Terry Gerton Well, I know you’ve got a lot of experience in this, but I just want to start with some background. The Cybersecurity Information Sharing Act (CISA 15) created an information sharing and legal protections framework, but it didn’t mandate participation, did it?

John Miller No, no, it did not mandate participation back in 2015 and the several years prior that the bill was being negotiated by Congress as well as private sector and other stakeholders. The thinking was that it was really important to have voluntary information sharing. So I think the bill was structured really so as to incentivize sharing by the private sector, and there were a number of different liability protections, in particular, that were put in place to protect both the monitoring of information systems by entities and also by entities like cybersecurity companies on behalf of other entities, whether they’re federal stakeholders or other private customers. There were also liability protections for that sharing itself. And then also some important protections regarding limiting regulatory uses, exempting the material shared from information disclosure laws like [the Freedom of Information Act], as well as antitrust protections.

Terry Gerton Well, it seems like that structure must have been pretty effective because the network has grown substantially since the law was enacted. And now it even includes state, local and tribal governments, along with federal agencies and industries. Why was it so important to bring the state and local governments into the network as well?

John Miller Yeah, it’s a great question because I think that the state and local, territorial and tribal entities are probably often overlooked. I think a lot of people when they think about a federal information sharing law are, I mean, appropriately thinking about the federal government and the Department of Homeland Security and what is now the Cybersecurity and Infrastructure Security Agency (CISA), which again, they’re both named CISA but they’re not the same thing; that is important. The federal hub that was created is very important and we can get a little bit more into the automated indicator sharing system that was set up here. It’s really important to — you asked the question about state and locals — I would look at CISA 15 and the information sharing system that it set up as a force multiplier. I mean, there are some very large, well-resourced companies and federal agencies and others who perhaps have access to more indicators and are able to also spend the resources to make sure that they’re getting access. That’s not the case with small and medium-sized businesses in the private sector, and it’s not the case with state and locals. So it’s really even more important that they are participating, I would argue, in a system like this. And also, there’s both direct participation by companies and by state and local governments and others, but then also very importantly, the whole network of information sharing and analysis centers (ISACs), as well as other kind of ISAC-like entities, information sharing and analysis organizations (ISAOs). That whole ecosystem really grew up during the same time period really, in 2012 to 2015 and beyond.
There were a number of executive orders during the Obama administration, but really, importantly, when you think about all the increased participation in those ISACs — and there is a state and local, tribal and territorial ISAC — all of those ISACs for all the 16 critical infrastructure sectors, like the IT ISAC, that’s the one I’m most familiar with. But for every critical infrastructure sector, they’re all participating in the National Council of ISACs, and then the ISACs are all kind of plugged in with the federal government, not only through the automated indicator sharing system, but through [the National Cybersecurity and Communications Integration Center (NCCIC)] and otherwise. Arguably the smaller entity is benefiting from sharing because effectively these kinds of umbrella organizations are sharing with an eye toward protecting them on their behalf, really.

Terry Gerton I’m speaking with John Miller, the senior vice president of policy and general counsel for the Information Technology Industry Council. So with what we were just talking about, setting up this sharing infrastructure where even the smallest players can get access to cyber attack indicators and other sorts of information, you’re not the first person to come forward and say CISA 15 really needs to be reauthorized on time, which is this coming September. What do you think the biggest risks are if that doesn’t happen?

