Nimitz Tech Hearing 5-15-25 - House Homeland
⚡NIMITZ TECH NEWS FLASH⚡
“In Defense of Defensive Measures: Reauthorizing Cybersecurity Information Sharing Activities that Underpin U.S. National Cyber Defense”
House Committee on Homeland Security, Subcommittee on Cybersecurity and Infrastructure Protection
May 15, 2025
HEARING INFORMATION
Witnesses and Written Testimony:
Mr. John Miller: Senior Vice President of Policy for Trust, Data, and Technology, General Counsel, Information Technology Industry Council
Ms. Diane Rinaldo: Private Citizen
Mr. Karl Schimmeck: Executive Vice President and Chief Information Security Officer, Northern Trust
Ms. Kate Kuehn: Member and CISO-in-Residence, National Technology Security Coalition
HEARING HIGHLIGHTS

AI-Driven Threats and the Future of Cyber Warfare
Multiple participants stressed the growing role of artificial intelligence in both launching and defending against cyberattacks. As adversaries develop autonomous, AI-powered attack capabilities, U.S. defensive systems must also evolve to operate at machine speed. The hearing highlighted the need for strategic investment in AI-based cybersecurity tools and for better coordination among agencies and private sector actors to avoid fragmented development efforts. Public-private partnerships with leading AI developers and defenders were cited as critical to future resilience.
Cybersecurity for Small and Medium-Sized Critical Infrastructure
A recurring theme was the vulnerability of small and mid-sized organizations—especially in rural or resource-limited jurisdictions—that maintain a large portion of U.S. critical infrastructure. These entities often lack the financial or technical capacity to defend against nation-state or ransomware attacks. Witnesses cited real-world examples of infrastructure failures stemming from outdated technology and staffing limitations. The hearing underscored the importance of federal support programs, modernization assistance, and public-private collaboration to ensure these organizations are not weak points in national defense.
IN THEIR WORDS
"Without these safeguards, we can be certain that our nation would be more vulnerable to cyber threats. I strongly support reauthorizing CISA 2015."
"If it was not reauthorized, there would be an immediate chilling effect… the express authorizations in the bill and those attendant liability protections would go away."
SUMMARY OF OPENING STATEMENTS FROM THE SUBCOMMITTEE
Subcommittee Chair Garbarino emphasized that cybersecurity information sharing is essential to defending the U.S. from global cyber threats, with private companies often on the front lines. He explained that the Cybersecurity Information Sharing Act of 2015 (CISA 2015) established a voluntary framework enabling public-private exchange of threat data by offering liability and privacy protections. He noted that the law has helped foster trust, increase information flow, and protect national infrastructure from increasingly sophisticated attacks. Garbarino stated that reauthorizing CISA 2015 is a top priority to avoid weakening the nation's cyber defenses and welcomed input on how to strengthen it.
Subcommittee Ranking Member Swalwell recalled his role on the Intelligence Committee during the original passage of CISA 2015 and noted the initial lack of cyber threat sharing between the public and private sectors. He stated that the law has since enabled meaningful collaboration, particularly by providing legal protections that encourage private companies to share threat data. Swalwell acknowledged ongoing frustrations from industry about limited federal information sharing and advocated for reforms, including codifying the Joint Cyber Defense Collaborative (JCDC). He urged Congress to reauthorize the law without delay and then pursue improvements, rather than risk letting it expire.
SUMMARY OF WITNESS STATEMENTS
Mr. Miller emphasized the urgent need for Congress to reauthorize the Cybersecurity Information Sharing Act of 2015, warning that a lapse would benefit cyber adversaries like China, Iran, and Russia. He explained that CISA 2015 has enabled real-time, automated sharing of threat intelligence by providing carefully crafted liability and privacy protections. He noted the law has fostered a trusted environment for information sharing across sectors, improving national cybersecurity posture. While acknowledging room for improvement, he urged Congress not to delay reauthorization and suggested updates to reflect evolving technologies, supply chain threats, and public-private partnerships.
Ms. Rinaldo shared her experience helping craft the original CISA legislation and stressed its continued importance in today’s more complex cyber threat environment. She warned that China's state-sponsored cyber espionage campaigns present a strategic threat, highlighting the need for real-time, bidirectional information sharing. She praised the law’s success in encouraging voluntary sharing and establishing trust, while also pointing out current gaps in speed, participation, and reciprocity. Rinaldo called for reauthorization with strengthened liability protections and mandatory intelligence sharing from government to private industry.
