US Cybersecurity Legislation Developments: Restoring Expired Information Sharing Protections

Vladimir Tsakanyan

Introduction

On September 30, 2025, a cornerstone of America’s cybersecurity defense strategy quietly expired—a casualty of political dysfunction and government shutdown drama. The Cybersecurity Information Sharing Act of 2015 (CISA 2015), which for a decade facilitated the voluntary exchange of cyber threat intelligence between private companies and federal agencies, reached its sunset clause without congressional reauthorization.[1] The implications of this lapse extend far beyond bureaucratic inconvenience, potentially weakening the nation’s collective ability to detect, prevent, and respond to cyberattacks from sophisticated adversaries including Russia, China, Iran, and North Korea.

In a swift bipartisan response, Senators Gary Peters (D-MI) and Mike Rounds (R-SD) introduced the “Protecting America from Cyber Threats Act” to restore these critical protections and extend them for an additional ten years.[2] Yet as legal uncertainty permeates corporate boardrooms and cybersecurity operations centers, the question remains: How much damage has already been done?

The Foundation: What CISA 2015 Accomplished

The Cybersecurity Information Sharing Act of 2015 established a framework that encouraged private sector organizations to voluntarily share cyber threat indicators with the Department of Homeland Security (DHS).[3] These indicators include malware signatures, software vulnerabilities, malicious IP addresses, and other technical details that help identify and neutralize cyber threats before they cause widespread damage.

The law’s genius lay in its liability protections. Companies that shared threat information in good faith received legal safe harbor, shielding them from antitrust concerns and potential lawsuits that might arise from data sharing activities.[4] This framework proved instrumental in addressing major cyberattacks, including the SolarWinds supply chain compromise and ongoing campaigns by Chinese state-sponsored groups like Volt Typhoon and Salt Typhoon.[2]

Over the past decade, this information sharing ecosystem has helped defend critical infrastructure across multiple sectors—hospitals that store patient data, financial systems processing billions of transactions daily, and energy grids powering entire cities.[2] When a company detected a new attack method, sharing that intelligence allowed others to implement defenses before falling victim to the same threat.

The Expiration Crisis: How We Got Here

The sunset provision embedded in CISA 2015 established September 30, 2025, as the expiration date, requiring congressional action for renewal.[5] Despite warnings from cybersecurity professionals and advocacy from industry groups representing sectors from aviation to retail, Congress failed to pass reauthorizing legislation before the deadline.[6]

The timing proved particularly unfortunate, coinciding with a government shutdown triggered by Congress’s failure to pass funding legislation.[7] As political battles consumed Washington, the quiet expiration of cybersecurity protections received insufficient attention—until it was too late.

Multiple industry coalitions, including the American Public Power Association, Airlines for America, American Gas Association, Bank Policy Institute, and the National Association of Manufacturers, had urged Congress to act.[8] Their warnings went unheeded, and on October 1, 2025, American companies woke to a fundamentally altered legal landscape for cyber threat intelligence sharing.

Immediate Consequences: Lawyers Enter the Chat

The practical impact of CISA 2015’s expiration became apparent almost immediately. Without statutory liability protections, corporate legal departments began exercising extreme caution regarding what threat information could be shared with federal agencies.[9] While no law explicitly prohibits voluntary information sharing, the absence of legal safe harbor creates significant uncertainty about potential civil liability, antitrust implications, and privacy law compliance.

Saša Zdjelar, Chief Trust Officer at ReversingLabs, a company that maintained extensive threat repositories under CISA protections, described the situation as “a textbook case of political dysfunction creating real-world security vulnerabilities.”[7] His company, like many others, now faces difficult decisions about whether to continue sharing intelligence that previously helped build comprehensive defenses against emerging threats.

Industry experts have warned that information sharing could decline by up to 80 percent without legal protections—a catastrophic reduction in the collaborative intelligence that has underpinned national cyber defenses for the past decade.[10] Each company that opts for legal caution over information sharing creates a blind spot in the nation’s collective threat awareness, potentially allowing adversaries to exploit vulnerabilities that could have been identified and addressed.

