one essential to the safety and security of a functioning 
democracy and a robust private sector. Information sharing between the 
Government and the private sector--as well as among private-sector 
entities--helps to harmonize meaningful cybersecurity safeguards with 
appropriate business compliance, and smooth implementation of joint 
cybersecurity efforts.
---------------------------------------------------------------------------
    \1\ The bipartisan Cybersecurity Information Sharing Extension Act, 
introduced in the Senate at S. 1337, provides for a clean extension. No 
such legislation has been introduced in the House this session.
---------------------------------------------------------------------------
    CISA 2015's protections for private-sector cyber defenders, 
including its antitrust exemption, have led to increased public-private 
collaboration and cyber threat information sharing, and has also 
improved information sharing within the private sector. This foundation 
has enabled American businesses to address and respond to cybersecurity 
threats and has raised the level of cyber resilience in critical 
infrastructure sectors and beyond. By improving cybersecurity 
resilience, CISA 2015 has also helped to advance consumer privacy and 
mitigate the impact of breaches. This has also benefited consumer 
privacy interests, since information sharing among private-sector 
entities, especially around threat indicators, has been foundational 
for responsibly stewarding customer data in the face of these threats.
    Permitting CISA 2015 to lapse would be detrimental to the United 
States' cybersecurity posture at a time when cybersecurity risks are 
intensifying in intensity and scope. Recent incidents, including the 
Salt Typhoon attack and the BeyondTrust incident, underscore the 
importance of strengthening domestic cooperative efforts to counter 
these threats.
    Reauthorizing CISA 2015 is an essential first step, but more should 
be done. We also encourage the subcommittee to examine ways to further 
incentivize information sharing with the public sector, which has 
lagged private-to-private sharing in recent years.\2\ This may include 
expanding CISA 2015's definitions of ``cyber threat indicators,'' 
``defensive measures,'' ``cybersecurity purpose,'' and ``cybersecurity 
threat'' to expand liability protections and further encourage sharing 
in a wider variety of contexts. Congress may also wish to consider 
extending liability protections to direct sharing with agencies beyond 
DHS and its automated indicator sharing system.
---------------------------------------------------------------------------
    \2\ See, e.g., Megan L. Brown, et al., ``CISA 2015 
Reauthorization--Are Changes on the Horizon?,'' Wiley Connect (Mar. 3, 
2025), https://www.wileyconnect.com/CISA-2015-Reauthorization-Are-
Changes-on-the-Horizon; see also Sean Lyngaas, ``Private Sector Isn't 
Sharing Data with DHS's Threat Portal,'' CyberScoop (Jun. 28, 2018), 
https://cyberscoop.com/dhs-ais-cisa-isnt-used-jim-langevin/.
---------------------------------------------------------------------------
    Although undoubtedly helpful to enforcers, CISA 2015's exception 
permitting Government use of shared information to inform regulation 
and enforcement may have unintentionally chilled public-private 
sharing. Last, greater information sharing from the Government to the 
private sector--especially in the context of incidents targeting 
critical infrastructure--would be a boon to private-sector cyber 
defenders. Congress can address this by providing statutory guidance 
and direction to the Cybersecurity and Infrastructure Security Agency.
    Thank you for considering our views and for the subcommittee's 
attention to this important matter. SIIA looks forward to continuing to 
engage with the subcommittee as its work continues.
            Sincerely,
                                             Paul N. Lekas,
Senior Vice President, Global Public Policy, Software & Information 
                                       Industry Association (SIIA).

    Mr. Garbarino. I know you all have said re-auth has to 
happen, so I'm not even going to start with that question. 
Everybody is saying that it has to happen. It sounds like clean 
re-auth, everybody thinks, is the best way to do it just to 
make sure it's done.
    What would happen if this did not get reauthorized? You can 
all jump in. I want to hear from everybody. I feel like we need 
to get on the record why it's so important this has to be 
reauthorized. What would happen if it wasn't reauthorized?
    Want to start, Mr. Miller?
    Mr. Miller. Yes. Thank you for the question, Chairman.
    I mean, I think if it was not reauthorized there would be 
an immediate chilling effect, at least for some organizations 
on their willingness and ability to share, because those 
express authorizations in the bill and those attendant 
liability protections would go away.
    I mean, this is not to say that information sharing itself 
would completely stop. Information sharing did occur before 
CISA 15, but a lot more of it is occurring after CISA 15.
    In particular, automated sharing at scale, again, as I 
understand it as a lawyer, not as a cybersecurity operator, 
didn't really exist in nearly the same way that it does today, 
and the bill should be credited for that.
    I personally think it's an open question given what exactly 
the fate of, for instance, the Automated Indicator Sharing 
program at CISA would be if the bill went away, because their 
authorization to run it would go away. It doesn't mean they 
would necessarily stop doing it. We don't have Homeland 
authorizations every year, as you know. But it would put things 
into question.
    So I think this would undermine a lot of certainty across 
industry and Government and, thus, undermine the certainty that 
we have with the trusted sharing partnerships that have been 
built since CISA 15.
    Mr. Garbarino. Ms. Rinaldo.
    Ms. Rinaldo. You are taking the decision from the CISO to 
the general counsel's office, and that is going to slow 
everything.
    Mr. Garbarino. Us attorneys are the worst.
    [Laughter.]
    Ms. Rinaldo. I wasn't going to say that.
    Mr. Garbarino. I can say it. It's OK.
    Mr. Schimmeck.
    Mr. Schimmeck. Yes. Reiterate that. Basically, firms would 
immediately hesitate. There would be uncertainty in what would 
be shared. Things would slow down.
    The other thing is, you would very much be locking out the 
small and medium-sized businesses and companies and vendors. 
This would be a big-firm-only play, because we would be the 
only ones willing to try it, willing to evaluate it.
    Then you'd also, I think, you'd start to see what we saw 
previously, which is every firm building bilateral gratis with 
the U.S. Government instead of going through this framework.
    Mr. Garbarino. It's a very key point. Thank you for making 
that.
    Ms. Kuehn.
    Ms. Kuehn. Just to reaffirm everything that everyone else 
has said. But you're right, there was information sharing 
before 2015. We did have it. But it was picking up the phone 
and kind-of chatting behind closed doors.
    That's going to hinder from both a proactive and a reactive 
cyber defense strategy if we don't have those safe harbors. To 
my fellow committee Member's point, it puts it in the hands of 
the lawyers.
    The reality is, is that with AI coming in, with what we're 
seeing with the rapid spread of threats, we don't have time for 
it to go to the lawyers at this point. We have to be able to 
share information quickly.
    Mr. Garbarino. The slower we are, the more exposed we are.
    Ms. Kuehn. Hundred percent.
    Mr. Garbarino. That information sharing is very important.
    Mr. Schimmeck, I want to ask you both--you worked at--you 
worked with SIFMA for a while. I wanted to know if you could 
specifically share some information or some anecdotal 
information about how your companies or other companies you've 
worked with have shared information under this law.
    Mr. Schimmeck. Sure. So what we'll use this for typically 
is we will provide the information via AIS. So we have that 
path of sharing information with DHS when we need to. We also 
use other mechanisms, phone calls, email.
    DHS provides multiple ways for us to submit information. So 
it provides maximum flexibility for firms to go do that. But 
then it also enables us to go peer-to-peer.
    There is probably not a day that goes by that I'm not 
talking to a peer CISO out there on some issue that's going on, 
either emerging or on an active threat that we're dealing with.
    This just provides us that flexibility to make sure that 
anything we're sharing we're protected, we're doing it under 
the best intentions. So it really allows us to, as we say in 
financial services, this is a noncompetitive topic for us.
    We want to make sure that the entire system is protected, 
because if there's an attack against one bank, it calls into 
question the entire system. Financial services, more than 
anything else, is built on trust.
    Mr. Garbarino. I appreciate that. My time has expired.
    We're going to start a second round of questioning, and I'm 
now going to recognize for a second round of questioning the 
gentleman from Florida, Mr. Gimenez, 5 minutes.
    Mr. Gimenez. I'm trying to figure out where I'm going to 
go.
    Mr. Swalwell. Uh-oh. Watch out.
    Mr. Gimenez. I'm not so sure I share the Ranking Member's 
problems with a 19-year-old. In ``Ender's Game'' the guy was 
like 12 years old, and he defeated an entire alien race. So 
maybe the Ukrainians are onto something. So there, that's where 
I was going.
    So my question is, and anybody can answer this, are we as a 
country spending enough?
    Because I do believe that at the end the solution is not 
going to be--yes, we need a number of people--but with 
artificial intelligence I can see the day that you're going to 
be both on the offense and defensive side.
    You will have literally millions of attacks per minute 
being launched and counter-launched and defended against. Then 
the systems learning from each other and probing and defending, 
probing, probing, and then basically, almost at the speed of 
light.
    No, we can't have--there's no way we can ever fund that 
many people.
    So are we investing enough as a country in artificial 
intelligence in order to protect us from what we know is going 
to be the threat, which is really artificial intelligence-
launched cyber attacks on our country and our infrastructure 
and everything? Are we investing enough in artificial 
intelligence that will counter that?
    Ms. Kuehn. I think, first of all, from the investment 
question, my other role is I'm head of global advocacy for--
cyber advocacy for a privately-held company. From an AI 
perspective, we've invested over a half-billion dollars and a 
billion in labs just to look at all the different technologies 
that are coming in right now, both from a proactive and 
reactive AI perspective.
    What I would say is, I think that we do need to invest 
more, but I think one of the critical areas is in public-
private partnership, is getting closer with the organizations 
like NVIDIA and others that are on the front lines of creating 
AI, and also then the companies that are defending AI, which 
many of them are early stage organizations.
    So the more we can strengthen the public-private 
partnership from Government and industry to approach how we 
look at AI, how we look at, like I said, malicious, 
malfunction, mistake going in the future, it's going to have 
benefit across all areas of industry.
    Mr. Gimenez. Are we unified in an approach, or is everybody 
just doing their own thing as individual companies? Is CISA 
doing its own thing? Is DOD doing its own thing? Is Oracle 
doing its own thing? Or would it be beneficial to maybe have 
some other different kind of legislation that kind-of starts to 
focus it all? Because it's a mutual defense system that we 
really have to build here, not just, gee, OK, DOD is protected, 
but, gee, it's too bad that our critical infrastructure wasn't.
    So are we there? Where are we with that? Is everybody just 
developing their own, or do we have some kind of a strategy to 
kind-of focus in on that to develop--instead of the golden 
shield, this will be the cyber shield, which is it's going to 
be artificial intelligence. That's the way it's going to be. 
Where are we on that?
    Ms. Rinaldo. So I would say that different agencies are 
focusing on it for their specific needs. There is not one 
holistic approach to it but more of a buckshot, if you will. I 
think there is more of a holistic approach to how we manage AI 
moving forward, but I think there's a lot of exciting 
applications.
    In my day job I run a telecom trade association, and we're 
really focusing on 6G and how AI is going to shape sensing 
communications moving forward, so you're able to detect 
anomalies in a network, whether it be security, whether it be 
weather-related. You could tell a certain portion of the 
network is down. That's all going to be done by AI.
    So there are a lot of great aspects of it, and I think it's 
really important for the different agencies to kind-of focus 
and really hone in on their particular function.
    Mr. Gimenez. Do you think our adversaries are somewhat 
scattered like we are, or do you think they're more focused on 
their goals?
    Ms. Rinaldo. I think China remains an existential threat to 
us on these issues.
    Mr. Gimenez. Are they focused, or do they have a 
scattershot kind of approach to their development of AI?
    Ms. Rinaldo. So what we've seen, and from my work at the 
House Intel Committee on Huawei, is that China is especially 
focused on certain individual companies as opposed to we 
support sectors. So they will want to see one individual 
company succeed globally while we push a sector. So in that 
instance, they are honed in.
    Mr. Gimenez. Should we match that?
    Ms. Rinaldo. No.
    Mr. Gimenez. No? OK.
    My time is up. I wish I could go further, but I'm done. 
Thank you.
    Ms. Rinaldo. True innovation happens when you have multiple 
different companies competing.
    Mr. Garbarino. The gentleman yields back.
    With the consent of the Ranking Member, I now recognize the 
gentleman from Tennessee, Mr. Ogles, for 5 minutes.
    Mr. Ogles. Thank you again, Mr. Chairman.
    I also sit on the Financial Services Committee, and, Mr. 
Schimmeck, I'd love to hear from you as one of the things that 
concerns me is the sophistication of AI and how we're seeing 
that play out in the financial sector and just the risks that 
are involved there.
    So, what are the next phases? Does this go far enough? 
Again, if we're going to come back and do a clean-up or 
revision of this at some later date, what needs to be included?
    Mr. Schimmeck. Yes. So AI, obviously, it's an area of 
investment for financial services both on the business side but 
also on the security side as well.
    Very much still early days in regards to how we're going to 
embed that within our operations, but pretty much every firm 
has got a strategy around this and are making significant 
investments, to Mr. Gimenez's point.
    In regards to how this is going to affect CISA, I think 
we're not really sure how this is going to play out and how 
we're going to want to share information, whether it's going to 
be in agentic AI within a financial services firm sharing with 
another agentic AI within DHS or within another agency. So I 
think that's something we'll have to work at.
    I think it goes to maybe some of the improvements we can 
have on the AIS systems. The AIS system was probably designed 
10 years ago. It's operational. It accomplishes the mission. 
But it's definitely something that could be modernized both 
with AI or even other opportunities to just improve the level 
of detail and to just make it more consumable for us as both a 
submitter and a consumer of that information.
    Mr. Ogles. Ms. Kuehn, you mentioned the typhoon attacks. As 
a former county executive one of the things that concerns me 
across our landscape isn't the larger companies. Obviously, 
they're a target and there's risk associated with it, but it's 
that critical infrastructure in rural Tennessee that supports 
hundreds of thousands if not millions of people across this 
network.
    What's the end game there? How do we help these smaller 
communities that, quite frankly--so I'll give you an example. 
In metro Nashville or Memphis or even the suburb, Williamson 
County, which is a very affluent county, they have the 
resources to have an IT department.
    If you go a little further south, east, or west, the IT guy 
is probably also the H.R. guy, and they're not equipped to 
defend a county--the water system, the electrical grid--from 
these types of attacks. So what do we do going forward?
    Ms. Kuehn. I think part of it is, again, and I sound like a 
broken record, it's public-private partnership.
    So the 2 attacks you just mentioned, so I'll use Salt and 
Flax, both of them are exploiting critical vulnerability 
exploits that were back from, like, 2018, 2021 on known, 
basically antiquated network and technology gear.
    So it's, again, educating smaller and mid-sized businesses. 
To your point, I saw a statistic recently that 80 percent of 
critical national infrastructure is sitting in small and medium 
business.
    So working with those organizations to create modernization 
plans, working with organizations that have the CVEs to help 
with creating, in essence, modernization, technology upgrade, 
helping small to medium businesses and critical national 
infrastructure organizations upgrade to technology that is not 
vulnerable anymore and putting action plans together to do so.
    The typhoons are--they're not going to care whether you're 
a large or a small organization. They're going to care about 
the disruption that it causes to critical national 
infrastructure. So it's going to take a shoulder-to-shoulder 
proactive measure between public and private to ensure that we 
don't have disruptive behavior from them.
    Mr. Ogles. Not that I want to be one of the Members of 
Congress that authorizes Skynet, but it's almost like we need a 
cyber shield that better equips our private and public partners 
in this space. But, again, proceed with caution.
    I yield back.
    Mr. Garbarino. The gentleman yields back.
    I now recognize the Ranking Member, Mr. Swalwell from 
California, for a second 5 minutes of questions.
    Mr. Swalwell. Great. Thank you, Chair.
    Ms. Kuehn, how has the loss of CIPAC impacted information 
sharing?
    Ms. Kuehn. I think when you look at the loss of CIPAC 
there's kind-of 2 things, whether you're talking about CIPAC or 
any of the councils, so from the advisory council perspective 
and then the safety review board. The work that it does is the 
education that we need.
    So from a CIPAC perspective, having that collaboration of 
experts both from public and private and being able to look and 
give advice on things like we've talked about, the typhoons, 
about agentic AI, about even quants that are going on, where 
should we be pointing our arrows. That's incredibly important 
for us to rely on.
    If we talk about the safety board getting the revisions and 
understanding what happened on critical attacks, like the work 
that was being done on Salt Typhoon, there was the Microsoft 
vulnerabilities, there were others, it's a question of those 
type of information sharing allows us to go a step further than 
JCDC and really disseminate critical information about where we 
want to focus our attentions from public and private and then 
also how we better protect ourselves.
    Mr. Swalwell. Are you aware as to whether DHS has provided 
a time line for when a CIPAC replacement will be established or 
a process for how the private sector can provide feedback?
    Ms. Kuehn. I am not aware at this point.
    Mr. Swalwell. How would you structure a new CIPAC?
    Ms. Kuehn. From a CIPAC perspective I think that you have 
to look at--there's practitioners and operators in 
cybersecurity and in AI. As we think about it, we need a blend 
of Government, former Government, the practitioner side, like 
the CISOs and the risk executives sitting here today, and then 
also operators, who are the business risk side, from boards and 
CEOs and understanding the cyber perspective from the business 
side.
    Because we're seeing we're in the middle of a digital 
revolution. Cyber touches every area. Traditional technology, 
everything we do has technology in it, and there's a cyber 
component.
    So as we look at the new CIPAC, we have to take into 
consideration that we're no longer just looking from an 
adversarial perspective, it's a business, operational, 
resiliency perspective, and we need to adjust accordingly.
    Mr. Swalwell. Great. Yield back.
    Mr. Garbarino. The gentleman yields back.
    I now recognize myself for my second 5 minutes of 
questions.
    When the original CISA 2015 law was negotiated significant 
privacy concerns were raised. As far as I'm aware, these 
concerns did not come to fruition.
    Ms. Rinaldo, you were there. Will you please walk us 
through the initial debates and how they were resolved dealing 
with privacy?
    Ms. Rinaldo. Absolutely.
    So during the 4 years we had 3 different bills that were 
introduced, and from the first bill, which was a couple of 
pages, to the one that was signed into law, which was much, 
much bigger, we took a lot of the feedback from privacy groups 
and industry--John was instrumental in a lot of this work that 
we did--and we made changes.
    The information has to be anonymized. We want to make sure 
that what is actually being shared is the zeros and ones of it.
    I know that the inspector general has done a report 
recently and has determined that no privacy issues have arisen 
in the past 10 years. So the language and all the protections 
that we put in have been working.
    Mr. Garbarino. That's great, because I'll tell you, other 
than the name, privacy concerns, it might be the biggest 
obstacle to getting this reauthorized. So the fact that you 
have--that report has zero reports of privacy breaches is 
great.
    Mr. Miller, you were also instrumental, as we all just 
heard Ms. Rinaldo say. Have you heard of any privacy-related 
concerns over the last 10 years the law has been in effect?
    Mr. Miller. No, and I think that's pretty compelling 
evidence that the bill itself and the structure and the 
protections that were put in place to protect privacy and civil 
liberties worked.
    If I could add one other protection that I think was very 
important to what Diane said. Actually having DHS serve as the 
central hub, what we kind-of called the civilian interface at 
the time, was very important.
    If you think about what else was going on during this time, 
there was a lot of suspicion about sharing, and in particular 
about surveillance agencies, in light of the Snowden 
disclosures, for instance.
    So I think that the protections that Diane mentioned, 
requiring the stripping out of PII, was very important. But 
also sharing through DHS and then having DHS share across the 
Federal Government was a good innovation, I think, of the time 
as well.
    Mr. Garbarino. Mr. Schimmeck, anything to add there 
regarding privacy?
    Mr. Schimmeck. Just the only thing I would add to it is, 
No. 1, as I made in my statement, we have not had anything 
realized in regards to any disclosures.
    Also, from a financial services industry standpoint, we 
take privacy extremely seriously. It's something that's core to 
how our business operates.
    So having those protections in there and really to focus on 
it in the act, in the bill, was really important.
    Mr. Garbarino. Ms. Kuehn.
    Ms. Kuehn. I would agree. I think that they've summed it 
up. There really have not been any, to my knowledge, concerns 
from a privacy perspective. I think that that's one of the 
reasons that a clean authorization of it from a renewal 
standpoint is just critical. We can change what we need to 
change later, but what's working right now from a fundamental 
perspective is working.
    Mr. Garbarino. That was my follow-up question. You said 
clean re-auth, which means you would all agree that there is no 
need to change the language when it comes to privacy, correct?
    Ms. Kuehn. Yes.
    Mr. Schimmeck. Yes.
    Mr. Miller. Yes.
    Mr. Garbarino. They all said yes, for the record.
    Thank you very much for that.
    I do want to get to one more, because we're talking about 
information sharing with the Government, private to Government.
    But can you all talk about some reflections on how this 
legislation changed information sharing amongst private-to-
private entities and how it fostered that information sharing? 
Feel free to jump in, whoever wants.
    Mr. Miller. I mean, I'll jump in.
    Talking to, for instance, the executive director of the IT-
ISAC recently, it does seem like--and talking about some of the 
types of things that CISA 15 really has allowed the private 
sector to do, I mean, I think there are criticisms of whether 
the private-Government sharing can be better. I mean, we've 
heard some of those already today.
    But the private-private, private-to-private sharing, is a 
really critical and maybe sometimes overlooked aspect of what 
CISA 15 really enabled.
    Again, if you look at the ISACs, again, some of the ISACs 
have less than a hundred people, some of them have thousands of 
companies involved, you look at the National Council of ISACs, 
the State and local, Tribal, and territorial ISAC, all of these 
ISACs are--allow--it's kind-of a concept of the few protecting 
the many.
    They're very important in particular for those small and 
medium-sized businesses who can perhaps participate through 
ISACs because they don't have million-dollar budgets to spend 
on cybersecurity.
    So I think there's really been a pretty dramatic increase 
in private-to-private sharing that has been enabled because of 
CISA 15.
    Mr. Garbarino. Wonderful.
    All right. Well, I'm now out of time.
    I really want to thank you all for being here. I think you 
can tell by the fact that we all stayed for our second round 
and we have such a big crowd in the back that this is a very 
important hearing and people understand its importance.
    Again, I said it was wonderful that the Secretary mentioned 
it yesterday, that she wants to see reauthorization. That's the 
second time I've heard her publicly say that, which is great.
    So I want to thank you all for your valuable testimony and 
for the Members for their questions.
    Members of the committee may have some additional questions 
for you all, and we would ask you to respond to these in 
writing.
    Pursuant to committee rule VII(E), the hearing record will 
be held open for 7 days.
    Without objection, the committee stands adjourned.
    [Whereupon, at 3:22 p.m., the subcommittee was adjourned.]


                            A P P E N D I X

                              ----------                              

      Questions From Chairman Andrew R. Garbarino for John Miller
    Question 1. Do barriers still exist to cybersecurity information 
sharing, such as private-sector companies' reluctance to share with law 
enforcement or quality concerns regarding redundant cyber threat 
indicators and defensive measures? What actions have been taken, if 
any, to overcome these barriers?
    Answer. While certain barriers to information sharing may persist, 
CISA 15 removed or lowered the vast majority of barriers to information 
sharing by providing clear liability protections to companies for 
voluntarily sharing or receiving cyber threat indicators (CTIs) or 
defensive measures (DMs), for authorized monitoring activities, by 
exempting these sharing activities from disclosure under FOIA and from 
antitrust laws, and providing limited protections against regulatory 
use. A lapse of CISA 15 would immediately reintroduce those barriers.
    It is important to note that while the intention behind CISA 15 was 
to incentivize voluntary sharing by removing these above-listed 
barriers, some private-sector entities have remained reluctant to share 
with DHS/CISA or other Government agencies due to lingering concerns 
over regulatory exposure, or other issues such as reputational risk or 
uncertainty around the onward use or dissemination of shared data.
    Additionally, I believe it would be prudent to review and update 
the list of cyber threat indicators (CTIs) in CISA 2015, not for 
redundancy but for completeness. Adversaries are constantly developing 
new tactics, techniques, and procedures to advance their nefarious 
objectives. Defenders need to have the ability to share updated CTIs on 
the entire dynamic threat landscape. The CTI definition is framed to 
encompass much of the threat landscape without risking redundancy. 
Accordingly, any update to the list of CTIs should focus on adding 
additional CTIs to reflect developments in the threat landscape. For 
example, CTIs related to supply chain attacks or AI-enabled TTPs may be 
appropriate to include. Notably, DHS/CISA has already worked to improve 
the technical utility of shared data and to facilitate anonymization 
and contextual enrichment of threat indicators to enhance their value. 
Evolving the list of CTIs alongside continued stakeholder engagement, 
transparency, and advancements in automated sharing standards may help 
to mitigate persistent concerns.
    Question 2. What can the Cybersecurity and Infrastructure Security 
Agency (CISA) do to increase participation in the Automated Indicator 
Sharing (AIS) program?
    Answer. One way for DHS/CISA to increase participation in AIS would 
be to better emphasize the value proposition behind bi-directional 
information sharing, particularly from Government to industry. 
Currently, much information sharing happens industry-to-industry, 
industry-to-Government, or Government-to-Government. Increasing 
Government-to-industry sharing of information could incentivize more 
private-sector entities to participate in AIS. Additionally, DHS/CISA 
can also broaden industry engagement by continuing efforts to improve 
the relevance, accuracy, and timeliness of shared indicators and 
provide metrics demonstrating operational impact and actionable 
intelligence to further improve the value proposition for reluctant 
companies. Moreover, enhancing integration with threat intelligence 
platforms used by private-sector entities and expanding training and 
onboarding support for small and mid-sized enterprises can make 
participation more accessible.
    While incentivizing greater participation is a worthwhile goal, it 
is also worth noting that the raw numbers of entities participating in 
AIS do not tell the whole story. Many companies including SMBs 
participate indirectly in and gain the benefits of the AIS program by 
virtue of their participation in the various sector ISACs representing 
critical infrastructure as well as other Information Sharing and 
Analysis Organizations (ISAOs).
    Question 3. Do you believe that the Cybersecurity Information 
Sharing Act of 2015 (CISA 2015), if reauthorized, should still exclude 
protections from sharing with the Department of Defense (DoD), 
including the National Security Agency (NSA)? Why or why not?
    Answer. The original decision to limit certain liability 
protections for sharing directly with the Department of Defense and NSA 
reflected a conscious effort to preserve public trust by emphasizing 
civilian-led cybersecurity collaboration. Removing those protections 
would resurface the same privacy concerns from a decade ago that took 
years to resolve. The intentional decision to establish DHS/CISA as a 
civilian intermediary was intended to mitigate these concerns, and 
based on available evidence--including no documented privacy incidents 
or instances of information leakage that I am aware of--the current 
structure establishing DHS/CISA as the central information sharing hub 
for the Federal Government has proven a success. There is no compelling 
reason to reassign these intermediary responsibilities to law 
enforcement or national security entities, and any effort to do so 
would raise the same privacy concerns from a decade ago. Resurfacing 
those concerns now would jeopardize the timely reauthorization of CISA 
15.
    Question 4. How important is the antitrust exemption in CISA 2015? 
Please explain and provide any examples that would help illustrate your 
point.
    Answer. The antitrust exemption in CISA 2015 is essential to 
fostering collaborative defense across sectors. It reassures companies 
that sharing cyber threat indicators and defensive measures with 
competitors in good faith will not expose them to antitrust liability. 
For example, in the financial and energy sectors, where competitors 
often face similar threats, the exemption has enabled proactive 
collaboration through Information Sharing and Analysis Centers (ISACs) 
and Information Sharing and Analysis 
Organizations (ISAOs). Without it, firms may hesitate to engage in 
joint threat analysis or response coordination. This legal assurance 
has enabled trusted sharing ecosystems that enhance collective 
resilience.
    Question 5. How does CISA 2015 allow for small and rural critical 
infrastructure sector organizations to effectively share cyber threat 
information with Government entities?
    Answer. CISA 2015 facilitates participation by small and rural 
critical infrastructure organizations primarily through sectoral or 
(multi-)regional Information Sharing and Analysis Centers (ISACs). 
These intermediaries allow smaller entities to receive relevant threat 
information and share indicators through a trusted network. Moreover, 
DHS/CISA's support for automated tools and templates, as well as its 
outreach to under-resourced entities, helps reduce technical and 
operational barriers to participation. Liability protections further 
assure these organizations that sharing information will not result in 
undue risk.
    Question 6. Do liability protections under the existing statute 
sufficiently address threat actors' new and emerging tactics, 
techniques, and procedures (TTPs)? If they do not, please provide some 
recommendations to ensure the law upholds its relevancy as the threat 
landscape evolves.
    Answer. The existing liability protections have proven effective in 
encouraging information sharing across a range of threats. However, as 
TTPs evolve, including those involving AI-enabled exploits, supply 
chain compromises, and manipulation of operational technology systems, 
there may be ambiguity about whether certain cyber threat indicators or 
defensive measures are covered. To maintain the law's relevance, 
Congress should consider modernizing the definitions within the statute 
to explicitly account for emerging threats, including indicators 
related to ransomware campaigns, AI anomalies, and software component 
tampering. Clarifying these elements would reduce hesitation and 
further incentivize more robust sharing.
    Question 7. What changes, if any, can Congress make to CISA 2015 to 
ensure there are no delays or roadblocks to information sharing, 
especially when dealing with a campaign from an advanced persistent 
threat (APT) actor?
    Answer. It is imperative that Congress reauthorize the existing law 
before it lapses in September. Improvements should not come at the 
expense of the existing cyber information sharing activities that rely 
on CISA 2015 authorities. Any lapse to CISA 2015's liability 
protections could have real and immediate negative consequences that 
put all American organizations at greater risk.
    That said, Congress can take several actions to minimize delays in 
high-stakes scenarios involving APT actors. First, cross-checking, and 
updating as necessary, the definitions of covered threat indicators and 
defensive measures to make certain they sufficiently capture advanced 
and emerging attack vectors related to APTs would reduce ambiguity and 
make sure actionable information necessary to counter them is shared. 
Second, reinforcing the role of the Joint Cyber Defense Collaborative 
(JCDC) as a central hub for coordinated operational planning can 
streamline real-time sharing and response. Finally, codifying 
governance mechanisms like charter requirements, stakeholder roles, and 
reporting standards would strengthen trust and agility. Ensuring that 
liability protections clearly extend to fast-moving collaborative, 
operational responses is vital to enabling timely and decisive action 
during APT campaigns.
     Questions From Chairman Andrew R. Garbarino for Diane Rinaldo
    Question 1. Do barriers still exist to cybersecurity information 
sharing, such as private-sector companies' reluctance to share with law 
enforcement or quality concerns regarding redundant cyber threat 
indicators and defensive measures? What actions have been taken, if 
any, to overcome these barriers?
    Answer. Yes, barriers absolutely remain. Many companies still 
hesitate to share because they're uncertain about liability protections 
or they simply lack the resources to participate. Others worry about 
whether the information they share will be useful, or if they'll get 
meaningful intelligence back (is the juice worth the squeeze scenario). 
We've certainly made progress: DHS's Automated Indicator Sharing 
program, the growth of ISACs, and more streamlined declassification of 
intelligence have all helped. But the flow is still too often one-way, 
and the quality and timeliness of information aren't always what 
industry needs in the middle of an attack. What's required now is to 
strengthen reciprocity, provide clearer safe harbors, and make 
participation easier for small and mid-sized companies.
    Question 2. What can the Cybersecurity and Infrastructure Security 
Agency (CISA) do to increase participation in the Automated Indicator 
Sharing (AIS) program?
    Answer. CISA needs to make participation valuable in real time. 
When a company shares an indicator, they should get timely, actionable 
intelligence back but within hours. The data also needs to be delivered 
in formats that companies can use immediately in their security tools. 
Reducing noise, providing context, and integrating with the platforms 
companies already rely on would go a long way. Finally, CISA can make 
participation more attractive by offering incentives such as priority 
access to threat briefings or incident support for organizations that 
actively contribute.
    Question 3. Is there any ambiguity in CISA 2015's definitions, such 
as for cyber threat indicators or defensive measures, that Congress 
should revisit? If so, please explain.
    Answer. Yes, there are ambiguities. The term ``cyber threat 
indicator'' was written before today's realities like AI-driven 
attacks, identity-based threats, and large-scale abuse of cloud 
services. The definition should be broadened to clearly include 
behavioral analytics, AI detection artifacts, and identity signals like 
multifactor bypasses. Similarly, ``defensive measures'' should reflect 
the automated blocking and orchestration tools that are commonplace 
today. Clarifying these terms would remove uncertainty and give 
companies more confidence that their actions fall under the law's 
protections.
    Question 4. Do you believe that CISA 2015, if reauthorized, should 
still exclude protections from sharing with the Department of Defense 
(DoD), including the National Security Agency (NSA)? Why or why not?
    Answer. There needs to be a more balanced approach. The original 
exclusion was meant to build trust and avoid concerns about 
surveillance. The last 10 years have proven that the U.S. Government is 
able to adhere to the strict minimization standards and protect 
personally identifiable information (PII). The threat has certainly 
advanced beyond what we envisioned 10 years ago. When an advanced 
persistent threat is in play especially from a nation-state actor, it 
makes sense for DoD or NSA to be part of the picture. My view is that 
Congress should allow carefully-scoped sharing with these agencies, 
with guardrails: CISA should remain the front door, minimization and 
transparency should apply, and use of the data must be limited strictly 
to cybersecurity defense. That way, we preserve trust while ensuring we 
can act at the speed of the threat.
    Question 5. Do liability protections under the existing statute 
sufficiently address threat actors' new and emerging tactics, 
techniques, and procedures (TTPs)? If they do not, please provide some 
recommendations to ensure the law upholds its relevancy as the threat 
landscape evolves.
    Answer. Protections need to be enhanced to encourage greater 
participation. The statute was written before AI, before the explosion 
of ransomware-as-a-service, before the identity and supply chain 
attacks we see now. Companies need assurance that if they act in good 
faith, whether by sharing new types of indicators, deploying automated 
defensive measures, or collaborating internationally, they are 
protected. Congress should expand liability protections to explicitly 
cover these evolving tactics and tools. A good rule of thumb is: if a 
company follows best practices, uses recognized sharing standards, and 
acts to defend its network, they should be protected.
    Question 6. How does CISA 2015 allow for small and rural critical 
infrastructure sector organizations to effectively share cyber threat 
information with Government entities?
    Answer. In theory, the law applies equally to everyone. In 
practice, smaller organizations often don't have the staff, budget, or 
legal support to participate. Some benefit through ISACs, fusion 
centers, or State-based programs, but it's patchy. To make this law 
truly work for them, Congress should consider subsidizing membership in 
ISACs, and simplified legal frameworks so smaller players can 
participate without fear or cost barriers.
    Question 7. What changes, if any, can Congress make to CISA 2015 to 
ensure there are no delays or roadblocks to information sharing, 
especially when dealing with a campaign from an advanced persistent 
threat (APT) actor?
    Answer. Speed is everything in an advanced persistent threat 
scenario. Congress can help by requiring reciprocity: when companies 
provide indicators, CISA must push back sanitized, actionable 
intelligence quickly. Clear statutory time lines would help. Congress 
should also support ``default to declassify'' processes so that 
critical information isn't held up unnecessarily by classification. And 
we should empower joint operations cells with the relevant agencies 
such as CISA, FBI, DoD, NSA so the Government can act as one team and 
provide a single, timely stream of information to the private sector.
     Questions From Chairman Andrew R. Garbarino for Karl Schimmeck
    Question 1. Do barriers still exist to cybersecurity information 
sharing, such as private-sector companies' reluctance to share with law 
enforcement or quality concerns regarding redundant cyber threat 
indicators and defensive measures? What actions have been taken, if 
any, to overcome these barriers?
    Answer. Large financial institutions do not have significant 
barriers to cybersecurity information sharing but there may be 
reluctance among smaller companies that are not aware of the 
protections that are provided under CISA 2015. Although there has been 
outreach to such firms at various points a more concerted effort to 
raise awareness about the necessity of information sharing and the 
protections provided would be helpful. The financial services industry 
views the Federal Government (including CISA and Federal financial 
regulators) and law enforcement as valuable partners in defending 
against cybersecurity threats, but having information shared from 
companies of all sizes will further improve that value of the 
information shared. CISA 2015 provides significant protections against 
regulatory and antitrust enforcement actions, which are critical.
    Over the past few years U.S. Treasury has removed many barriers 
around sending Classified threat indicators (e.g., IOCs) to the private 
sector. Treasury now declassifies threat indicators more quickly to 
provide the sector with leading indicators they can use to prevent 
cyber attacks. And during crises, the public/private sector incident 
management mechanisms have improved to allow rapid sharing of ground 
truth during attacks in progress.
    Question 2. What can the Cybersecurity and Infrastructure Security 
Agency (CISA) do to increase participation in the Automated Indicator 
Sharing (AIS) program?
    Answer. CISA should make an affirmative effort to educate companies 
about the benefits of sharing through the AIS program. The program 
should also demonstrate its own value by using current technology as 
well as providing timely and accurate threat information shared in the 
system.
    CISA should explore alternative approaches to its automated threat 
intelligence and information-sharing capabilities, including 
implementing a long-term vision for information sharing, building on 
existing capabilities, and aligning with reporting programs at other 
Government agencies including financial regulators.
    Question 3. How important is the antitrust exemption in CISA 2015? 
Please explain and provide any examples that would help illustrate your 
point.
    Answer. The antitrust exemption is critical to information sharing 
between private entities as well as with the Government as that 
information is also shared indirectly with private companies. Antitrust 
compliance is time-consuming and costly. The exemption limits the 
necessity of lengthy internal or external reviews of information to be 
shared for antitrust compliance thus decreasing response times for 
sharing critical information with the Government or with other private 
entities. For example, if a private company has information about a 
cyber threat stemming from its use of a vendor, that company may share 
that information with the Government or other private entities who may 
also use that vendor including what services the company receives from 
the vendor which may be related to the cyber threat without risk of 
that behavior being deemed anti-competitive under U.S. law.
    Question 4. Is there any ambiguity in CISA 2015's definitions, such 
as for cyber threat indicators or defensive measures, that Congress 
should revisit?
    Answer. The definitions are generally well-understood and do not 
require additional changes to meet the needs of the financial services 
industry. For the most part, these definitions have been harmonized 
across the public and private sector to provide for better 
communication during cyber events. As a result, changing these 
definitions may cause additional challenges since they are already 
generally accepted.
    Question 5. What changes, if any, can Congress make to CISA 2015 to 
ensure there are no delays or roadblocks to information sharing, 
especially when dealing with a campaign from an advanced persistent 
threat (APT) actor?
    Answer. CISA 2015 already contains the necessary framework for 
cyber threat information sharing between public and private 
entities. The Department of Homeland Security should have the necessary 
financial resources and technology necessary to both share information 
and provide detailed instructions on defensive strategies wherever 
possible.
    Question 6. Do you believe that CISA 2015, if reauthorized, should 
still exclude protections from sharing with the Department of Defense 
(DoD), including the National Security Agency (NSA)? Why or why not?
    Answer. CISA 2015 if reauthorized should include the broadest 
protections possible for sharing with any Federal Government entity 
which may play a part in the protection of our critical infrastructure. 
There should be the same protections regardless of which agency the 
entity shares cyber threat information with.
    Question 7. The existing statute states that the Federal Government 
must share ``timely'' information. Do you believe that the Federal 
Government is succeeding in this role, and does this extend to both 
Classified and unclassified information?
    Answer. Response times for information sharing from the Federal 
Government to the private sector are critical for the system to work. 
Stale information is not valuable in defending against an impending 
cyber threat, so it is important that this information be shared as 
soon as possible while still ensuring the necessary privacy and other 
confidential information is not shared if it's not necessary to the 
prevention efforts.
    Questions From Chairman Andrew R. Garbarino for Katherine Kuehn
    Question 1. Do barriers still exist to cybersecurity information 
sharing, such as private-sector companies' reluctance to share with law 
enforcement or quality concerns regarding redundant cyber threat 
indicators and defensive measures? What actions have been taken, if 
any, to overcome these barriers?
    Yes, barriers to cybersecurity information sharing persist, despite 
years of focus on public-private partnerships, and the private sector 
remains hesitant to share cyber threat information with the Federal 
Government. In addition, there are concerns that CISA doesn't protect 
its sensitive equities. According to information originating from the 
Cybersecurity and Infrastructure Security Agency (CISA), concerns have 
been raised regarding accuracy and timeliness. For example, Yara rules 
shared on threats have frequently contained inaccurate or poorly-
crafted alerts.
    Major barriers include:
   Lack of Trust.--Organizations may be reluctant to share 
        information due to concerns about data misuse or leaks, 
        especially when sharing with competitors or Government 
        entities. Building trust through transparent policies and 
        fostering a collaborative culture is crucial.
   Legal and Regulatory Challenges.--Different jurisdictions 
        have varied data-sharing laws, and regulations like GDPR can 
        pose challenges for cross-border sharing. Navigating these 
        legal frameworks and ensuring compliance can be complex, 
        potentially hindering collaboration. Concerns about potential 
        liability if shared information is inaccurate or misleading can 
        also deter organizations from sharing.
   Organizational Barriers.--Issues such as resource 
        constraints, a lack of technical expertise, and internal silos 
        within organizations can impede effective information sharing.
   Technical Challenges.--Difficulties in integrating systems 
        and establishing a common language for sharing can hinder 
        automated information exchange. The amount of data can also 
        overwhelm resources, making it difficult to deliver information 
        to the right place at the right time.
   Concerns about Disclosure.--Companies worry about revealing 
        sensitive company information, potential non-compliance with 
        regulations, customer privacy violations, and reputational 
        damage from sharing details of cyber attacks.
    Actions taken to overcome these barriers:
    Efforts have been made to address these concerns, including 
updating the Automated Indicator Sharing (AIS) platform and launching 
programs such as the Joint Cyber Defense Collaborative (JCDC). However, 
these steps have not meaningfully changed the landscape. The private 
sector still overwhelmingly relies on peer-to-peer exchanges, 
commercial threat intelligence providers, and industry-specific 
Information Sharing and Analysis Centers (ISACs), all of which are 
connected to the foundation laid by CISA 2015, which provides the 
liability protections and other legal assurances necessary for these 
programs to exist. Even with these assurances, trust issues and 
inefficiencies continue to dominate the information-sharing environment 
and will persist without the safeguards established in CISA 2015. A 
clean renewal is necessary to continue the programs that are working, 
and as we look toward the future, additional actions could include:
   Additional Legislation and Policy
   More Collaborative Government/Industry Initiatives
   Incorporation of Technological Advancements
   Focus on Trust and Communication.
    Following the clean renewal of the Cybersecurity Information 
Sharing Act of 2015 (CISA 2015), we can examine other ways of sharing 
information that should be considered for dissemination and building 
more trust between public-private partnerships. One suggestion would be 
to continue the Office of the National Cyber Director (ONCD) roundtable 
efforts or expand JCDC or AIS, which would enable coordinated cross-
functional cyber information dissemination points that could act in a 
central and controlled way with the ability to engage with Industry in 
a functional and approved manner.
    A potential framework for this type of partnership could be 
replicated by either the ONCD or the JCDC/AIS, which could be derived 
from the incomplete one currently found on the U.S. Cyber Command 
website: https://www.cybercom.mil/Partnerships-and-Outreach/Private-Sector-Partnerships/
                 Private-Sector Partnerships: The Mission
    The mission of our unclassified private-sector partnership program 
and forum, otherwise known as UNDER ADVISEMENT, is to engage with 
industry partners, agilely sharing critical information that enables 
both U.S. Cyber Command missions and private-sector partner priorities.
Who We Are
    UNDER ADVISEMENT is U.S. Cyber Command's front door regarding 
information sharing to and from private-sector partners. The immediate 
cyber crises information shared supports U.S. Cyber Command's entire 
mission set while providing vital information to our partners so they 
can further protect and defend their networks from adversary threats.
How We Do It
    U.S. Cyber Command enters into two-way information-sharing 
agreements with partners from across all aspects of the public and 
private sectors. These agreements are designed to enhance and expand 
trust and dialog between our partners and CYBERCOM. Once an agreement 
is in place, members of the UNDER ADVISEMENT program work with our 
partners to facilitate sharing of critical information across multiple 
agreed outlets.
    Question 2. What can the Cybersecurity and Infrastructure Security 
Agency (CISA) do to increase participation in the Automated Indicator 
Sharing (AIS) program?
    Answer. The Cybersecurity and Infrastructure Security Agency's 
Automated Indicator Sharing (AIS) program aims to facilitate the real-
time sharing of cyber threat information among organizations, thereby 
enhancing cybersecurity and preventing attacks. However, recent reports 
from the Department of Homeland Security's Office of Inspector General 
(OIG) have raised concerns about the program's effectiveness and its 
usefulness to participants. Post a clean renewal of CISA 2015, a review 
of the program should be considered as a longer-term goal.
    Current Benefits of CISA AIS are:
   Real-time threat intelligence sharing.--Participants can 
        share and receive machine-readable cyber threat indicators 
        (CTIs) and defensive measures (DMs) in real time to proactively 
        defend their networks.
   Collective knowledge.--Organizations benefit from the 
        collective knowledge of participants, gaining insights into 
        observed threats and vulnerabilities.
   Liability and privacy protections.--The Cybersecurity 
        Information Sharing Act of 2015 (CISA 2015) provides certain 
        legal protections to encourage sharing, including liability 
        protection, privacy protections, and exemption from specific 
        disclosure laws.
    Challenges and Criticisms:
    1. Declining participation.--The number of participants actively 
        sharing information through AIS has decreased significantly in 
        recent years.
    2. Insufficient shared indicators.--The volume of shared CTIs has 
        also declined considerably, raising concerns about the 
        program's ability to facilitate effective real-time threat 
        sharing.
    3. Lack of context.--Some reports indicate that the quality of 
        shared information is not always sufficient, lacking the 
        contextual details necessary for effective threat mitigation.
    4. Outreach and funding issues.--The OIG attributed the decline in 
        participation to CISA's inadequate outreach strategy and 
        difficulties in identifying specific program costs and auditing 
        expenditures.
    Overall Usefulness:
    Despite the reported challenges, the CISA AIS program is a valuable 
tool for enhancing cybersecurity by promoting information sharing and 
collective defense. However, the program's current effectiveness is 
under scrutiny due to the decline in participation and shared threat 
indicators. CISA has acknowledged the issues and is working to address 
them, including the development of a new threat intelligence strategy 
and evaluation of the AIS program's effectiveness. The agency is also 
exploring alternative information-sharing systems, potential technical 
enhancements, and feedback from participants to improve the program.
    From a technical enhancement perspective, the platform needs more 
than technical compliance with STIX and TAXII standards. It should 
offer meaningful metrics, such as scores for timeliness, uniqueness, 
and detection effectiveness. The system must also reduce integration 
friction. Many companies already support the necessary formats but do 
not use AIS due to the additional burden involved.
    One recommendation would be for CISA to offer hosted pilots for 
smaller organizations, provide direct feedback about how shared data is 
used, and build tools that demonstrate how one company's input protects 
others. Perhaps most importantly, AIS should be repositioned as a core 
element of national cyber defense, rather than merely serving as a data 
repository.
    In conclusion, while the CISA AIS program offers potential benefits 
for cybersecurity, its usefulness may currently be limited by the 
reported challenges with participation and information sharing. It 
needs to be revamped if we are to achieve stronger collaboration. 
Still, the work necessary cannot be fully executed before the 
expiration of CISA 2015 and should not be considered in a clean renewal 
strategy.
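The answer above argues that an AIS-style platform should score shared indicators for timeliness, uniqueness, and detection effectiveness rather than only passing STIX/TAXII compliance. The following is an added example, not part of the hearing record or of the AIS program's own code, of what such scoring could look like on a receiving organization's side; the indicator objects, the "already known" set, and the log lines are constructed sample data, and the pattern parser assumes simple single-comparison STIX 2.1 patterns.

```python
"""Added example (not from the hearing record): score a batch of shared
indicators for timeliness, uniqueness and detection effectiveness, the
three metrics the witness suggests an AIS-style platform should report.
All data below is constructed; field names follow STIX 2.1 indicator objects."""
from datetime import datetime, timezone

# Constructed STIX 2.1-style indicator objects (subset of fields).
SHARED_INDICATORS = [
    {"id": "indicator--a1", "pattern": "[ipv4-addr:value = '203.0.113.7']",
     "created": "2025-05-01T08:00:00Z"},
    {"id": "indicator--a2", "pattern": "[domain-name:value = 'bad.example']",
     "created": "2025-05-03T12:00:00Z"},
    {"id": "indicator--a3", "pattern": "[ipv4-addr:value = '198.51.100.9']",
     "created": "2025-04-01T00:00:00Z"},
]
# Indicator values this organization already held from other feeds (constructed).
ALREADY_KNOWN = {"198.51.100.9"}
# Constructed local firewall log lines used to check whether shared indicators fire.
LOG_LINES = [
    "2025-05-04T09:12:01Z DENY src=10.0.0.5 dst=203.0.113.7 dport=443",
    "2025-05-04T09:15:44Z ALLOW src=10.0.0.8 dst=93.184.216.34 dport=80",
]
# When this organization received the batch (constructed).
RECEIVED_AT = datetime(2025, 5, 4, 9, 0, tzinfo=timezone.utc)


def extract_value(pattern):
    """Pull the literal out of a simple single-comparison STIX pattern (assumption)."""
    return pattern.split("=", 1)[1].strip(" ]'")


def timeliness_score(created, received_at, max_age_days=7.0):
    """1.0 if received the moment it was created, decaying linearly to 0 at max_age_days."""
    created_dt = datetime.fromisoformat(created.replace("Z", "+00:00"))
    age_days = (received_at - created_dt).total_seconds() / 86400
    return max(0.0, 1.0 - age_days / max_age_days)


def score_batch(indicators, known, log_lines, received_at):
    """Return per-batch timeliness, uniqueness and detection scores in [0, 1]."""
    values = [extract_value(i["pattern"]) for i in indicators]
    timeliness = sum(timeliness_score(i["created"], received_at)
                     for i in indicators) / len(indicators)
    novel = [v for v in values if v not in known]      # not already known locally
    uniqueness = len(novel) / len(values)
    # Substring match is deliberately simple; a real pipeline would parse fields.
    hits = [v for v in values if any(v in line for line in log_lines)]
    detection = len(hits) / len(values)
    return {"timeliness": round(timeliness, 3), "uniqueness": round(uniqueness, 3),
            "detection": round(detection, 3), "hits": hits}


if __name__ == "__main__":
    print(score_batch(SHARED_INDICATORS, ALREADY_KNOWN, LOG_LINES, RECEIVED_AT))
```

Feeding these scores back to the sharing organization is the kind of direct feedback the answer calls for: a sender can see which of its indicators were stale, duplicated, or actually fired elsewhere.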
    Question 3. How has the Cybersecurity Information Sharing Act of 
2015 (CISA 2015) changed the information-sharing environment among 
private-sector entities?
    Answer. The Cybersecurity Information Sharing Act of 2015 
significantly altered private-sector cybersecurity information sharing 
by creating a legal framework that encourages voluntary sharing of 
cyber threat indicators and defensive measures with both the Government 
and other private entities. This framework provides protections and 
incentives for companies to share information, including antitrust 
exemptions and immunity from specific disclosure laws.
    Protections Include:
   Legal Protection for Sharing.--CISA 2015 provides 
        protections from legal liability when organizations voluntarily 
        share cyber threat information with both the Federal 
        Government, through the Department of Homeland Security (DHS), 
        and other entities in the private sector.
   Antitrust Exemptions.--The act permits companies to 
        collaborate and share information without the risk of antitrust 
        scrutiny by providing exemptions from antitrust laws.
   Immunity from Disclosure Laws.--CISA 2015 shields shared 
        information from specific disclosure laws, such as open 
        Government and Freedom of Information Act requests, to 
        encourage more open sharing.
   Non-Waiver of Protections.--Sharing information under the 
        guidance of CISA 2015 does not waive any other applicable 
        protections or privileges.
   Centralized Sharing.--CISA 2015 established a centralized 
        mechanism for sharing information with DHS as the primary point 
        of contact through the AIS Initiative.
   Focus on Cyber Threat Indicators and Defensive Measures.--
        CISA 2015 encourages the sharing of cyber threat indicators, 
        such as malicious IP addresses, and defensive measures, 
        including security patches.
   Ex Parte Communications Waiver.--The sharing of cyber threat 
        information with the Federal Government, under CISA 2015, is 
        not considered ex parte communication.
   No Mandate for Sharing.--While CISA 2015 encourages sharing, 
        it does not require private entities to share information, 
        which is a key point of the act. Sharing is voluntary and helps 
        establish the trust necessary for transparent communications.
    CISA 2015 marked a turning point in public-private cybersecurity 
collaboration. In summary, it provides the critical legal protections 
outlined, which encourage the private sector to share threat indicators 
more confidently, primarily through ISACs and coordinated efforts with 
CISA. By addressing liability, privacy, and antitrust concerns, the act 
helps shift cybersecurity from a siloed effort to a more collective 
defense model.
    The act also promotes the use of standardized data formats, which 
improved technical compatibility and laid the groundwork for broader 
sharing across sectors. Over time, even this has led to stronger 
partnerships and faster threat awareness. While there have been 
challenges and developments that must be addressed, a clean renewal of 
CISA 2015 is the most effective way to maintain information sharing and 
the partnership in the future.
    Question 4. Is there any ambiguity in CISA 2015's definitions, such 
as for cyber threat indicators or defensive measures? If so, please 
explain.
    Answer. Yes, there are acknowledged ambiguities in the definitions 
within the Cybersecurity Information Sharing Act of 2015 (CISA 2015), 
particularly regarding its scope and application. These ambiguities, 
however, can be addressed in subsequent modifications to CISA 2015 
after a clean renewal of the current act, modernization of the current 
public/private sharing organizations, and a potential revamp of CISA. 
The main examples of ambiguities are:
   Substantial Cyber Incidents.--While CISA's approach to 
        covered cyber incidents is limited to ``substantial'' 
        incidents, the definition of ``substantial'' has been 
        interpreted broadly, leading to ambiguities regarding which 
        incidents fall under the reporting requirements.
   Third-Party Incidents.--The definition of ``third-party'' 
        incidents, encompassing incidents involving vendors and 
        suppliers of covered entities, has been read broadly.
   Cybersecurity Threat.--While the act defines ``cybersecurity 
        threat'' as an action on or through an information system that 
        may result in an unauthorized effort to impact its security or 
        data adversely, it also includes exemptions for activities that 
        are solely violations of consumer agreements and authorized 
        activities that incidentally cause adverse effects.
   Definition of ``Cyber Threat Indicator''.--Since CISA 2015, 
        the recommendation has been made to expand the definition of 
        ``cyber threat indicator'' to address emerging threats such as 
        AI-related issues and supply chain vulnerabilities.
    These ambiguities can raise operational questions in addition to 
concerns around legal risk, and impact how entities implement and 
comply with CISA 2015, particularly concerning information sharing and 
incident reporting. Companies often worry about crossing legal lines, 
especially when using sinkholing, beaconing, or deception techniques. 
The statute prohibits anything that causes ``damage,'' but it does not 
clearly outline what counts as damage in a cyber context. Even the 
phrase ``timely removal of personal information'' lacks a specific time 
frame, which leads to differing interpretations and inconsistent 
application.
    These ambiguities create risk for legal teams and discourage 
organizations from sharing data that may otherwise be valuable and have 
led to discussions surrounding the CISA 2015 reauthorization, 
suggesting a need to address these ambiguities, possibly by amending 
definitions or expanding liability protections to encourage greater 
sharing of information now. This can, though, be accomplished post a 
clean renewal of CISA 2015 and would still enable the desired outcome 
of on-going efforts to refine the law and address potential issues 
related to its interpretation and effectiveness as new technologies. 
One short-term solution suggestion would be for CISA to continue to 
release more guidance to help clarify aspects of the law and assist 
non-Federal entities in sharing cyber threat information.
    Question 5. How important is the antitrust exemption in CISA 2015? 
Please explain and provide any examples that would help illustrate your 
point.
    Answer. The antitrust exemption in CISA 2015 is considered crucial 
for promoting cybersecurity information sharing, particularly within 
the private sector. It encourages collaboration, facilitates broader 
information sharing, enhances collective defense, and minimizes legal 
risks for companies. In essence, the antitrust exemption, alongside 
other legal protections provided by CISA 2015, plays a crucial role in 
enabling and encouraging the voluntary sharing of cyber threat 
information, which is considered vital for defending against modern 
cyber threats and strengthening national cybersecurity.
    While the antitrust exemption is critically important, it is 
underutilized. In a few high-profile incidents, such as the response to 
Log4Shell, the exemption enabled competitors to coordinate quickly and 
share detection signatures. But these examples remain rare and could be 
examined post a clean renewal of CISA 2015 as an area for improvement. 
Legal departments often remain cautious because the statutory language 
is narrow and unfamiliar. Without more clarity or precedent, many 
companies still avoid open collaboration.
    To make the exemption more effective, the Government, via either 
the ONCD or CISA, should publicize success stories and clarify 
boundaries. Clear guidance about what is and is not permitted would go 
a long way toward increasing confidence and use of this vital 
provision. Trying to address this improvement now, however, may 
jeopardize the renewal of the act, and is not recommended; it may, 
however, be an area for consideration in the future.
    Question 6. The existing statute states that the Federal Government 
must share ``timely'' information. Do you believe that the Federal 
Government is succeeding in this role, and does this extend to both 
Classified and unclassified information? Please explain.
    Answer. Consistency is critical, and while there has been 
improvement in the release of public joint advisories across CISA, NSA, 
and FBI, there has been little consistency. Without CISA 2015, there is 
a significant concern about ``timely'' sharing that needs to be 
addressed. The perception is that it often falls to the private sector 
to provide anchor points for further industry examination from the 
information provided by the Federal Government. If we were to lose the 
protections of information sharing that CISA 2015 provides, there would 
be significant concerns about how these critical anchor points would be 
disseminated.
    In addition, as we highlighted, without a revamp of the AIS 
program, which could not be accomplished before the CISA 2015 renewal 
deadline, the current AIS feeds continue to deliver data with variable 
delays. The quality of that information is inconsistent, as noted with 
the incorrect YARA rules in many reports.
    In cybersecurity, time matters. In discussions with the broader 
private-sector community, the primary concern is that our critical 
national infrastructure is increasingly becoming a target for non-state 
aggressors. Only through enhanced information sharing, such as that 
established in CISA 2015, will we be able to ensure its longevity. A 
clean renewal of CISA 2015 is one of the key ways we can start to take 
the steps necessary to enhance and improve a ``timely'' response from 
the Federal Government on cybersecurity, build more trust with the 
private sector, and address the rapidly-changing threat landscape.
    In addition, from a ``timely'' information-sharing perspective, the 
goal of the Federal Government should be to shorten distribution cycles 
and modernize its communication methods, like the AIS program, to 
facilitate stronger and more accurate reporting of critical 
cybersecurity incidents, whether Malicious, Malfunction, or Mistake-
driven that may impact the private sector. The sharing facilitated by 
CISA 2015 is crucial to achieving this goal.

                                 [all]