{"id":5149,"date":"2025-10-01T04:06:24","date_gmt":"2025-10-01T04:06:24","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5149"},"modified":"2025-10-01T04:06:24","modified_gmt":"2025-10-01T04:06:24","slug":"cisa-2015-cyber-threat-info-sharing-law-lapses-amid-government-shutdown","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5149","title":{"rendered":"CISA 2015 cyber threat info-sharing law lapses amid government shutdown"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Ten years ago, Congress passed a <a href=\"https:\/\/www.cisa.gov\/sites\/default\/files\/publications\/Cybersecurity%2520Information%2520Sharing%2520Act%2520of%25202015.pdf\">major cybersecurity bill<\/a> called the Cybersecurity Information Sharing Act of 2015 (CISA 2015) to empower the federal government to collect and disseminate threat information, while allowing private sector entities to voluntarily share that information with the government and among themselves, protected from adverse legal or regulatory ramifications.<\/p>\n<p>CISA 2015 was slated to expire on Sept. 30, 2025. Now, despite <a href=\"https:\/\/cyberscoop.com\/cyber-threat-information-law-hurtles-toward-expiration-with-poor-prospects-for-renewal\/\">many efforts<\/a> in both the House and Senate, and even with the support of the Trump administration, the cybersecurity sector, and both sides of the aisle, CISA 2015 has expired because it was not extended amid the legislative and political chaos that led to a US government shutdown.<\/p>\n<p>Consequently, cybersecurity defenders have lost the information-sharing liability protection the bill provided, and the government has lost a lot of visibility into threats emerging across the private sector. 
Given the overheated partisan environment in Washington, it\u2019s unclear how quickly or when Congress will revisit extending CISA 2015 or for how long.<\/p>\n<p>If the law remains lapsed \u201cfor a lengthy period, that will diminish capabilities across the industry to share and enhance real-time sharing of cyber threat indicators,\u201d <a href=\"https:\/\/www.darktrace.com\/people\/nathaniel-jones\">Nathaniel Jones<\/a>, VP of security and AI strategy at Darktrace, who, until two years ago, was a CISA veteran who had served as a section chief and operations officer, tells CSO.<\/p>\n<p>\u201cThe whole purpose of this was to provide an insulating layer over communications that are made by the critical sectors when they need to share information,\u201d <a href=\"https:\/\/www.linkedin.com\/in\/seattlemkh\/\">Mike Hamilton<\/a>, field CISO of Lumifi Cyber and former CISO of Seattle, tells CSO. \u201cNow, the private sector is going to be very reluctant to tell anybody what happens to them.\u201d<\/p>\n<h2 class=\"wp-block-heading\">What CISA 2015 provided<\/h2>\n<p>CISA 2015 explicitly authorized private entities to take certain defensive measures to stop cyberattacks, to monitor their own and customers\u2019 networks for cyber threats \u2014 with written authorization and consent \u2014 and share cyber threat indicators to provide better detection and response to cyber threats.<\/p>\n<p>It provided legal liability protection for how the private sector, which owns most of the critical infrastructure in the US, shares threat information with the US government and private sector peers. 
Moreover, it placed limits on how shared information can be used and provided several protections against unwanted disclosure.<\/p>\n<p>Among the protections offered by the legislation <a href=\"https:\/\/www.venable.com\/insights\/publications\/2025\/09\/cyber-threat-information-sharing-at-risk-what?utm_source=vuture&amp;utm_medium=email&amp;utm_campaign=20250929%20-%20cyber%20threat%20information%20sharing%20at%20risk%3A%20what%20companies%20should%20consider%20if%20the%20cybersecurity%20information%20sharing%20act%20of%202015%20is%20not%20renewed\">were<\/a>:<\/p>\n<ul>\n<li>Exemptions from anti-trust liability<\/li>\n<li>Exemptions from disclosure under FOIA and state sunshine laws<\/li>\n<li>Continued applicability of privileges and protections, including trade secret protections for shared information<\/li>\n<li>Continued protection of shared information as the commercial, financial, and proprietary information of a non-federal entity when so designated<\/li>\n<li>Exemptions from rules limiting\u00a0<em>ex parte<\/em>\u00a0or informal communications with federal officials<\/li>\n<li>Broad liability protections for information sharing efforts undertaken that are consistent with the laws<\/li>\n<\/ul>\n<p>\u201cWe always talked about the barriers in the way and the roadblocks to sharing, and that\u2019s what CISA 2015 was supposed to be doing: removing the barriers,\u201d <a href=\"https:\/\/www.venable.com\/professionals\/s\/ari-schwartz\">Ari Schwartz<\/a>, executive director at the Center for Cybersecurity Law and Policy and partner at law firm Venable, tells CSO. \u201cBut what it was really doing was getting easy legal approval for information sharing. 
