Shutdown Turns Focus to Cyber Information-Sharing Law

Experts are weighing what the expiration of the Cybersecurity Information Sharing Act of 2015 means for critical cybersecurity efforts across government agencies amid the government shutdown.

The law expired Wednesday amid the government shutdown after Congress failed to reauthorize it and pass a budget before the deadline.

Cyber leaders across government and industry had long stressed the importance of reauthorization for national cyber defense.

“The idea was to incentivize and facilitate information sharing between the public and private sectors — government and industry — but also to incentivize private to private information sharing,” Information Technology Industry Council’s Senior Vice President of Policy for Trust, Data and Technology and General Counsel GovCIO Media & Research. “[Letting CISA 15 lapse] would undermine this whole decade of progress of building these trusted information-sharing relationships.”

Sen. Gary Peters, ranking member of the Homeland Security and Governmental Affairs Committee, spoke on the Senate floor Tuesday, warning about the potential for cyber attacks without the law.

“If we don’t extend these critical authorities, we will lose one of our most effective defenses against cyberattacks, as our adversaries’ attacks continue to grow more aggressive and more sophisticated,” Peters said.

Mike Hamilton, former CISO of the city of Seattle, said that furloughed staff and the expiration of the law mean that vulnerabilities are more likely to be exploited by foreign adversaries.

“China starts scanning the internet for vulnerable exposures five minutes after a patch is announced. It’s a race every time now,” Hamilton told GovCIO Media & Research. “The scanner and the automated exploit is going to and they’re going to get popped, and because there’s no eyes on they’re not going to know that.”

How CISA Advanced Information Sharing

The law required the Department of Homeland Security (DHS) to establish a way for federal and non-federal entities to share and receive cyber threat information. After the law was enacted, the subsequent CISA Act of 2018 established the Cybersecurity and Infrastructure Security Agency (CISA) to lead cybersecurity and critical infrastructure security programs, operations and associated policy.

The cybersecurity agency then created the Joint Cyber Defense Collaborative (JCDC) to promote threat information sharing and reduce cyber risk by unifying public and private defense.

A DHS Office of Inspector General report last month found that CISA, the agency, met the requirements of the 2015 law by maintaining guidance for threat information sharing.

However, the report noted that CISA has not finalized plans for the continued use of Automated Indicator Sharing (AIS). DHS OIG’s report noted that without finalized plans for future AIS use, CISA may not have an automated process for sharing cyber threat information among its partners, including federal agencies and critical infrastructure.

“Without finalizing this plan, [the Cybersecurity and Infrastructure Security Agency] could be hindered in how it shares information on cyber threats, which would reduce its ability to protect the nation’s critical infrastructure from cyber threats,” the report said.

According to the report, the agency said “there are no immediate or long-term plans” to discontinue AIS efforts after CISA 15 sunsets. The agency added it would continue to modernize and evolve AIS for the federal government and its partners based on available appropriations.

Miller said in a May testimonial to Congress that the lapse of CISA 15 will cause all levels of government — from state, local, tribal and territorial governments to DHS, law enforcement and the intelligence community — to lose access to real-time visibility and advanced warnings through efforts like AIS and the JCDC.

“The work of the JCDC builds upon and evolves CISA 15,” he said in his testimony. “A public-private collaborative approach is essential to countering advanced persistent threat actors which are backed by nation-state resources, access to talent and technical capabilities. … The JCDC facilitates real-time sharing of threat alerts and coordinated operational collaboration and response planning among public and private partners.”

White House Calls for Increased Threat Intel Sharing

President Donald Trump and White House cyber officials have supported CISA 15 reauthorization efforts. National Cyber Director Sean Cairncross said he is working with Capitol Hill to keep the advantages and liability protections of CISA 15.

“We’ve made great progress in identifying, responding to and remedying threats, but we still lack strategic coherence and direction … it’s time to do something about it,” said Cairncross at the 2025 Billington Cybersecurity Summit last month.

He added that industry and government must uphold standards — like security and privacy by design — to streamline cyber regulations and reduce “compliance burden.”

Acting Federal CISO Michael Duffy echoed Cairncross’s call for increased collaboration around cyber threat information sharing. Duffy said the past 10 years of “sensible cyber policy” has accelerated the federal government’s cybersecurity posture and efforts need to focus on the next decade.

Pending Legislation on Information Sharing

Bills such as the Widespread Information Management for the Welfare of Infrastructure and Government Act (WIMWIG Act) introduced last month by House Homeland Security Committee Chairman Andrew Garbarino would enhance and extend CISA 15 until 2035. The bill’s updates account for emerging technologies like AI and preserves privacy protections, a committee aide told GovCIO Media & Research.

“Failing to ensure the relevance and efficacy of one of the federal government’s most foundational cybersecurity tools for the next decade would threaten not only our networks but also the security of the homeland,” Rep. Garbarino said in a press release.

The bill incorporates feedback from industry and federal leaders on the challenges within CISA 15 — like small- to medium-sized businesses’ ability to use cyber threat indicators and defensive measures effectively — and outlines solutions in the WIMWIG Act.

“Stakeholders from across industry sectors have endorsed this legislation because it preserves the essential privacy and liability protections in [CISA 15], clarifies the law’s language to better address the evolving threat landscape and ensures private-sector insight is properly captured,” said Garbarino.