The Political Choreography Behind CISA's (Potentially) Clean Reauthorization
Despite two years to address constitutional overreach, Congress manufactures an emergency reauthorization over genuine reform
On May 15, 2025, four cybersecurity experts sat before the House Homeland Security’s Cybersecurity and Infrastructure Protection Subcommittee with a unified message: reauthorize CISA 2015 immediately, no questions asked. What they didn't mention was that the committee had spent two years avoiding those questions.
Understanding why no one wanted to discuss CISA's constitutional problems requires following a decade-long evolution from cybersecurity tool to censorship concern:
2015: Obama signed the CISA 2015 (Cybersecurity Information Sharing Act) to enable voluntary cybersecurity information sharing between the private sector and the government.
2018: Trump signed the CISA Act, creating the agency to protect critical infrastructure from foreign cyber threats.
2020-2022: Under Biden, the CISA agency expanded its mission to include domestic "misinformation" monitoring and content moderation partnerships.
2023: The House Judiciary Committee investigated and documented the CISA agency's constitutional overreach in its "Weaponization of CISA" report.
2025: With the CISA 2015 Act's information sharing authorities set to expire in September, a reauthorization hearing focuses solely on cybersecurity benefits.
When constitutional violations come packaged with valuable government services, Congress seems to have a remarkable ability to develop selective blindness. The CISA reauthorization hearing exposed this fundamental truth about modern governance: agencies that provide benefits to powerful constituencies can violate their statutory authority, face formal congressional investigation, and still avoid meaningful constraints simply by leveraging the value of their legitimate functions.
Industry pressure from the cybersecurity sector has proven devastatingly effective across party lines, while bureaucratic resistance frames any limitations as dangerous constraints on necessary evolution. Both parties have discovered that they benefit from information-sharing capabilities and broader censorship tools when in power, creating bipartisan complicity to avoid reform. An artificially tight deadline prevents the thorough deliberation that constitutional questions deserve, while complexity avoidance allows everyone to maintain the fiction that cybersecurity and civil liberties are entirely separate issues.
Rather than using reauthorization as leverage to fix identified problems, the committee members appear willing to extend problematic authorities, pushing constitutional issues to a later date. The strategically selected expert witnesses' unanimous support for "clean reauthorization" served the committee's desire to avoid difficult questions while ensuring fundamental problems persist unchecked for another authorization cycle. This approach suggests that constitutional violations may be tolerated when they are packaged with valuable government services that powerful constituencies want to preserve.
The hearing thus represents both a successful example of bipartisan cooperation on legitimate cybersecurity needs and a troubling example of how constitutional accountability can be avoided through strategic issue compartmentalization. If you want to see if the hearing was as boring as it sounds, give it a watch.
Avoiding the Hard Questions: A Curated Panel's Perspective
The House Homeland Security Subcommittee assembled four witnesses who presented a remarkably unified front in favor of clean reauthorization, despite representing different sectors of the cybersecurity ecosystem. Notably absent were any voices raising constitutional concerns about CISA's mission expansion—a deliberate omission that allowed the hearing to focus narrowly on technical cybersecurity benefits while sidestepping the issue of domestic censorship activities.
The reauthorization hearing's narrow focus on cybersecurity information sharing deliberately sidestepped the House Judiciary Committee's findings about CISA's constitutional overreach. Even Republican committee members avoided raising questions about CISA's expansion into domestic speech monitoring, suggesting a bipartisan desire to separate CISA’s reauthorization from broader constitutional concerns.
Given this strategic framework, the committee's witness selection reinforced their avoidance strategy, assembling four voices who could speak passionately about cybersecurity benefits without raising uncomfortable constitutional questions.
John Miller
Senior Vice President of Policy for Trust, Data, and Technology, General Counsel, Information Technology Industry Council
Miller walked the committee through CISA 2015's four-year legislative odyssey while representing 80 tech companies that profit handsomely from current arrangements. He painted the law as a masterpiece of stakeholder negotiation that transformed cybersecurity from "informal phone calls to automated sharing at scale," warning that any lapse would be an "unforced error" that would gift victories to cybercriminals. His message was clear: don't fix what isn't broken, especially when breaking it might hurt the bottom line of his members, who have built entire business models around government information-sharing partnerships.
Diane Rinaldo
Citizen and Former House Intelligence Committee Staff
Having shepherded CISA 2015 from conception to passage during her tenure on the House Intelligence Committee, Rinaldo spoke with the passionate defensiveness of someone watching critics attack her life's work. She emphasized China's "unrelenting assault" on American economic interests while acknowledging the law's gaps—limited small business participation, sluggish information flows, and persistent trust deficits. Her core frustration: Congress should require, not just allow, federal agencies to share intelligence with private partners, flipping the voluntary framework into a mandate that would strengthen her original vision.
