Ten years ago, Congress passed a major cybersecurity bill called the Cybersecurity Information Sharing Act of 2015 (CISA 2015) to empower the federal government to collect and disseminate threat information, while allowing private sector entities to voluntarily share that information with the government and among themselves, protected from adverse legal or regulatory ramifications.
CISA 2015 was slated to expire on Sept. 30, 2025. Now, despite many efforts in both the House and Senate, and even with the support of the Trump administration, the cybersecurity sector, and both sides of the aisle, CISA 2015 has expired because it was not extended amid the legislative and political chaos that led to a US government shutdown.
Consequently, cybersecurity defenders have lost the information-sharing liability protection the bill provided, and the government has lost a lot of visibility into threats emerging across the private sector. Given the overheated partisan environment in Washington, it’s unclear how quickly or when Congress will revisit extending CISA 2015 or for how long.
If the law remains lapsed “for a lengthy period, that will diminish capabilities across the industry to share and enhance real-time sharing of cyber threat indicators,” Nathaniel Jones, VP of security and AI strategy at Darktrace and, until two years ago, a CISA veteran who served as a section chief and operations officer, tells CSO.
“The whole purpose of this was to provide an insulating layer over communications that are made by the critical sectors when they need to share information,” Mike Hamilton, field CISO of Lumifi Cyber and former CISO of Seattle, tells CSO. “Now, the private sector is going to be very reluctant to tell anybody what happens to them.”
What CISA 2015 provided
CISA 2015 explicitly authorized private entities to take certain defensive measures to stop cyberattacks, to monitor their own and customers’ networks for cyber threats — with written authorization and consent — and share cyber threat indicators to provide better detection and response to cyber threats.
It provided legal liability protection for how the private sector, which owns most of the critical infrastructure in the US, shares threat information with the US government and private sector peers. Moreover, it placed limits on how shared information can be used and provided several protections against unwanted disclosure.
Among the protections offered by the legislation were:
Exemptions from anti-trust liability
Exemptions from disclosure under FOIA and state sunshine laws
Continued applicability of privileges and protections, including trade secret protections for shared information
Continued protection of shared information as the commercial, financial, and proprietary information of a non-federal entity when so designated
Exemptions from rules limiting ex parte or informal communications with federal officials
Broad liability protections for information sharing efforts undertaken that are consistent with the laws
“We always talked about the barriers in the way and the roadblocks to sharing, and that’s what CISA 2015 was supposed to be doing: removing the barriers,” Ari Schwartz, executive director at the Center for Cybersecurity Law and Policy and partner at law firm Venable, tells CSO. “But what it was really doing was getting easy legal approval for information sharing. CISA 2015 made it so that the lawyers did not have to do a review.”
What happens next, and what should CISOs do?
Most Capitol Hill observers believe that, given the broad support that CISA 2015 has received, Congress will inevitably find a solution that ends the government shutdown and, in so doing, pass at least a temporary extension of CISA 2015.
“In both the short and long term, I am committed to finding the best path forward alongside my colleagues in the House and Senate to reauthorize and enhance these essential authorities,” Andrew Garbarino (R-NY), chairman of the House Committee on Homeland Security, told CSO in a statement.
“There might be just a short-term window where they’ll disconnect it and then try to figure out the longer extension,” Darktrace’s Jones says. “At the moment, the proposal is 10 years, which I think makes more sense, but I think people will look to give it a temporary stopgap.”
The real question is how long it will take Congress to extend CISA 2015. Experts stress that the damage to US cybersecurity from a lapse in CISA 2015 is directly correlated with just how long it stays lapsed. “If it’s a short window, I don’t think there’s going to be a lot of impact,” Lumifi’s Hamilton says.
Venable’s Schwartz thinks that the situation will become increasingly problematic the longer Congress waits to act. “If it’s two days, it’s not going to be that impactful for companies,” he says. “If it goes for some period of time, not having this provision is going to have an impact.”
“It’s one thing if there’s an incident and people aren’t sharing information about the incident for one day because their lawyers said, ‘Let’s just hold on and see what happens tomorrow,’” Schwartz says. “If everyone starts doing that over a month, that becomes more problematic.”
Schwartz also thinks that organizations that operated under negotiated information-sharing arrangements prior to CISA’s 2015 passage might fare better because they have existing legal frameworks to fall back on. “If it was done before 2015, then you have some sharing agreements that are probably still in place for the ISACs,” he says, referring to Information Sharing and Analysis Centers. “There may be some things that they have to update a little bit, but it’s not that much.”
The impact of the law’s lapse will also vary sector by sector. “For some sectors, it’s going to be a lot less than other sectors that weren’t sharing before, didn’t have the agreements in place, or weren’t working on the agreements,” Schwartz emphasizes. “That’s going to be quite a lot of work for them.”
However, Schwartz advises CISOs to work closely with in-house or external counsel prior to any future information-sharing efforts lest they be held liable for any legal missteps.
“You need to go to the lawyers,” he says. “You need legal reviews. If you’re a CISO, you have to go to your inside counsel and tell them, ‘We heard this law is not passing, and we want to make sure that we’re not doing anything that’s going to give the company liability down the road.’”
This level of legal review will no doubt slow down any sharing of threat information or possible defense techniques. “The lawyers are going to look into it and review the types of sharing that have been going on, what laws might be violated, and whether there are agreements in place for what happens to it on the other side,” Schwartz says.
He adds, “There will still be information sharing, but we’ve gone multiple steps backwards.”