
Restoring America’s Cyber Shield: Why CISA 2015 Must Be Reenacted Now

The United States faces a cybersecurity crisis: not from foreign actors, but from internal political deadlock that has dismantled one of its most effective defense tools. The Cybersecurity Information Sharing Act of 2015 (CISA 2015) became a bargaining chip in government shutdown negotiations. Not reauthorizing this piece of legislation leaves businesses and government agencies increasingly vulnerable to cyber threats.

CISA 2015 was celebrated as the “single most successful piece of cybersecurity legislation” for good reason. It established a legal framework that allowed private companies, which oversee 85 percent of America’s critical infrastructure, to share cyber threat intelligence with the government and each other without legal risks. This bipartisan achievement took years to build but was undone overnight by political gamesmanship. The foundation of trust has eroded, and quickly restoring the law is the best way to rebuild that foundation before it’s too late.


The law’s expiration has led to an estimated 80 percent decrease in threat intelligence sharing. This breakdown in information sharing has left our nation’s collective cyber defense system vulnerable at the worst possible time.

Without CISA 2015, companies working to safeguard America’s digital infrastructure face a dilemma: share vital threat information and risk serious legal repercussions or remain silent and leave the nation exposed.

Liability Shield Disappeared: The primary concern for corporations is losing their liability shield, which has led to a halt in threat sharing. Without CISA 2015 and its liability protection, companies that monitor their networks for threats and share suspicious activity could face legal pushback. For example, consider a bank that detects unusual network activity that might indicate a larger attack on the financial sector. Without liability protection, sharing this information could result in legal actions alleging privacy violations or negligent disclosure of customer data.

Antitrust Concerns Restrict Collaboration: In cybersecurity, competitors must collaborate against common threats. However, without CISA 2015’s clear antitrust exemption, companies sharing cyber defense information risk violating federal antitrust laws. For instance, when JPMorgan Chase seeks to alert Bank of America about a sophisticated attack pattern, laws intended to prevent price-fixing could be seen as hindering this essential security cooperation. The result? Attackers can target each company individually, knowing they cannot legally coordinate their defenses.

FOIA Exposure Risks and Competitive Edge: The Freedom of Information Act (FOIA) is crucial for promoting government transparency; however, it can create issues when sharing cybersecurity threats. Without the CISA 2015 FOIA exemption, proprietary threat intelligence shared with the government might be publicly disclosed. Companies worry that their security vulnerabilities, network designs, or defensive strategies could be exposed through FOIA requests, ironically increasing the risk of the very attacks they aim to prevent. This concern is especially urgent for companies in competitive industries where security practices provide a market advantage.

Regulatory Weaponization Fosters Distrust: Companies fear that cybersecurity information shared in good faith could be turned against them in unrelated regulatory actions. Without the law’s ban on regulatory use, a company reporting a breach to help others defend against similar attacks might find that information used against it in a United States Securities and Exchange Commission investigation, a Federal Trade Commission action, or a US Environmental Protection Agency enforcement proceeding. This fear has created a toxic environment where companies view information sharing not as a patriotic duty but as a corporate risk.

While corporations grapple with legal risks, CISA the agency, our nation’s cyber defense coordinator, operates in an information vacuum. This creates a strategic cost to national security. The agency, tasked with protecting critical infrastructure from cyberattacks, is now cut off from the essential information it needs to fulfill its mission. Real-time threat indicators from private sector victims no longer reach government defenders, creating dangerous blind spots that sophisticated adversaries are likely exploiting.

This marks a strategic win for our opponents due to our own political chaos. Foreign intelligence agencies must be amazed at how effectively we’ve dismantled our own cyber early warning system, something they could have never achieved alone.

Congress should immediately reauthorize CISA 2015. Every delay widens our vulnerability window and makes eventual recovery more difficult. Even after reauthorization, rebuilding the trust and technical infrastructure for threat sharing will take months or years.

The confusion between CISA the law and CISA the agency’s controversial content moderation activities must end. These are entirely separate issues. CISA 2015 concentrates solely on technical threat data—such as malware signatures, suspicious IP addresses, and attack patterns—not on social media content or political speech. Using critical cybersecurity infrastructure as leverage over unrelated agency actions is a dangerous tactic that makes every American more vulnerable to cyberattacks.

The cost of continued inaction leads to real vulnerabilities that threaten our economic prosperity and national security. Congress must immediately restore the legal protections of CISA 2015 before a catastrophic cyberattack reminds us why we built these defenses in the first place.

The post Restoring America’s Cyber Shield: Why CISA 2015 Must Be Reenacted Now appeared first on American Enterprise Institute – AEI.
