Concerns over Cybersecurity Information Sharing Amid Government Changes
On Tuesday, business leaders expressed their apprehensions to lawmakers regarding the potential reduction in cyber threat information sharing, sparked by the recent decision of the Trump administration to disband a key critical infrastructure advisory committee.
Impact of CIPAC’s Disbandment
The Critical Infrastructure Partnership Advisory Council (CIPAC) was among several government advisory bodies eliminated last week by Homeland Security Secretary Kristi Noem, who asserted that the committee had accomplished its objectives and was now deemed “unnecessary.”
Testifying before the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection, industry representatives asserted the critical nature of CIPAC. They highlighted its unique status that allows for the exchange of sensitive information between government and industry stakeholders without the risk of public disclosure, a privilege not afforded to standard advisory committees.
Scott Aaronson, senior vice president of energy security and industry operations at the Edison Electric Institute, emphasized the importance of this partnership: “It’s not our place to decide how government organizes, but I want to highlight the value of industry-government partnership, and CIPAC provides extraordinary protections for those partnerships and those partnership activities.”
Information Sharing at Risk
Ari Schwartz, coordinator of the Cybersecurity Coalition, acknowledged the excess of federal advisory committees but insisted that “we get more information from the government because it exists,” particularly referencing CIPAC.
Scott Aaronson further noted that the future of information exchange rests on what may replace CIPAC, should the committee be abolished without a suitable substitute.
Legislative Concerns: CISA Expiration
The subcommittee’s chairman, Rep. Andrew Garbarino (R-N.Y.), expressed understanding for the industry’s concerns, stating, “We don’t want industry not sharing information with us, we don’t want industry not sharing information with each other — because when that happens, it just increases the vulnerability that is out there.”
Another point of contention for industry representatives is the impending expiration of the Cybersecurity Information Sharing Act of 2015 (CISA), which is set to lapse at the end of September. This law provides essential legal protections for the confidential sharing of information between government entities and businesses.
“The foundation for not just how we collaborate with government but across industry,” explained Heather Hogsett, senior vice president and deputy head of BITS at the Bank Policy Institute. She underlined that the elimination of CISA could hinder the progress made in information sharing among different sectors.
Future Implications
Additionally, legislative measures such as the Cyber Incident Reporting for Critical Infrastructure Act of 2022, currently undergoing rulemaking, rely on the framework established by the 2015 law. Hogsett noted the necessity of keeping information sharing robust and well-protected as sensitive data is discussed more frequently.
Robert Mayer, senior vice president for cybersecurity and innovation at USTelecom, called for the reauthorization of the CISA, advocating for its update to align with contemporary cybersecurity issues. He accentuated, “At a minimum, we think it’s absolutely essential that the CISA 2015 act be reauthorized.”
Garbarino echoed his support for renewing the legislation, though he noted that its future would depend on outcomes in the Senate, where legislation related to the Department of Homeland Security has faced delays under Senate Homeland Security and Governmental Affairs Chairman Rand Paul (R-Ky.).