The Bipartisan Solution: Protecting America from Cyber Threats Act

Recognizing the urgency of the situation, Senator Gary Peters, Ranking Member of the Homeland Security and Governmental Affairs Committee, and Senator Mike Rounds introduced bipartisan legislation to restore and extend cybersecurity information sharing protections.[2]

The Protecting America from Cyber Threats Act—renamed from the original CISA to avoid confusion with the Cybersecurity and Infrastructure Security Agency—would reauthorize the expired framework for ten years.[11] The legislation maintains the core liability protections that encouraged voluntary sharing while incorporating comprehensive privacy safeguards to prevent personally identifiable information (PII) from being included in threat reports.[2]

“This bipartisan bill renews a proven framework that has helped defend critical networks at our hospitals, financial systems, and energy grids from cyberattacks for a decade,” Senator Peters stated. “We must quickly renew these longstanding cybersecurity protections that encourage companies to voluntarily share information about cybersecurity threats with the federal government to ensure we are prepared to defend our national and economy security against relentless attacks from cybercriminals and foreign adversaries.”[2]

Senator Rounds emphasized the legislation’s urgency: “The lapse in this legislation due to the government shutdown leaves our nation vulnerable to cyber attacks. Our legislation would extend these provisions for an additional 10 years.”[2]

The bill has garnered substantial support from business organizations representing diverse sectors of the American economy, including the Business Roundtable, Business Software Alliance, Chamber of Commerce, Edison Electric Institute, and USTelecom.[2] This broad coalition reflects the widespread recognition that cybersecurity is not merely a technical issue but a fundamental business concern with national security implications.

The Broader Context: A Landscape of Emerging Threats

The expiration of CISA 2015 occurs against a backdrop of intensifying cyber threats from state-sponsored actors and sophisticated criminal organizations. Chinese government-backed groups have conducted extensive reconnaissance of American critical infrastructure, positioning themselves for potential disruption operations.[12] Russian cyber units have repeatedly targeted energy systems, while Iranian and North Korean actors pursue both espionage and financially motivated attacks.[2]

Recent legislative efforts have attempted to address specific threat vectors. The Strengthening Cyber Resilience Against State-Sponsored Threats Act, which passed the House of Representatives in December 2024 and was reintroduced in April 2025, focuses specifically on countering Chinese cyber operations targeting U.S. critical infrastructure.[13] While this legislation addresses an important dimension of the threat landscape, it does not replace the broader information sharing framework established by CISA 2015.

Meanwhile, workforce development initiatives like the Cyber PIVOTT Act aim to address the chronic shortage of cybersecurity professionals by creating skills-based training pathways.[14] Executive orders from both the outgoing and incoming administrations have emphasized the importance of modernizing federal cybersecurity capabilities, including advancing phishing-resistant authentication and enabling government-wide visibility of attacker activity.[15]

These various initiatives underscore a fundamental reality: cybersecurity is not a problem that can be solved by any single law, agency, or sector working in isolation. The strength of America’s cyber defenses depends on collaboration—exactly the type of collaboration that CISA 2015 facilitated and that now hangs in legal uncertainty.

What Happens Next: Legal Uncertainty and Adaptation

Even without statutory protections, companies can legally continue sharing cyber threat information with government agencies and other private entities.[16] However, the legal calculus has fundamentally changed. Corporate counsel must now evaluate sharing decisions through the lens of potential antitrust concerns, privacy law compliance under various state and federal regimes, and general civil liability exposure.

This legal complexity creates friction that may not entirely halt information sharing but will certainly slow it down and reduce its comprehensiveness. Companies may share less detailed information, implement additional review processes before sharing, or limit sharing to only the most critical threats where the security benefit clearly outweighs legal uncertainty.

The cybersecurity community has already observed these effects in action. Lawyers are increasingly involved in decisions that were previously straightforward operational matters handled by security teams.[9] This added bureaucratic layer consumes time and resources while potentially delaying the dissemination of time-sensitive threat intelligence.

For federal agencies like CISA (the Cybersecurity and Infrastructure Security Agency), the loss of comprehensive private sector intelligence creates significant blind spots. While large-scale attacks against major corporations may still be reported, the early warning signals of emerging threats—reconnaissance activities, initial compromise attempts, novel exploitation techniques—may go unreported until they escalate into major incidents.

Conclusion: The Cost of Inaction

The expiration of the Cybersecurity Information Sharing Act represents more than a legislative oversight—it exemplifies how political dysfunction can create concrete national security vulnerabilities. For a decade, CISA 2015 provided a proven framework for public-private cybersecurity collaboration, helping to identify and neutralize threats from the world’s most sophisticated adversaries.

The bipartisan Protecting America from Cyber Threats Act offers a path forward, restoring critical protections while extending them for another decade. The broad industry support for this legislation demonstrates that cybersecurity is one of the rare issues where partisan divides fade in recognition of shared national interest.

