The shutdown of the U.S. government has created a lapse in the information-sharing activities outlined in the Cybersecurity Information Sharing Act of 2015 — best known as CISA 2015 — which expired as of midnight Wednesday.CISA 2015 created a climate for the voluntary sharing of information between private companies and the federal government. Most notably, it contains legal protections such as antitrust exemptions and immunity from prosecution in certain legal cases to encourage industry participation.The security industry has been lobbying Congress hard for several months to reauthorize CISA 2015.Rep. Andrew Garbarino, D-N.Y., chairman of the House Committee on Homeland Security, has been a big supporter of CISA 2015, and by a wide margin on Sept. 2, the House committee approved a reauthorization, which would extend CISA 2015 for another 10 years.However, industry pros are now concerned that too much of a lapse in the day-in, day-out activities defined in CISA 2015 could open up the nation to a wave of cyberattacks.“The expiration of CISA’s authorities raises serious concerns about our ability to maintain a unified and effective cybersecurity posture,” said Gary Barlet, public sector CTO at Illumio. “CISA 2015 has played a crucial role in fusing disparate threat intelligence feeds and coordinating efforts across agencies and sectors. Without a clear plan to renew or responsibly reassign these capabilities, we risk fragmenting our defenses at a time when adversaries are becoming more opportunistic and sophisticated.”Cynthia Kaiser, senior vice president of Halcyon’s Ransomware Research Center, added that the company intends to continue information sharing for now as though the protections of CISA 2015 are still in place, in good faith anticipation of some sort of renewal.“We hope other industry partners will similarly continue their sharing posture to ensure collective protection,” said Kaiser. “Our hope is that a renewal of CISA 2015 — whether or not the name of the statute stays the same — will be part of a bill to reopen the federal government.”Kaiser explained that this might mean a clean reauthorization to start, to give Congress time to make positive edits. It could also mean a version that includes common-sense edits, possibly ranging from clarifying the law's liability and privilege protections, to protecting the civil liberties of people whose data may be shared under the law — to clarifying which federal agencies are accountable for receiving and actioning the information reported to the U.S. government under the law.“A clean reauthorization of CISA 2015 ... is the only way to ensure continuity in public-private threat sharing, protect our nation’s infrastructure, and support the secure development and deployment of AI models that benefit society,” said Ilona Cohen, chief legal and policy officer at HackerOne, who wrote an SC Media Perspectives column on CISA 2015 in mid-September, as the threat of a shutdown loomed.Noelle Murata, senior security engineer at Xcape, Inc., warned that CISA 2015 has been essential for sharing information between the public and private sectors, and its absence leaves organizations vulnerable.“The act facilitated the real-time sharing of threat intelligence between the government and private entities, a vital tool against nation-state attacks and ransomware,” Murata said.Equally concerning, said Murata, is the potential pause in the State and Local Cybersecurity Grant Program (SLCGP) as a result of the shutdown. Murata explained that these grants were created to help smaller communities strengthen their defenses for critical infrastructure, such as utilities, hospitals, and local government services.“The grants often determined whether a water system could implement basic protections or remain susceptible to ransomware,” said Murata. “Additionally, this pause ushers in a state of uncertainty around the future of such programs being funded in the future.”Much of the concern around the SLCGP stems from the Trump administration’s change in direction this past March.The Cybersecurity and Infrastructure Security Agency’s (CISA’s) new model for administering the grants ended the government’s agreement with the Center for Internet Security (CIS) and MS-ISAC, the multi-state information sharing organization. CISA’s new model places more responsibility on state, local, tribal, and territorial (SLTTs) government to handle the load — and many are not equipped to do so.“With the SLCGP [in limbo], recipients face a funding shortfall that will disrupt security road maps, push small IT teams to defer upgrades, and risk lapses in monitoring and response,” said Jason Soroko, senior fellow at Sectigo. “Contracts for managed detection, endpoint licenses, and vulnerability scanning may expire without renewal, forcing agencies to scale back coverage or absorb costs with already tight budgets. Multiyear projects like network segmentation, zero trust pilots, multifactor expansion, and backup modernization could stall, creating unfinished work that increases exposure at the most fragile points of water systems hospitals schools 911 centers and local utilities.”
Governance, Risk and Compliance, Critical Infrastructure Security, Ransomware, Government Regulations
Information sharing under CISA 2015 in limbo after government shuts down

(Adobe Stock)
An In-Depth Guide to Ransomware
Get essential knowledge and practical strategies to protect your organization from ransomware attacks.
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