Mr. Schimmeck stated that CISA 2015 remains a foundational tool for national cyber defense, especially for critical sectors like finance that are frequently targeted by nation-state actors. He explained that the law enables trusted, rapid sharing of threat intelligence, which is essential to preventing and containing cyber attacks. He highlighted the law’s effective privacy protections and unblemished track record, noting that no unrelated personal information has been misused. Schimmeck urged immediate reauthorization, warning that any lapse would weaken U.S. cyber defenses and delay critical response efforts.
Ms. Kuehn spoke on behalf of the National Technology Security Coalition and underscored the role of CISA 2015 in advancing public-private cybersecurity collaboration. She noted that the law’s liability protections have built trust and encouraged companies to share critical threat indicators with the government. She warned that letting the law lapse would erode these protections and slow threat intelligence sharing at a time of rising nation-state cyber aggression. Kuehn also criticized recent federal moves that weakened advisory structures and called for renewed investment in collaborative cybersecurity initiatives and a clean reauthorization of the law.
SUMMARY OF KEY Q&A
Rep. Gimenez asked how today’s cyber threat environment compares to ten years ago. Mr. Miller responded that the threat landscape has grown significantly more complex with new challenges such as ransomware, AI-driven threats, and more sophisticated nation-state actors, but credited CISA 2015 with enabling scalable information sharing to meet these evolving risks. Rep. Gimenez then asked whether cybersecurity companies share threat information freely or keep it proprietary. Mr. Miller stated that entities across ISACs (Information Sharing and Analysis Centers) and similar sharing alliances are indeed exchanging threat data broadly, and that there are fewer barriers than before CISA 2015. Rep. Gimenez asked whether defenders or attackers are winning in the AI arms race. Mr. Miller answered that while defenders are making strong use of AI, threat actors are also innovating rapidly, requiring constant vigilance.
Rep. Gimenez suggested that investing in AI as a defensive tool might be the only way to match adversaries' manpower and asked for Mr. Schimmeck’s view. Mr. Schimmeck agreed, stating that just like in the private sector, government investment in AI is essential for bolstering both offensive and defensive cyber capabilities.
Rep. Magaziner expressed concern about proposed cuts to CISA’s budget by the Trump and Musk administration and asked Ms. Kuehn to comment on how workforce reductions would impact the agency. Ms. Kuehn warned that such cuts would severely weaken CISA’s ability to respond to threats, especially as it plays a key role in managing risks from generative AI, coordinating public-private partnerships, and supporting small and medium-sized businesses. Rep. Magaziner emphasized that cyberattacks target not just large entities but also local governments and utilities, and pressed on the importance of a robust CISA workforce. Ms. Kuehn shared a story of a small business forced to shut down due to a ransomware attack, stressing that many essential but resource-limited institutions rely on CISA’s programs to maintain basic cybersecurity resilience.
Rep. Ogles asked how CISA 2015 could be improved during reauthorization to make it more robust. Mr. Miller recommended refining definitions such as "cyber threat indicator" to include emerging threat types like software supply chain attacks, and advised making targeted, surgical updates rather than wholesale changes to the law. Rep. Ogles then asked about the role of the JCDC and how it could support broader information sharing. Mr. Miller responded that the JCDC plays a valuable role in operational collaboration but depends fundamentally on the liability protections and authorizations provided by CISA 2015.
Rep. Ogles then asked whether CISA 2015 adequately protects against threats from China. Ms. Rinaldo answered that since most networks are privately owned, better information flow from government to business, along with improved security clearance access for technical personnel, would enhance protection without requiring statutory changes.
Ranking Member Swalwell asked Ms. Kuehn to explain how the JCDC facilitates information sharing and why its existence is important to the success of CISA 2015. Ms. Kuehn explained that the JCDC allows rapid, real-time distribution of threat information between industry and government, and stressed the importance of expanding its reach and preserving legal protections through reauthorization. Ranking Member Swalwell then raised concerns about the security clearance system and asked whether its current structure hinders effective cybersecurity. Ms. Kuehn responded that the system needs reevaluation, pointing out that many cybersecurity experts never hold clearances despite decades of experience, and called for more inclusive and practical clearance policies. Ranking Member Swalwell agreed on the need for improvement but reiterated that avoiding a lapse in CISA 2015 must be the top priority, and asked whether Ms. Kuehn supported a clean reauthorization. Ms. Kuehn confirmed that she did, recommending a clean reauthorization followed by optimization efforts once the law is secure.