Yet as each day passes without reauthorization, the information sharing ecosystem that took years to build continues to erode. Companies exercise legal caution while adversaries exploit the resulting blind spots. The question is not whether Congress will eventually act—the question is how much damage will be done before it does.

In an era where cyberattacks can disable hospitals, disrupt supply chains, steal sensitive data, and threaten critical infrastructure, the ability to share threat intelligence quickly and comprehensively is not a luxury—it is a necessity. America’s adversaries are not waiting for Congress to resolve its political disputes. Every moment of delay is an opportunity for those who wish to do harm.

The clock that ran out on September 30, 2025, can be reset. But first, Congress must recognize that cybersecurity is too important to be another casualty of political gridlock. The Protecting America from Cyber Threats Act deserves swift passage, not for partisan advantage, but for the security of the nation’s digital infrastructure and the millions of Americans who depend on it.


References

[1] Mayer Brown. (2025, October). “Cybersecurity Information Sharing Act of 2015 Lapses.” Insights. https://www.mayerbrown.com/en/insights/publications/2025/10/cybersecurity-information-sharing-act-of-2015-lapses

[2] U.S. Senate Committee on Homeland Security & Governmental Affairs. (2025, October). “Peters & Rounds Introduce Bipartisan Bill to Restore Critical Cybersecurity Protections.” https://www.hsgac.senate.gov/media/dems/peters-rounds-introduce-bipartisan-bill-to-restore-critical-cybersecurity-protections/

[3] Congressional Research Service. (2025). “The Cybersecurity Information Sharing Act of 2015: Expiring Provisions.” Congress.gov. https://www.congress.gov/crs-product/IF12959

[4] Morrison Foerster. (2025, October). “CISA 2015 Sunsets: Cyber Threat Sharing Without a Net?” Data Protection Report. https://www.dataprotectionreport.com/2025/10/cisa-2015-sunsets-cyber-threat-sharing-without-a-net/

[5] World Economic Forum. (2025, October). “Cybersecurity Information Sharing Act Expires, and Other Cybersecurity News.” https://www.weforum.org/stories/2025/10/key-us-cyber-law-expire-cybersecurity-news/

[6] American Public Power Association. (2025). “Groups Urge Congress to Extend Expiration Date for Cybersecurity Information Sharing Act.” https://www.publicpower.org/periodical/article/groups-urge-congress-extend-expiration-date-cybersecurity-information-sharing-act

[7] Infosecurity Magazine. (2025, October). “Expired US Cyber Law Puts Data Sharing and Threat Response at Risk.” https://www.infosecurity-magazine.com/news/expired-cisa-2015-us-intelligence

[8] Cybersecurity Dive. (2025, October). “Landmark US Cyber-Information-Sharing Program Expires, Bringing Uncertainty.” https://www.cybersecuritydive.com/news/cisa-information-sharing-program-expires-congress/761537/

[9] Axios. (2025, October). “Cyber Threat Information-Sharing Slows as Lawyers Get Involved.” https://www.axios.com/2025/10/14/cyber-information-sharing-congress-law

[10] Based on industry expert warnings cited in multiple sources regarding potential decline in information sharing without legal protections.

[11] Nextgov/FCW. (2025, October). “Senator Makes New Attempt to Extend Cyber Info-Sharing Law by 10 Years.” https://www.nextgov.com/cybersecurity/2025/10/senator-makes-new-attempt-extend-cyber-info-sharing-law-10-years/408713/

[12] Information Technology and Innovation Foundation. (2025, August). “Closing the Gaps in the Strengthening Cyber Resilience Act.” https://itif.org/publications/2025/08/11/closing-the-gaps-in-the-strengthening-cyber-resilience-act/

[13] U.S. Congress. (2025). “H.R.2659 – Strengthening Cyber Resilience Against State-Sponsored Threats Act.” Congress.gov. https://www.congress.gov/bill/119th-congress/house-bill/2659/text

[14] House Committee on Homeland Security. (2025, February). “Industry, Academic Leaders Unite Behind ‘Cyber PIVOTT Act.’” https://homeland.house.gov/2025/02/07/industry-academic-leaders-unite-behind-cyber-pivott-act/

[15] The White House. (2025, January). “FACT SHEET: New Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity.” https://bidenwhitehouse.archives.gov/briefing-room/statements-releases/2025/01/15/fact-sheet-new-executive-order-on-strengthening-and-promoting-innovation-in-the-nations-cybersecurity/

[16] CyberScoop. (2025, October). “Expired Protections, Exposed Networks: The Stakes of CISA’s Sunset.” https://cyberscoop.com/cybersecurity-information-sharing-act-expiration-date/

