The US’ Cybersecurity Information Sharing Act (CISA) of 2015, an Obama-era cyber security intelligence-sharing law that was allowed to lapse at the end of September as the US government entered a prolonged shutdown, is to receive a new lease of life as part of a continuing resolution to reopen the federal government.
Politicians in Washington DC are this week making tentative progress on ending the shutdown, which has left hundreds of thousands of federal workers working without pay, shuttered America’s national parks, and caused chaos for travellers.
As part of a deal approved in the US Senate on Monday 10 November, CISA will be temporarily reinstated at least until 30 January 2026, although the bill in question still needs to pass the lower House of Representatives in Congress, where it may face more challenges.
Jiwon Ma, a senior policy analyst at the Foundation for the Defense of Democracies (FDD) thinktank’s Center on Cyber and Technology Innovation (CCTI), said the extension would buy time to finalise long-term reauthorisation of CISA 2015, as well as the State and Local Cybersecurity Grant Program (SLCGP).
“Congress now has less than 90 days to decide whether to restore long-term stability to CISA 2015 and SLCGP or continue the cycle of short-term patches that weaken our cyber defences,” she said.
“The extension should be treated as an opportunity to modernise both programs – and there is pending legislation in the House to do just that,” added Ma. “Congress can strengthen CISA 2015 by updating liability protections, clarifying data handling standards, and expanding participation from small and rural critical infrastructure owners and operators that too often remain outside formal information sharing networks.”
Exabeam chief information security officer (CISO) Kevin Kirkwood described the renewal of CISA 2015 as a classic example of DC lawmakers “duct-taping a good idea to a bad habit”, and urged a rethink of what its successor should look like.
“At its core, CISA aimed to foster collaboration between the private sector and government by encouraging voluntary sharing of threat intelligence, something that absolutely matters in today’s threat landscape. But the real value came from the legal shields it offered: liability protections, antitrust exemptions, and FOIA [Freedom of Information Act] immunity. That was the incentive, and it worked. The problem isn’t with the sharing, it’s with the inevitable bloat that comes when federal agencies expand their footprint under the banner of ‘cyber security coordination’,” he said.
“Now that the law has briefly lapsed and Congress is scrambling to reattach it, this is the moment to rethink what version 2.0 should look like. We need a leaner, more focused model that preserves the flow of intelligence but resists the gravitational pull of centralised bureaucracy.
“The answer isn’t more committees, more paperwork, or vague mandates for agencies to ‘enhance’ things with no accountability,” said Kirkwood. “It’s a private-sector-first architecture where the government supports – not steers – the ecosystem. In other words: collaboration without colonisation.”
Shutdown impact to cyber data sharing unknown
Before the shutdown began, cyber experts had warned of the possibility of severe impacts should CISA 2015 be allowed to lapse without an extension or replacement in place – ranging from businesses left in legal limbo unable to share timely data, to reduced capacity for multinational law enforcement operations involving US agencies such as the FBI.
Fortunately, the worst-case scenario – a major nation-state cyber attack affecting a core US government agency – does not seem to have come to pass as far as the public is currently aware.
This said, the true impact of the temporary lapse of CISA 2015 may not become clear for some time.