Karl Schimmeck
Executive Vice President and Chief Information Security Officer, Northern Trust
Speaking for an industry that's become "fundamentally reliant" on CISA 2015's legal protections, Schimmeck delivered perhaps the hearing's most urgent testimony, warning that any lapse would make America "more vulnerable to cyber attacks the very next day." He wielded the financial sector's perfect privacy record—zero inappropriate data sharing incidents in a decade—as a shield against critics while emphasizing the daily peer-to-peer collaboration between CISOs that the law enables. His message carried the weight of Wall Street's collective anxiety: don't mess with the legal framework that keeps the money flowing and the hackers at bay.
Katherine (Kate) Kuehn
Member and CISO-in-Residence, National Technology Security Coalition
Kuehn brought a ground-level perspective to the hearing, emphasizing that 80% of critical infrastructure sits with small- and medium-sized businesses that lack the resources for sophisticated cybersecurity operations. She portrayed CISA as their lifeline, lamenting the recent termination of advisory bodies that facilitated collaboration. Her discussion of AI threats—"malicious, malfunction, and mistake"—captured the evolving complexity of modern cyber warfare, from nation-state "Typhoon" campaigns to simple software failures that can cripple infrastructure. Her plea for clean reauthorization carried the urgency of someone who sees vulnerability everywhere and views government partnership as the only viable defense.
None wanted to jeopardize reauthorization by addressing constitutional questions that might complicate passage.
How Security Imperatives Eclipsed Constitutional Accountability
Perhaps most revealing was the collective urgency surrounding the September deadline, which all participants treated as an unavoidable fact rather than a self-imposed constraint. This artificial pressure served everyone's interests: witnesses avoided scrutiny by claiming delays would endanger national security, while committee members justified their narrow focus through calendar constraints. What made this particularly disingenuous was that Congress has had two years since the House Judiciary's 2023 investigation to address CISA's constitutional overreach, yet chose to wait until the last moment to force a crisis atmosphere precluding meaningful reform.
This manufactured emergency became the backdrop for remarkable political choreography, where all participants performed an elaborate dance around constitutional questions that have consumed other parts of Congress. The unanimous support for clean reauthorization demonstrated the power of the cybersecurity industry's consensus, with witnesses speaking in lockstep about the urgent need to extend current authorities without modification. The deadline became a convenient excuse for intellectual shortcuts, allowing all parties to avoid reconciling competing values in favor of extending the status quo under emergency action.
Privacy protections were choreographed as elegant diversions against broader constitutional scrutiny. Witnesses repeatedly emphasized the 10-year track record showing no privacy violations in cybersecurity information sharing. That framing was technically accurate but deliberately narrow: it enabled claims of constitutional compliance while completely avoiding the House Judiciary findings about CISA's expansion into domestic speech monitoring, creating a rhetorical firewall between "good" cybersecurity and "problematic" censorship.
The ever-evolving threat landscape narrative—from AI attacks to China's "Typhoon" operations—served dual purposes beyond genuine security concerns. While these threats are real and sophisticated, their constant invocation created urgency that made constitutional questions seem like dangerous luxuries, effectively transforming careful legislative review into an emergency response where delay equaled danger.
The bipartisan embrace of public-private partnerships revealed how thoroughly the cybersecurity-industrial complex has captured both parties. Republicans enthusiastically endorsed deeper government-industry integration while Democrats praised cooperation without questioning conflicts of interest. This convergence exposed cybersecurity as a rare arena where ideological differences dissolve in favor of shared institutional interests, with both parties treating information sharing as completely separate from CISA's exposed mission expansion.
The emphasis on information sharing ecosystem maturation revealed how deeply embedded these relationships have become. The witnesses didn't just advocate for reauthorization—they described a complex web of Information Sharing and Analysis Centers (ISACs) that facilitate cybersecurity collaboration within sixteen infrastructure industries (energy, finance, healthcare, etc.), automated sharing systems, and collaborative frameworks that have become so integral to daily operations that any disruption seems unthinkable.
Meanwhile, a unanimous concern for small businesses provided politically palatable cover for expanded government programs, cleverly transforming a controversial agency into a bipartisan defense of American enterprise. This institutional entrenchment has created momentum where practical benefits have become more politically powerful than constitutional concerns, suggesting that sufficiently sophisticated government-industry partnerships become effectively immune to reform.
The Fault Lines Beneath the Surface
While the hearing displayed remarkable bipartisan harmony, the most significant tension was what nobody would discuss: the constitutional questions raised by the Judiciary Committee's 2023 investigation. The silence was deafening—if committee Republicans truly believed CISA exceeded its statutory authority when expanding into domestic speech monitoring, why didn't a single member raise these concerns? This suggests either tacit acceptance of CISA's broader mission or a calculated decision that cybersecurity benefits outweigh constitutional principles. Democrats, meanwhile, likely view CISA's mission expansion as a necessary adaptation to modern threats, reflecting their comfort with expansive government authority, though they were equally careful to avoid explicitly defending these controversial activities in a public forum.
