CISA 2015 Expires in 2025 — What it Means for U.S. Cybersecurity
The Cybersecurity Information Sharing Act of 2015 (CISA 2015) has lapsed. This law provided legal protections to companies that share cyber threat indicators with federal agencies, shielding them from antitrust liability, regulatory enforcement, private lawsuits and FOIA disclosures. With the law expired, private–public information sharing could slow or become more legally complex — a win for attackers who rely on speed and secrecy.
Why it matters
Defenders rely on shared indicators and incident reports to detect and prioritize threats. Industry groups warned Congress that without CISA 2015, the security landscape becomes “more complex and dangerous.” Slower sharing means defenders have less context and time to respond to sophisticated actors, including nation-states and criminal gangs.
Political roadblocks
Renewal efforts faced bipartisan support from industry and parts of government, but stalled over political disagreements. Senator Rand Paul raised objections tied to changes he wanted, including limits on agencies’ ability to counter misinformation and disinformation; the Senate Homeland Security Committee did not approve a revised bill before the deadline. Funding fights in the House and Senate — including negotiations tied to a continuing resolution and Affordable Care Act tax-credit extensions — also complicated a clean reauthorization.
Industry reaction
Coalitions representing critical infrastructure sectors, including utilities, urged lawmakers to restore or update CISA to preserve information-sharing pathways that are essential for protecting the electric grid and other systems. NERC’s statement emphasized the law’s importance for the electricity sector.
Sources & further reading
- NERC statement on CISA 2015
- Analysis: CISA 2015 Reauthorization — Are Changes on the Horizon?
- Engadget: Congress let a key cybersecurity law expire — networks more vulnerable
- Background: Cybersecurity Information Sharing Act (Wikipedia)
Question for readers: Do you trust Congress to act quickly to restore protections for information sharing — or should private industry build alternatives? Leave your thoughts below.