A key law that helps the federal government guard against cyber threats to U.S. critical systems expired as the government shut down on Wednesday, partially blinding Washington to attacks from adversaries that are only growing more sophisticated and persistent.
The Cybersecurity Information Sharing Act has been a pillar of the nation’s cyber defenses since it was signed into law in 2015, providing legal protections for organizations to share cyber intelligence with the federal government and each other.
Without it, the private sector — which controls the vast majority of U.S. critical networks like electrical grids, transportation systems and communication services — is less likely to swap vital information, for fear of being exposed to legal risks.
“We are without this critical line of defense,” Sen. Gary Peters (D-Mich.), ranking member of the Senate Homeland Security Committee, said on the Senate floor Wednesday while trying — and failing — to force a vote on the law’s reauthorization. “Every hour we delay is an open invitation to cybercriminals and hostile actors to attack our economy and our critical infrastructure.”
While the law, commonly referred to as CISA 2015, had overwhelming support from the private sector, from members of Congress and from within the Trump administration, lawmakers could not agree on the terms of its reauthorization. Several bipartisan efforts to prevent CISA 2015 from lapsing were introduced in both the House and Senate in the weeks leading up to the shutdown, but congressional Republicans and Democrats failed to resolve their differences in time.
Sen. Mike Rounds (R-S.D.), chair of the Senate Armed Services Committee’s cyber subcommittee, said Wednesday that the law’s expiration “will dry up the sharing of information at a time in which we don’t need our adversaries to have another opportunity to mess with our cyber systems.”
Data shared under CISA 2015 provides an essential tool for the federal government to understand how hackers are plotting attacks against the nation’s networks, which have been relentlessly targeted by Chinese, Russian, North Korean and Iranian operatives in recent years.
One such Chinese campaign, known as Volt Typhoon, was exposed in 2023 thanks in part to information from critical infrastructure and private sector cybersecurity groups. Without this open collaboration, understanding how Chinese hackers were able to burrow inside U.S. networks for years without detection — and better protecting networks from future attacks — would likely be far more challenging.
Another Chinese effort dubbed Salt Typhoon, first disclosed last year, would have been nearly impossible to track without industry data, as it involved hackers compromising wide swaths of privately owned U.S. telecommunications infrastructure.
“It’s really providing those indicators that can give the government and industry the wherewithal to see broader patterns if something is more strategically afoot,” said Frank Cilluffo, director of Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security.
As lawmakers continue to squabble over a deal to fund the government and possibly revive CISA 2015, cybersecurity firms are unsure whether to share threat intelligence with the federal government — slowing down the spread of vital information for cyber defenders.
John Miller, senior vice president and general counsel at the Information Technology Industry Council, which represents some of the world’s largest IT and cybersecurity companies, warned that without CISA 2015’s protections, key data might not get passed along. These protections include exemptions for private companies from federal antitrust laws and disclosure laws such as the Freedom of Information Act.
“Even if the immediate impacts are limited to companies and their lawyers … those seemingly minor impacts will provide additional holes in U.S. cyber defenses that adversaries will be more than happy to exploit,” Miller said.
Despite the potential risks, some leading private cybersecurity organizations have pledged to continue sharing threat information — for now. Cynthia Kaiser, senior vice president at cybersecurity group Halcyon and former deputy director of the FBI’s Cyber Division, said Wednesday that Halcyon “intends to continue information sharing for now as though the protections of CISA 2015 are still in place,” stressing that she hopes other industry partners will do the same.
Drew Bagley, vice president and counsel at cybersecurity group CrowdStrike, confirmed Wednesday that the company “will continue to deliver operationalized threat intelligence at scale and speed.”
But elsewhere, uncertainty grows. Daniel Kroese, vice president of Public Policy and Government Affairs at cybersecurity company Palo Alto Networks, said his organization “remains committed to public-private partnership activity,” but did not specify whether it would keep sharing threat data with others.
Thomas Gann, chief public policy officer at cybersecurity company Trellix, declined to comment on whether the firm would continue sharing intel with the government, but said the company was “concerned” about the impact of CISA 2015 expiring.
Spokespersons for other leading cybersecurity companies, including Google and Microsoft, declined to comment. A spokesperson for cybersecurity group Recorded Future did not respond to a request for comment.
There is some hope that Republicans and Democrats will reach a compromise on federal funding soon and move swiftly to extend CISA 2015. But they still need to iron out exactly what that extension should look like.
The House Homeland Security Committee unanimously approved a draft bill authored by committee Chair Andrew Garbarino (R-N.Y.) last month that would have made minor changes to the text around artificial intelligence and extended the law for a decade — a version that was included in the House-passed continuing resolution to keep government funds flowing in the short-term. There was also support in the Senate for a separate bill that would have extended the original law by a decade and made no other changes.
Meanwhile, Sen. Rand Paul (R-Ky.), chair of the Senate Homeland Security Committee, drafted his own version of a CISA 2015 reauthorization, which would strip out some of the core liability protections the private sector relies on for threat sharing, and only extend the law for two years. Paul canceled a planned markup of the bill after it was met with backlash from fellow panel members, and his committee did not approve any version of a reauthorization before it lapsed.
Ahead of the shutdown, Paul blamed Democrats for CISA 2015 expiring, arguing that they should have voted for the House-passed continuing resolution if they wanted to keep the law in effect. Peters and other Democrats hit back.
“These actions risk making our nation less safe,” Peters told Paul during a committee hearing Tuesday morning. “This committee should not simply walk away from its responsibilities to actually be a leader in critical homeland security matters.”
A spokesperson for the Cybersecurity and Infrastructure Security Agency, the nation’s top cyber defense agency, told POLITICO in a statement that the law’s lapse is “a serious blow” to federal cyber defenders, adding that the agency “deserve[s] both the tools and the support to meet growing threats.”
Concerns are also growing that adversaries like Russia and China are waiting to strike, as the federal government’s ability to respond to threats has been weakened.
“It is a window of vulnerability, and it has the potential to make a bad situation worse,” Cilluffo said.