Trade groups worry information sharing will worsen without critical infrastructure panel, CISA law renewal

Business groups told lawmakers Tuesday that they fear cyber threat information sharing could drop off in light of the Trump administration’s move to eliminate a critical infrastructure committee and given the pending expiration of a 2015 law.
The Critical Infrastructure Partnership Advisory Council (CIPAC) fell among a swath of government advisory committees that Homeland Security Secretary Kristi Noem scrapped last week, with Noem saying they had fulfilled their purposes and were now “unnecessary.”
Industry witnesses testifying before the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection said CIPAC was, in fact, vital. That’s because it’s not just an advisory committee, they said: The panel is exempt from a law mandating public meetings of federal advisory committees, thereby ensuring government and industry members can exchange sensitive information without fear of disclosure.
“It’s not our place to decide how government organizes, but I want to highlight the value of industry-government partnership, and CIPAC provides extraordinary protections for those partnerships and those partnership activities,” said Scott Aaronson, senior vice president of energy security and industry operations at the Edison Electric Institute.
Ari Schwartz, coordinator of the Cybersecurity Coalition, said it’s true that there are too many federal advisory committees. But “we get more information from the government because it exists,” Schwartz said, referring to CIPAC during questions from California Rep. Eric Swalwell, the top Democrat on the subcommittee.
Whether there’s another way to ensure similar safeguards for sharing cyber threat information without CIPAC “depends on what it is ultimately replaced with,” Aaronson testified.
The chairman of the subcommittee, Rep. Andrew Garbarino, R-N.Y., said he was sympathetic to the industry arguments.
“I’m going to look into this and hopefully speak to the administration to try to fix this,” he said. “We don’t want industry not sharing information with us, we don’t want industry not sharing information with each other — because when that happens, it just increases the vulnerability that is out there.”
Industry witnesses said another risk to information sharing is the potential expiration of the 2015 Cybersecurity Information Sharing Act, commonly referred to as 2015 CISA, which is due to sunset at the end of September. That law provides more extensive legal protections for confidential information sharing between industry and government, and between businesses.
The law forms “the foundation for not just how we collaborate with government but across industry,” said Heather Hogsett, senior vice president and deputy head of BITS at the Bank Policy Institute. Under the law, the financial services sector expanded how it collaborates with other industry sectors, and she said “we would hate to see that disappear and walk back some of the gains we’ve made in that space.”
Furthermore, another law — the Cyber Incident Reporting for Critical Infrastructure Act of 2022 — depends on it, Hogsett said. That law, currently in the rulemaking process, establishes the circumstances under which victims of cyberattacks must report details about incidents to the federal government.
“As we’re getting ready to share more sensitive information, more detailed information to the government, we do want to make sure it’s well-protected,” she said.
The 2015 law could use an update to reflect cybersecurity as it exists today, said Robert Mayer, senior vice president for cybersecurity and innovation at USTelecom, The Broadband Association. “At a minimum, we think it’s absolutely essential that the CISA 2015 act be reauthorized,” he testified.
Garbarino also said he supports renewing that law, but its fate depends on how it fares in the upper chamber, where Senate Homeland Security and Governmental Affairs Chairman Rand Paul, R-Ky., has held up other DHS-related legislation, such as an extension of the since-expired law that established the Chemical Facility Anti-Terrorism Standards program.