Cyberthreat sharing law expires as government shuts down

A law allowing private companies to share information about cybersecurity threats with the government expired Wednesday after Congress failed to reauthorize the legislation amid a wider shutdown fight. 

The Cybersecurity and Information Sharing Act (CISA) of 2015, which initially appeared poised to be extended as part of a temporary stopgap measure, lapsed as lawmakers failed to avert a shutdown — a pause that lawmakers and experts warn could restrict a key pipeline of threat intelligence. 

“If we don’t extend these critical authorities, we will lose one of our most effective defenses against cyberattacks, as our adversaries’ attacks continue to grow more aggressive and more sophisticated,” Sen. Gary Peters (D-Mich.) warned Tuesday on the Senate floor. 

What CISA does

CISA provided companies with various protections for sharing cyber information. It shielded them from legal liability for monitoring information systems and providing cyberthreat indicators to the federal government. 

It also protected companies from antitrust lawsuits for exchanging information or providing assistance related to countering cyberthreats.  

“This law has protected our economy, it has protected our infrastructure, and it has protected our government for more than a decade,” Peters added.  

“It allows private companies and federal agencies to share real-time threat information before attacks spread, before systems are compromised and before damage becomes irreversible,” he continued. 

Peters and Sen. Mike Rounds (R-S.D.) introduced legislation in April to extend the law for another 10 years. However, its reauthorization has become increasingly complicated as Senate Homeland Security and Governmental Affairs Committee Chair Rand Paul (R-Ky.) has sought changes to the measure, according to Axios. 

Peters took aim at Paul on Tuesday, suggesting “there is only one person, one person standing in the way” of reauthorization efforts. 

As the Tuesday deadline quickly approached with limited movement on a full reauthorization, a temporary extension was added to a stopgap measure that sought to keep the government open through Nov. 21.

The continuing resolution ultimately passed the House on Sept. 19 but failed in the Senate as Democrats refused to support the GOP-led measure. 

Senate Majority Leader John Thune (R-S.D.) lined up Senate votes Tuesday on competing Democratic and Republican proposals to fund the government, but both proposals were doomed to fail, putting Washington on the path to a government shutdown.

What happens without CISA?

While companies can still share data with the government, the lapse eliminates key protections that encouraged that exchange of information, said David Kennedy, founder of the information security consulting firm TrustedSec. 

“The major concern here is that companies will share much less data because that law, and all of those relationships that have been built over the past 10 years may be fractured because of companies’ liability concerns,” Kennedy told The Hill. 

Companies also likely will move slower when considering sharing information as decisionmaking shifts from cybersecurity officials to legal experts, said Amy Shuart, vice president of technology and innovation at Business Roundtable. 

“CISA 2015 includes some really important protections that allow information sharing to happen more quickly — specifically antitrust exemptions, liability protections, FOIA exemptions — all of those pieces are things that absent CISA 2015, a general counsel is going to have to weigh,” she noted. 

Andrew Grosso, an attorney who currently sits on the Association for Computing Machinery’s U.S. Technology Policy Committee, underscored the importance of legal protections, noting “this is a very litigious society.” 

He pointed to a scenario in which a person or company provided information that turned out not to be a threat or couldn’t be proven. 

“Somebody claims they’ve been hurt by the disclosure, and suddenly the company or the individual is out on a limb,” Grosso said. “They may be sued. Their reputation may be damaged. Other companies may not want to talk to it.” 

If companies decline to share information about a data breach, this could leave others ill-prepared, especially those with less advanced security programs, Kennedy added. 

“It’s so imperative that there is an open network of communication happening with all of these different companies because that’s really the best way to defend, is to understand what your adversaries are doing and then from there being able to build defensive capabilities with that,” he said. 

US faces soaring threats from cyberattacks

CISA’s expiration comes amid an endless stream of cyberattacks on U.S. companies and organizations.  

Nine U.S. telecommunications companies were compromised by the China-linked hacking group Salt Typhoon, officials confirmed in December. These hackers were reportedly able to capture audio from people involved in President Trump’s and former Vice President Kamala Harris’s campaigns.  

Salt Typhoon also hacked one state’s National Guard network from March to December 2024, according to NBC News. 

The Trump campaign revealed in August 2024 that it had been hacked, and the U.S. later indicted three Iranians tied to the Islamic Revolutionary Guard Corps over the cyber intrusion.

“Absent the ability to share information quickly, that puts systems a little more at risk because it means that either you might not have access to information that you otherwise would have, or that you don’t receive it in quite as timely or an actionable moment,” Shuart said.

“With a cyberattack, time matters, and so it’s really critical to have that information flowing as quickly as possible,” she added. 

Thune and Senate Democratic Leader Chuck Schumer (N.Y.) have already set up another round of procedural votes Wednesday on partisan proposals to end the shutdown, but likely to no avail.

Thune said the Senate will be out of session Thursday to observe the Jewish holiday Yom Kippur, but senators expect to return Friday and resume work toward ending the shutdown.