Industry witnesses told a House Homeland Security Subcommittee that CISA 2015 should be reauthorized quickly but amended later with narrowly tailored changes to reflect software supply‑chain risks, artificial intelligence‑driven threats, and modernization of sharing systems.
John Miller of the Information Technology Industry Council recommended a focused rubric: assess whether existing statutory definitions—such as “cyber threat indicator”—adequately capture today’s threats, including software supply‑chain signals. He suggested considering additions that would allow companies to share information about suspect suppliers and software‑supply incidents under the statute’s liability protections.
On artificial intelligence, witnesses described both opportunity and risk. Miller said artificial intelligence “can be used both as a sword and a shield,” echoing committee discussion that defenders and adversaries alike are adopting AI capabilities. Carl Schimek and others urged investment in automated and AI‑enabled defensive tools and recommended exploring how to modernize Automated Indicator Sharing (AIS), which was designed a decade ago and now faces new data types and higher volumes.
Why it matters: Testimony emphasized the need to preserve the law’s protective framework while ensuring statutory definitions and federal programs keep pace with novel threats—ransomware, operational technology intrusions, software‑supply‑chain attacks and AI‑driven campaigns. Panelists recommended updates that would expand the law’s coverage in narrowly defined ways (for example, to allow sharing of supply‑chain indicators) and investment in modernized platforms for rapid, machine‑readable exchange.
Committee considerations: Several members and witnesses urged a two‑step approach: (1) clean reauthorization to avoid a statutory gap, then (2) prompt committee work to draft and consider targeted amendments (definitions, AIS modernization, and codification or functional replacement of advisory councils). Witnesses offered to provide technical suggestions to staff.
Ending: The subcommittee collected technical recommendations and asked witnesses to submit more precise language for possible floor or committee consideration—moving the debate from whether to reauthorize toward how to calibrate limited, technical updates after renewal.