Cyberthreat Sharing Law Expires as Shutdown Stalls Congress, Raising Security Fears
As Washington grapples with yet another government shutdown, one of America’s most important cyber defenses has quietly lapsed. The Cybersecurity and Information Sharing Act (CISA) of 2015, a landmark law that for a decade allowed private companies to share threat data with the federal government under legal protections, expired Wednesday when lawmakers failed to renew it.
The timing could not be worse. Cyberattacks targeting U.S. companies, government agencies, and even political campaigns are intensifying. Yet, without CISA, experts warn that businesses may be far less willing to share critical threat intelligence with federal agencies—leaving the country more vulnerable.
What the Law Did
Passed in 2015 with bipartisan support, CISA offered legal safe harbors for companies that shared cyberthreat information. Firms were protected from:
- Liability lawsuits for monitoring their systems or providing data to the government.
- Antitrust claims for collaborating with other businesses on cybersecurity.
- Freedom of Information Act (FOIA) exposure, shielding sensitive data from public release.
For many organizations, those protections made the difference between choosing to share or staying silent. “This law has protected our economy, it has protected our infrastructure, and it has protected our government for more than a decade,” said Sen. Gary Peters (D-Mich.), who led efforts to extend it.
Political Deadlock
Peters and Sen. Mike Rounds (R-S.D.) introduced a bipartisan bill in April to extend CISA for another 10 years. But disagreements—particularly from Senate Homeland Security Chair Rand Paul (R-Ky.), who sought changes—stalled progress.
When Congress moved to pass a stopgap bill to avoid a government shutdown, a short-term extension of CISA was included. That measure cleared the House but failed in the Senate amid partisan fights over government funding.
“This is essentially one of our most effective defenses against cyberattacks,” Peters warned, pointing the finger at Paul as the obstacle. But with both Democratic and Republican proposals to reopen the government failing this week, CISA lapsed along with other programs.
What Happens Without It
Companies can still voluntarily share data with federal agencies, but without legal protections, they face new risks. David Kennedy, founder of security firm TrustedSec, fears the lapse will have a chilling effect:
“The major concern here is that companies will share much less data because those liability shields are gone. It could fracture relationships that have been built over the past 10 years.”
Decisions that once sat with security teams may now shift to lawyers. Amy Shuart of Business Roundtable noted that without liability and antitrust exemptions, “general counsel is going to have to weigh every disclosure,” slowing down the flow of information.
Attorney Andrew Grosso, who advises on cybersecurity policy, added that in America’s “very litigious society,” companies may avoid sharing altogether. “If someone claims they were harmed by a disclosure, a company could be sued or see its reputation damaged,” he explained.
The real-world consequence, experts say, is that smaller businesses and organizations with weaker defenses may be left blind to emerging threats if larger firms stop sharing intelligence.
Rising Threats
The lapse comes as cyber threats escalate. Chinese-linked hackers known as Salt Typhoon infiltrated nine U.S. telecom companies in 2024 and even tapped campaign-related communications involving Donald Trump and Kamala Harris, officials say. The same group also breached a state National Guard network. Meanwhile, Iranian hackers tied to the Revolutionary Guard were indicted for intrusions targeting the Trump campaign.
“With a cyberattack, time matters,” Shuart stressed. “It’s critical to have that information flowing as quickly as possible.”
What Comes Next
Senate leaders John Thune (R-S.D.) and Chuck Schumer (D-N.Y.) have scheduled additional votes on competing shutdown measures. But with Yom Kippur recess approaching and little sign of compromise, the deadlock may drag on—keeping CISA offline.
For now, the responsibility for information sharing rests in a legal gray zone, with businesses weighing the risks of transparency against the potential fallout of silence. As Kennedy put it:
“The best defense is knowing what your adversaries are doing. Without that open pipeline, we’re fighting blind.”