Beyond avoiding constitutional issues, other philosophical divides emerged that participants carefully sidestepped. On the reauthorization approach, Republicans demonstrated their commitment to congressional oversight, with members like Rep. Ogles pushing for targeted improvements and definitional updates during the reauthorization process. This reflected their view that Congress should scrutinize and refine existing authorities rather than provide a rubber stamp for reauthorization. Democrats exhibited institutional protective instincts, with Rep. Swalwell's emphatic warnings against risking any changes that might delay passage, perhaps revealing fears that opening the legislative process to amendments could invite broader attacks on CISA's expanded mission.
The resource allocation debate exposed each party's foundational governing philosophy. Democrats, led by Rep. Magaziner's passionate defense of CISA's budget, reflected their core belief that an effective government requires robust funding and a well-staffed workforce. They positioned proposed budget cuts as ideological sabotage of essential public services. Notably, the House-passed 2025 Homeland Security Appropriations bill would actually allocate $2.93 billion for CISA, about $100 million more than its current budget, suggesting the "cuts" debate may have been more political theater than fiscal reality. Republicans, while advocating for adequate funding, consistently pivoted toward private sector solutions and investments in artificial intelligence (AI). This showcased their skepticism that bureaucratic expansion, which increases government spending, necessarily leads to improved outcomes.
The Reform Gap: What Should Happen vs. What Will Happen
While the hearing avoided constitutional questions in favor of industry talking points, genuine reform requires confronting what no participant wanted to discuss. The following recommendations represent what accountability would look like if Congress prioritized constitutional compliance alongside legitimate cybersecurity needs, acknowledging both CISA's valuable functions and its documented violations.
Constitutional Safeguards (What Should Happen)
Real constitutional protection requires clear boundaries and enforceable limitations, not the vague language that enabled CISA's mission creep in the first place.
Explicit mission limitations. Prevent domestic content monitoring, clearly define "critical infrastructure" to exclude "cognitive infrastructure," and require a foreign threat focus with congressional approval for mission expansion
Robust oversight mechanisms. Establish quarterly reports on non-cybersecurity activities, constitutional compliance audits, and penalties for exceeding statutory authority
First Amendment protections. Prohibit communications with social media platforms about content, and ban funding domestic speech monitoring organizations
Transparency requirements. Require public databases of government-platform communications, annual third-party funding disclosure, and real-time domestic social media surveillance and censorship reporting
Accountability Measures (What Congress Avoids)
Genuine accountability demands confronting past violations, not just preventing future ones through hollow promises of better behavior.
Retroactive investigation. Investigate all CISA domestic activities since 2020, audit "disinformation" organization funding, and analyze documented "switchboarding" operations
Leadership accountability. Demand congressional testimony from Director Easterly on "cognitive infrastructure" comments and require explanations of domestic monitoring authority
Structural reforms. Separate cybersecurity from domestic monitoring functions and establish independent civil liberties oversight
Advisory oversight. Require congressional approval for advisory committee members
Cybersecurity Improvements (What the Witnesses Want)
These represent the legitimate technical improvements that could be implemented alongside constitutional safeguards, proving that security and civil liberties need not be mutually exclusive.
Modernized threat definitions. Update "cyber threat indicator" definitions for AI attacks, supply chain compromises, and operational technology vulnerabilities
Enhanced collaboration infrastructure. Improve automated sharing systems, enhance Joint Cyber Defense Collaborative (JCDC) capabilities that enable real-time operational coordination between the government and the private sector, restore advisory bodies, and expand ISAC participation
Resource and process improvements. Ensure adequate cybersecurity funding and reform security clearances for technical experts
Comprehensive information sharing. Mandate bidirectional information sharing and support small business cybersecurity capabilities
Realistic Compromise (What Might Happen)
Compromising allows everyone to claim victory: cybersecurity interests get their reauthorization, constitutional hawks get their reporting requirements, and Congress avoids the hard work of actually reconciling competing values, ensuring that fundamental problems persist while creating the illusion of accountability and reform.
Clean reauthorization with a shortened sunset clause of perhaps two years instead of a longer term, forcing another review before the next election cycle while creating a separate track for constitutional reforms that may never materialize
Enhanced reporting requirements, including annual constitutional compliance reports, quarterly briefings on mission scope, and enhanced congressional notification requirements that provide the appearance of oversight without meaningful constraints
Advisory committee reforms that add constitutional law experts and civil liberties representatives to symbolically balance civil liberties while preserving industry influence, with congressional approval for some members
Limited scope clarifications that improve language on foreign cybersecurity threats and establish clear boundaries on domestic activities that sound meaningful but lack enforcement mechanisms
There’s still time until it happens. So, call the White House, your representative, your senator. Tell them what you want.
CISA provides a lot of support to my state's cybersecurity department. As a long-time reader of Racket News and the Twitter Files, I was surprised to find myself recently in a meeting hosted by the state cybersecurity department that had a hefty representation from CISA. Easy to see why state and local governments would eagerly embrace such a generous partner.