During a House Homeland Security Committee hearing held before the Congressional recess, Rep. Eric Swalwell (D-CA) questioned experts about the consequences of CISA expiring.
Transcript
00:00 Thank you, gentlemen. I now recognize the Ranking Member,
00:04 gentleman from California, Mr. Swalwell, for five minutes of questions.
00:07 Mr. Schwartz, how should CISA revise its comment process to better engage stakeholders? And how
00:14 would you recommend CISA structure additional feedback opportunities to maximize stakeholder
00:19 input without unduly delaying issuing a final rule? CISA has the tools today to do this,
00:27 and Congress gave them the tools to engage with the private sector in a way that they can get
00:34 direct advice on issues and do it under, protected from FACA, protected from Freedom
00:43 of Information Act, so that companies can feel free to share and that it only goes into
00:47 the process of writing this rule. And they should use that to define their ex parte process.
00:53 It is the CIPAC authority that provides them to do that, and that's exactly what we recommend
00:58 that they do. To each witness, and feel free to jump in. I'll start. A decade ago, actually,
01:05 sorry, a new question for each witness. Congress passed the Cybersecurity Information Sharing Act
01:12 of 2015, which facilitates the voluntary sharing of cybersecurity information between the private
01:18 sector and the government. It expires, as I noted in my opening remarks, in September.
01:22 What are the consequences of CISA expiring?
01:30 Ms. Hawks. I'll start. So, the CISA 2015 protections really form the foundation for
01:36 how we collaborate, not just with government, but also across industry to ensure that we are
01:42 sharing necessary information to protect everybody. So, it's a key foundation for our
01:46 collective defense. It provides information sharing protections, liability protections,
01:51 antitrust protections. And we've now had the benefit of that for the last 10 years. And I
01:55 think over that time, we've certainly seen an increase in collaboration. I think our sector
02:00 has always collaborated well within itself, but the expansion to across sectors and with other
02:04 companies has been very valuable. We would hate to see that disappear and that we walk back some of
02:11 the gains that we've made in that space. And also, as we noted earlier, CIRCIA itself, with respect
02:17 to incident reporting, refers back to the CISA 2015 protections. So, as we're getting ready to
02:23 share more sensitive information, more detailed information to the government, we do want to make
02:28 sure that it is well protected. Yeah, Mr. Mayor. Thank you. So, at a minimum, we think it's
02:35 absolutely essential that the CISA 2015 Act be reauthorized. As pointed out, I think we've
02:42 learned things in the last 10 years, what has encouraged additional information sharing, what
02:47 has constrained it. So, there are opportunities to make enhancements, improvements in the law.
02:52 The cost of not doing this is monumental. It'll cause companies to be very careful about what
02:57 they submit, reluctant to submit with the protections that Heather alluded to. And we'll
03:04 be undermining our national security if we don't have something in place to either continue it in
03:09 its current form, but ideally to reflect what we've learned over the past decade. Yeah, Mr. Schwartz.
03:14 Yeah, so we've seen information sharing organizations grow around this law, and that they are
03:23 specifically created, the Cyber Threat Alliance, for example, is specifically built around this law.
03:29 The way that the financial sector ISAC shares out with other groups, not
03:34 internally, but with other organizations, is built around the pieces of this law. If this
03:40 law disappears, they will have to redo how they are structured, and we will lose
03:46 critical time just doing that. I would just say this, I'm okay with, I believe in
03:52 the principles of sunk cost, and just because you've been doing it doesn't mean that's the best
03:55 way to do it, but is it beneficial? But it will definitely slow, and in some cases
04:02 totally stop, information sharing that has prevented threats, and prevented incidents
04:07 from happening. Great, thanks. So I want to spike in here. I agree with everything that my fellow
04:12 panelists have said, so I'll just associate myself with that. Those protections, I sort of
04:18 think of it north-south, industry and government, sharing information east-west across critical
04:21 sectors, has really grown up because of those protections in CISA. I just want to respond a
04:26 little bit to something that Mr. Higgins was saying. Incident reporting and information sharing are
04:32 both incredibly valuable, but understanding what the difference between those two things
04:36 is. Information sharing is about ongoing threats, where we don't have full certainty of what an
04:43 adversary might be doing, and sharing tactics, techniques, and procedures across critical sectors
04:47 so we can all collectively defend is incredibly valuable. Incident reporting has value too. Once
04:52 we know what that risk was, helping to identify those patterns, helping to socialize those broadly,
04:57 helping government to set priorities, helping to set policy that is informed by what is actually
05:02 happening in cyberspace is incredibly valuable. So we like incident reporting. We like information
05:09 sharing. It just needs to be done with protections and in an effective way that, again, government
05:15 can ingest all of this and not put undue burden on the people who are just trying to defend networks.
05:19 Appreciate that and yield back.