Chair Garbarino asked the panel what would happen if CISA 2015 were not reauthorized. Mr. Miller warned that its expiration would immediately chill information sharing, especially automated sharing at scale, due to the loss of liability protections and legal certainty. Ms. Rinaldo added that without CISA, legal departments—not cybersecurity leads—would determine sharing decisions, creating harmful delays. Mr. Schimmeck echoed these concerns and added that a lapse would especially disadvantage small and medium-sized firms, forcing them into inefficient, bilateral sharing arrangements. Ms. Kuehn reinforced that pre-2015 sharing was informal and slow, emphasizing that delays caused by legal uncertainty would weaken both proactive and reactive cyber defense strategies.
Chair Garbarino then asked Mr. Schimmeck to describe how his firm uses CISA 2015’s authorities in practice. Mr. Schimmeck explained that his company uses DHS’s Automated Indicator Sharing (AIS) program and other flexible channels to share threat information with both government and peers, stressing that information sharing in financial services is essential to maintaining system-wide trust.
Rep. Gimenez asked whether the U.S. is investing enough in artificial intelligence to counter the growing threat of AI-driven cyberattacks. Ms. Kuehn responded that while the private sector is investing heavily, the U.S. government should strengthen public-private partnerships with both large developers and small AI defenders to build an effective mutual defense system.
Rep. Gimenez followed up by asking whether agencies are unified in their approach to AI defense or operating independently. Ms. Rinaldo explained that most agencies are pursuing fragmented, function-specific strategies, and emphasized the potential of AI in next-generation networks like 6G for threat detection and resilience. Rep. Gimenez then asked whether U.S. adversaries, particularly China, are taking a more focused approach. Ms. Rinaldo confirmed that China strategically supports individual national champions like Huawei to dominate global markets, unlike the U.S. sector-wide model.
Rep. Ogles asked Mr. Schimmeck how AI is impacting the financial sector and what improvements might be needed in future updates to CISA 2015. Mr. Schimmeck responded that while AI is still in its early stages, firms are investing heavily, and improvements to the AIS program, including modernization for AI-driven information sharing, will be essential.
Rep. Ogles then asked Ms. Kuehn how small, rural jurisdictions with limited IT resources can be better protected against sophisticated cyberattacks. Ms. Kuehn stressed the importance of public-private partnerships to modernize outdated infrastructure and educate smaller operators, noting that a large portion of critical infrastructure is maintained by small to mid-sized businesses vulnerable to legacy exploits.
Ranking Member Swalwell asked how the loss of CPAC has impacted cybersecurity information sharing. Ms. Kuehn explained that the elimination of CPAC and other advisory bodies has reduced the ability to provide expert public-private feedback on emerging threats and undermined educational collaboration necessary for proactive defense. Ranking Member Swalwell asked whether DHS has provided any timeline for reinstating CPAC or establishing feedback mechanisms. Ms. Kuehn said she was unaware of any such timeline and recommended structuring a new CPAC with a mix of government, private sector practitioners, and executive-level business leaders to reflect the operational nature of modern cybersecurity risks.
Chair Garbarino asked how privacy concerns in the original CISA debate were resolved. Ms. Rinaldo explained that extensive stakeholder engagement led to critical safeguards such as mandatory anonymization and post-incident review, resulting in no known privacy violations since the law’s passage.
Chair Garbarino then asked whether any privacy concerns have emerged over the past decade. Mr. Miller responded that none had arisen, and he credited both the anonymization requirement and the decision to route sharing through DHS—as a civilian interface—as key protections that maintained public trust.
Chair Garbarino asked Mr. Schimmeck for his perspective on privacy safeguards. Mr. Schimmeck emphasized that the financial sector takes privacy seriously and that the law’s protections have effectively supported secure, responsible information sharing.
Chair Garbarino asked Ms. Kuehn for her view as well. Ms. Kuehn agreed that privacy concerns have not materialized and advocated for clean reauthorization without changes to privacy language, noting that the current framework works well.
Chair Garbarino concluded by asking the witnesses how CISA 2015 improved private-to-private information sharing. Mr. Miller answered that CISA enabled a significant increase in private-sector collaboration through structures like ISACs, which especially benefit small and medium-sized enterprises by providing scalable access to threat intelligence without requiring large cybersecurity budgets.
© 2024 Nimitz Tech, 415 New Jersey Ave SE, Unit 3