John Miller I think if we take a step back to 2015 and previously, some who maybe are skeptics of the law’s value will say, well, we were sharing information before 2015. True. But I think a couple of points that are really important, if you talk to the people who were around then — and I don’t mean lawyers; it isn’t just myself, but the real cyber protectors and defenders out there, the operational folks — they will remind you that oftentimes we were sharing threat information via spreadsheets back then. Which is clearly not a scalable system to protect the many, as we were just talking about, the smaller companies and government agencies and entities at the state and tribal and territorial level. So one of the other innovations that was a part of CISA was it tasked the Department of Homeland Security with developing an automated indicator sharing system, which really allowed, it kind of helped really promote, a couple of different information sharing standards which are kind of known as [Structured Threat Information Expression (STIX) and Trusted Automated Exchange of Indicator Information (TAXII)] to take hold. And it also really paved the way for sharing automated indicators at scale. And so that is all happening today because of the law. And again, would some of that still continue even if the law went away? Perhaps, but it wouldn’t necessarily be the case that [the Department of Homeland Security] and now CISA, the agency, would still be able to share that information in an automated way because that has its origins and its roots in statute. So if the statute goes away, are they authorized to still do that? I think it’s an open question. So I think the bottom line is folks who don’t think CISA is important are probably overlooking the fact and taking for granted what the law has helped.
And maybe just to add one more thing, the law itself, I would also argue, as well as incentivizing all this direct sharing that we’ve been talking about, it really, it also is foundational for a lot of other public-private partnership-type activities that have grown up again and evolved since CISA 2015. And just one more recent example that your listeners may be aware of, I think everyone’s heard of the Joint Cyber Defense Collaborative (JCDC) the past several years. Even though that is, again, that is focused on operational collaboration, but the information shared through CISA 2015, arguably you wouldn’t be able to have the JCDC without those types of liability protections, or at least some companies who are perhaps more risk averse would not participate. So I do think we should look at CISA 2015 as foundational, not only to information sharing, but also to some of these other cybersecurity public-private partnerships.

Terry Gerton Well, you’ve recently testified, so Congress is holding hearings on this. What’s your sense of whether they’re gonna take this up in a timely fashion, and if so, what changes they might make in the process?

John Miller Well, I will say this: The hearing — and this was a, you know, House Homeland Cybersecurity Subcommittee hearing — I would say that both Chairman [Andrew] Garbarino (R-N.Y.) and Ranking Member [Eric] Swalwell (D-Calif.), as well as all the members of the subcommittee at the hearing. I mean, it was a fairly united front. There wasn’t anyone disagreeing that we should be reauthorizing this. And I’ve testified at a number of hearings over the years. This one was perhaps the one where there was the most consistent messaging amongst all the witnesses on the panel. And everyone said, “Hey, we need to reauthorize this legislation before it expires September 30th this year.” That might sound like a lot of time for those who don’t pay attention to Congress, but that’s not a ton of time. So that, I mean, the message that we heard on the panel, which I certainly agree with, is let’s not let the perfect be the enemy of the good. And even though we could perhaps make some changes and tweaks here, if it’s going to come at the price of having a lapse in these authorities, we shouldn’t do it. We should do a clean reauthorization and then work on changes in a more deliberate fashion if we can. That said, as I testified, if Congress wants to try to make some changes in the next couple of months, because again we can’t really count August either in that equation as being a productive work period necessarily, ITI and our members, me personally, we’re all happy to help, but we just don’t want to jeopardize the reauthorization. I will say in terms of what type of changes are very reasonable to contemplate here, I will say one type that we should consider and one type that probably doesn’t need to be considered. The type that we should be considering is, let’s be realistic. The threat landscape and technology has changed a lot in the past decade, right.
There are various threats that we weren’t necessarily thinking of back then such as ransomware, such as software supply chain attacks, and we really would want to kind of do an overlay, and also artificial intelligence we could throw in there from both an offensive and defensive measure standpoint. I think we should look at the very specific types of information that the law authorized companies and others to share and provided liability protections for and kind of overlay them with the new 2025 threat landscape to try to figure out if there are any gaps. And if there were, it would be possible to make surgical revisions to the law because you could just add a few categories of protected cyber threat indicators, for instance. That would be one way to go about it. The one thing that I think is notable: There was a lot of privacy controversy around this law back in the 2012-2015 timeframe when it was being negotiated. That’s understandable because that was also the same period of time where we had the Snowden disclosures and there was a lot of concern about surveillance. It’s very notable that the structure of the bill and the privacy protections that are built into this law apparently have worked because there have been something along the lines of 17 inspector general reports and other government reports regarding the law. And I’m not aware of a single instance of privacy leakage or personally identifiable information that has been breached, if you will, of an American or any citizen during that time. So the good news is we don’t have to get into that very contentious privacy debate this time around in my view.

Terry Gerton Well, thanks for raising all of those recommendations. I mean, it’s obvious that reauthorization is gonna be important. It’s not clear what will happen if it lapses, but we’ll see and we’ll keep our eye on this over the summer and see if they’re ready to go in September.

Copyright
© 2025 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