CISA 2015 made it so that the lawyers did not have to do a review.\u201d<\/p>\n<h2 class=\"wp-block-heading\">What happens next, and what should CISOs do?<\/h2>\n<p>Most Capitol Hill observers believe that, given the broad support that CISA 2015 has received, Congress will inevitably find a solution that ends the government shutdown and, in so doing, pass at least a temporary extension of CISA 2015.<\/p>\n<p>\u201cIn both the short and long term, I am committed to finding the best path forward alongside my colleagues in the House and Senate to reauthorize and enhance these essential authorities,\u201d <a href=\"https:\/\/garbarino.house.gov\/\">Andrew Garbarino (R-NY)<\/a>, chairman of the House Committee on Homeland Security, told CSO in a statement.<\/p>\n<p>\u201cThere might be just a short-term window where they\u2019ll disconnect it and then try to figure out the longer extension,\u201d Darktrace\u2019s Jones says. \u201cAt the moment, the proposal is 10 years, which I think makes more sense, but I think people will look to give it a temporary stopgap.\u201d<\/p>\n<p>The real question is how long it will take Congress to extend CISA 2015. Experts stress that the damage to US cybersecurity from a lapse in CISA 2015 is directly correlated with just how long it stays lapsed. \u201cIf it\u2019s a short window, I don\u2019t think there\u2019s going to be a lot of impact,\u201d Lumifi\u2019s Hamilton says.<\/p>\n<p>Venable\u2019s Schwartz thinks that the situation will become increasingly problematic the longer Congress waits to act. \u201cIf it\u2019s two days, it\u2019s not going to be that impactful for companies,\u201d he says. 
\u201cIf it goes for some period of time, not having this provision is going to have an impact.\u201d<\/p>\n<p>\u201cIt\u2019s one thing if there\u2019s an incident and people aren\u2019t sharing information about the incident for one day because their lawyers said, \u2018Let\u2019s just hold on and see what happens tomorrow,\u2019\u201d Schwartz says. \u201cIf everyone starts doing that over a month, that becomes more problematic.\u201d<\/p>\n<p>Schwartz also thinks that organizations that operated under negotiated information-sharing arrangements prior to CISA\u2019s 2015 passage might fare better because they have existing legal frameworks to fall back on. \u201cIf it was done before 2015, then you have some sharing agreements that are probably still in place for the ISACs,\u201d he says, referring to <a href=\"https:\/\/www.csoonline.com\/article\/567485\/what-is-an-isac-or-isao-how-these-cyber-threat-information-sharing-organizations-improve-security.html\">Information Sharing and Analysis Centers<\/a>. \u201cThere may be some things that they have to update a little bit, but it\u2019s not that much.\u201d<\/p>\n<p>The impact of the law\u2019s lapse will also vary sector by sector. \u201cFor some sectors, it\u2019s going to be a lot less than other sectors that weren\u2019t sharing before, didn\u2019t have the agreements in place, or weren\u2019t working on the agreements,\u201d Schwartz emphasizes. \u201cThat\u2019s going to be quite a lot of work for them.\u201d<\/p>\n<p>However, Schwartz advises CISOs to work closely with in-house or external counsel prior to any future information-sharing efforts lest they be held liable for any legal missteps.<\/p>\n<p>\u201cYou need to go to the lawyers,\u201d he says. \u201cYou need legal reviews. 
If you\u2019re a CISO, you have to go to your inside counsel and tell them, \u2018We heard this law is not passing, and we want to make sure that we\u2019re not doing anything that\u2019s going to give the company liability down the road.\u2019\u201d<\/p>\n<p>This level of legal review will no doubt slow down any sharing of threats or possible defense techniques. \u201cThe lawyers are going to look into it and review the types of sharing that have been going on, what laws might be violated, and whether there are agreements in place for what happens to it on the other side,\u201d Schwartz says.<\/p>\n<p>He adds, \u201cThere will still be information sharing, but we\u2019ve gone multiple steps backwards.\u201d<\/p>\n<p><em><strong>Update, Sept. 1:\u00a0<\/strong>A CISA spokesperson told CSO in a statement, \u201cAs America\u2019s cyber defense agency, CISA remains fully committed to safeguarding the nation\u2019s critical infrastructure. While a government shutdown can disrupt federal operations, CISA will sustain essential functions and provide timely guidance to minimize disruptions.\u201d The spokesperson added, \u201cThe Cybersecurity Information Sharing Act of 2015 remains vital to this mission and allowing it to lapse would be a serious blow. CISA will continue its mission, but America\u2019s defenders deserve both the tools and the support to meet growing threats.\u201d<\/em><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Ten years ago, Congress passed a major cybersecurity bill called the Cybersecurity Information Sharing Act of 2015 (CISA 2015) to empower the federal government to collect and disseminate threat information, while allowing private sector entities to voluntarily share that information with the government and among themselves, protected from adverse legal or regulatory ramifications. 
CISA 2015 [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5136,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5149","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5149"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5149"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5149\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5136"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5149"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5149"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5149"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}