Expiration of Cyber Law Could Weaken National Security

The Cybersecurity Information Sharing Act of 2015 (CISA 2015) is set to expire on September 30, 2025. Originally passed with broad bipartisan support, the law established a legal foundation that made it easier for federal agencies and private companies to exchange cyber threat information. It offered protections from liability and antitrust violations, which helped remove key obstacles to cooperation.

Over the past decade, this framework has enabled faster detection, response, and mitigation efforts by allowing participants to share real-time threat indicators without legal risk or regulatory uncertainty.

Now, with its expiration date approaching, the stability of that system is in doubt.

Without reauthorization, the legal protections that have encouraged this level of transparency and coordination will disappear. In their absence, many organizations may become hesitant to report the kinds of technical indicators that allow others to prepare or respond.

This could slow the flow of information just as attacks are becoming more sophisticated and widespread, weakening the systems that currently allow threat data to move quickly between sectors.

Why It Matters: CISA 2015 provides the legal and procedural structure for real-time sharing of threat data between the government and private sector. Its expiration would make participation riskier and limit access to intelligence that helps prevent attacks before they spread.

• Legal Protections Enabled Open Exchange: CISA 2015 gives companies the ability to share information without fear of lawsuits or antitrust violations. These protections made it easier for organizations to report observed threats, support investigations, and help others prepare. Without these safeguards, organizations may hesitate to disclose incidents or indicators, even when doing so could prevent wider harm.

• Automated Sharing Would Be Undermined: The law supports the Automated Indicator Sharing (AIS) program, which distributes technical threat indicators such as malicious domains or malware signatures. These alerts are sent directly to participating systems in real time. If CISA 2015 expires, participation in AIS may drop, and the volume of shared intelligence may fall, making the system less reliable.

• Small Businesses Stand to Lose the Most: Many small and mid-sized companies depend on shared threat information because they cannot afford their own threat intelligence operations. These businesses already face high average losses from ransomware and have limited ability to recover from disruptions. CISA 2015 has helped level the field by giving them access to data that larger firms also use to defend their systems.

• Disruption Risks Extend to Public Safety: Sectors like healthcare and transportation rely on up-to-date threat information to prevent service interruptions. Hospitals under ransomware lockdown have had to delay emergency care. Attacks on infrastructure can slow the delivery of fuel or medical supplies. Without shared data, these systems lose visibility into threats that may already be active.

• Lawmakers Face a Policy Decision: Congress could reauthorize the act without changes, extending its protections and continuing current practices. Others argue for reform to reflect newer risks, including attacks on operational technology and artificial intelligence. There is also growing interest in whether some organizations should be required to share threat data, rather than continuing with a fully voluntary model.

Go Deeper -> Former FBI cyber leader: The cybersecurity law that’s quietly keeping America safe is about to expire – Fortune

The Cybersecurity Information Sharing Act of 2015: Expiring Provisions – Congress.gov