The Expiration of the Cybersecurity Information Sharing Act: A Sea Change in Cyber Defense

On September 30, 2025, the Cybersecurity Information Sharing Act (CISA 2015) officially expired, marking the end of a decade-long framework designed to facilitate the safe and consistent sharing of cyber-threat data between government and industry. For the first time in ten years, the United States stands without the legal backbone that supported its public-private threat intelligence ecosystems. As adversaries increasingly leverage automation, artificial intelligence, and geopolitical distractions, this lapse is far more than a mere procedural oversight; it signals a weakening of the trust, speed, and collaboration essential for national resilience.

Immediate Repercussions in Cyber Defense

Since the law’s expiration, significant disruptions have emerged across various sectors within the U.S. cyber defense framework. Federal agencies and private companies have begun scaling back their voluntary exchanges of threat intelligence—once a robust system enabling near-real-time detection and coordinated responses to cyber threats. Preliminary data show that the volume of shared indicators of compromise has plummeted by more than 70%.

Sector-specific Information Sharing and Analysis Centers (ISACs) have reported that they now face 24-48-hour delays in alert dissemination, a task that was once automated under CISA 2015. The implications are visible across numerous critical sectors:

  • Healthcare networks have experienced a 12% increase in ransomware activity, largely due to delayed coordination on threat signatures.
  • Energy and utilities operators are reporting longer response times when dealing with nation-state attempts to probe operational technology (OT) systems.
  • Financial institutions are suffering reduced visibility into cross-border fraud and business email compromise schemes that rely on the rapid sharing of intelligence.

In the absence of legal clarity and liability protections under CISA 2015, organizations are becoming hesitant to report cyber incidents or share indicators of compromise, inadvertently creating data silos at a time when connectivity is paramount.

A Bridge to Collaboration: What CISA Provided

Enacted in 2015, CISA was designed to build a legal and operational bridge between federal entities and private industry to facilitate the exchange of critical threat indicators like malware signatures and attack tactics. The law achieved this balance through key components: liability protections that allowed companies to share information without fear of legal repercussions and privacy safeguards ensuring that personal data was stripped away before any transfer occurred.

This model of mutual trust fostered a dynamic flow of cyber intelligence, creating a safety net for hospitals, banks, utilities, and defense contractors alike against threats from both nation-state actors and criminal organizations.

The Induced Blindness: A Legal and Operational Vacuum

The absence of CISA creates a two-fold problem: first, federal entities find themselves blind to threats originating from private networks, and second, private companies lose out on valuable federally curated threat indicators and cross-sector analytical insights. This fragmentation poses severe risks—especially as adversarial groups, particularly those linked to nations like China and Russia, escalate their intrusions into vital U.S. infrastructure.

Legislative Path Forward: Congressional Efforts

Recognizing the urgent need for a renewed framework, members of the U.S. Homeland Security and Governmental Affairs Committee are crafting a path forward. Senators Gary Peters (D-MI) and Mike Rounds (R-SD) have introduced the “Protecting America from Cyber Threats Act,” aiming to restore key elements of the cybersecurity provisions that just lapsed. Stakeholders across the tech industry are rallying for speedy passage, as this new law seeks to reauthorize the framework that allows for voluntary sharing of threat indicators, thus playing an essential role in preventing data breaches and bolstering the federal government’s response capabilities against external cyber threats.

The Emerging Landscape of Cybersecurity Legislation

The expiration of CISA 2015 is not simply a bureaucratic shortcoming; it’s a step backward in national security with significant global repercussions. Each day without reauthorization diminishes the trust, coordination, and shared visibility vital to safeguarding America’s critical systems. Today’s cyber threats are increasingly sophisticated, leveraging technologies such as AI that facilitate faster, smarter, and more interconnected attacks.

Going forward, it is essential to redefine the parameters of information-sharing laws to align them with the realities of a rapidly evolving cyber landscape. Such a modernized framework should:

  • Enable real-time, automated data exchange between trusted partners across various sectors.
  • Incentivize responsible sharing through updated liability protections and clearer privacy standards.
  • Integrate AI-driven analytics to expedite threat identification and contextualization.
  • Expand international cooperation to safeguard the global digital economy collectively.

The foundational principles that made CISA effective—trust, transparency, and accountability—must guide any renewed efforts. Collaboration among policymakers, Chief Information Security Officers (CISOs), and researchers will be crucial in creating a cohesive environment for actionable intelligence to flow as quickly as the threats themselves.

In the realm of cybersecurity, no single entity can defend alone. Building a web of visibility, trust, and collaboration is essential to fortify defenses against an evolving landscape of cyber threats.


Written by Michael Centrella, head of public policy at SecurityScorecard and former assistant director at the U.S. Secret Service.
