
CISA Cybersecurity Law Expires as Reauthorization is Blocked in Senate


Ten years ago, Congress passed the Cybersecurity Information Sharing Act (CISA), an important piece of legislation that became crucial to how organizations in the private and public sectors work together to collectively defend themselves and the country against the increasing number and sophistication of cyberthreats.

That’s why over the past several months, cybersecurity pros across the country and a bipartisan chorus in Washington D.C., spoke of the need to reauthorize CISA before it expired at the end of the day September 30, an effort that failed to convince Senator Rand Paul (R-KY) to remove his block on the law’s renewal.

The sunsetting of CISA – which came amid the partial government shutdown created by Congress’s inability to work cohesively and the loss of funding for the State and Local Cybersecurity Grant Program (SLCGP), another important federal cybersecurity initiative – generated strong responses from the security community.

Cyberthreat Info Exchange

At its foundation, CISA allowed organizations and government agencies to easily exchange cyberthreat information. Organizations could already share such information – such as indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) – before the law was enacted in 2015.

However, there were concerns about liability and privacy tied to sharing cyberthreat information. The authorization and legal protections that CISA gave participating companies removed those concerns, allowing for more sharing of such information, which has been significant in enabling companies and agencies to protect themselves against increasingly sophisticated cyberthreats.

The 2015 measure also included a clause that it would need to be reauthorized in 10 years, in 2025.

“The Cybersecurity Information Sharing Act was never just policy,” said Adam Khan, vice president of global security operations at Barracuda Networks. “It was the foundation of trust that enabled private companies to share threat intelligence without fear of liability or antitrust repercussions.”

Cybersecurity Weakened

Rolling back the CISA protections “risks dismantling one of our most effective collective defense mechanisms: rapid, open intelligence sharing,” Khan said. “Without that legal framework, organizations will hesitate, signals will fragment, and adversaries will exploit the gaps, which will likely result in slower threat detection, less coordinated response, and increased exposure across the critical infrastructure our economy and society rely on.”

The expiration of CISA “poses a risk to the integrity and responsiveness of our national cyber defense,” said Louis Eichenbaum, federal CTO of cybersecurity firm ColorTokens. “CISA has been instrumental in enabling timely, liability-free sharing of threat intelligence between the federal government and private sector, especially critical in an era where AI-driven threats challenge not just data confidentiality but data integrity.”

The private sector and federal government risk losing visibility into emerging threats, Eichenbaum said. Interagency coordination is weakened, which is particularly dangerous given the string of recent high-profile breaches.

“Letting CISA lapse would undermine years of progress and leave dangerous gaps in our ability to respond to breaches and vulnerabilities swiftly and effectively,” he said.

Stubborn Resistance

The possible sunsetting of CISA started coming into sharper focus in recent months, with Senator Paul saying he would block its reauthorization unless new language was included that removed the liability protections for companies that suffered a cyberattack as a result of violations of their user agreements and privacy policies.

Paul, chair of the Senate Homeland Security Committee, also wanted the reauthorized legislation to ban the U.S. Cybersecurity and Infrastructure Security Agency (CISA) from combating disinformation.

Annie Fixler, senior fellow at the Foundation for Defense of Democracies (FDD) and director of its Center on Cyber and Technology Innovation (CCTI), criticized Paul’s stance, calling the fixation on CISA – the agency – and disinformation “an unrelated but pet issue for the chairman.”

Still, just before time expired on the legislation, the senator continued to refuse to lift the block, calling vocal opposition to his stance a “bunch of fake outrage,” according to political news site Punchbowl News.

'Negative Consequences'

Meanwhile, Matthieu Chan Tsin, senior vice president for resiliency services at Cowbell, a cyber insurance provider for SMBs, said CISA fostered crucial information sharing, let U.S. agencies learn about cyber incidents that harm private-sector entities, and gave companies access to government resources and information that otherwise would cost too much for many private companies to afford.

“Without CISA, there would be a multitude of negative consequences for SMBs in particular, especially because they rely on cybersecurity vendors who depend on government threat intelligence sharing to keep their detection systems up-to-date,” Tsin said. “Given that cybersecurity is relatively new, compared to most other types of risks, dismantling these collaborative frameworks would be counterproductive when cooperation is more critical than ever.”

Jeffrey Burt

Jeffrey Burt has been a journalist for almost 40 years, moving from general-circulation newspapers to IT news sites in 2000. He’s an expert analyst and writer on cybersecurity, data center infrastructure, AI, and a host of other subjects for a range of organizations, including CyberRisk Alliance, eWEEK, Techstrong Group, The Next Platform, and The Register.
