The latest Senate deal to end the government shutdown included a continuing resolution bill to extend the Cybersecurity Information Sharing Act of 2015 through Jan. 30, 2026.Except for Sen. Rand Paul, R-Ky., who has raised free speech concerns, CISA 2015 has broad bi-partisan and security industry support — and even has the strong support of President Donald Trump.Security industry experts have long championed CISA 2015 as an important vehicle that encourages competitors to share information, plus it protects companies from liability.“The fact is that if people cannot share information without liability, they will not share information,” said Ira Winkler, vice president and Field CISO at CYE. “If it becomes a matter of everything you say can and will be used against you, organizations will not share information and this only supports the success of the bad actors. Patterns and countermeasures will be missed, and organizations will suffer.”Aaron Beardslee, manager of threat research at Securonix, explained that CISA 2015 created the framework for programs like the Joint Cyber Defense Collaborative and the Automated Indicator Sharing system, which by 2018 had facilitated the sharing of more than 5.4 million unclassified threat indicators among more than 219 non-federal participants.“Liability protections are crucial because they address multiple legal risks that would otherwise prevent companies from sharing critical threat intelligence,” said Beardslee. “Without CISA 2015's protections, companies face potential civil lawsuits for monitoring activities, antitrust violations for sharing information with competitors, FOIA disclosures that could expose sensitive security details to adversaries, and regulatory enforcement actions based on shared information.”Beardslee pointed out that CISA 2015 successes include the FBI providing guidance that prevented countless compromises and recovered losses, the Department of Justice securing indictments that disrupted cybercriminal organizations, and the Treasury Department's Office of Foreign Assets Control (OFAC) sanctioning foreign threat actors. CISA 2015 also allowed for the growth of private-sector collaboration through organizations like the Cyber Threat Alliance and facilitated information sharing between previously competing sectors like financial services and retail.“Before CISA 2015, such sharing risked antitrust violations, but the law created a legal ‘safe harbor’ that allowed industries to rapidly share defensive measures and react faster to emerging threats,” said Beardslee. “The peace of mind for organizations to share critical data rather than keeping it to themselves for fear of facing unknown or accidental legal repercussions is absolutely necessary to protect not only themselves, but the country as a whole.”Crystal Morin, senior cybersecurity strategist at Sysdig, added that at a time when attackers are increasingly leveraging AI and targeting global supply chains, it’s more important than ever that the U.S. has a robust information-sharing ecosystem. Morin said the reauthorization of CISA 2015 isn’t just another cyber policy: it’s the backbone of America’s cyber defense system.“Without updated legislation, the strong cyber defense ecosystem it has built will collapse,” said Morin. “Without CISA 2015, we can expect a substantial chilling effect on information sharing between the private and public sectors. Legal departments would likely counsel their security teams to scale back or halt sharing altogether, given the loss of liability protections and FOIA shields.”Morin maintained that this would result in a noticeable reduction in newly-reported indicators of compromise (IoCs). Instead of real-time information sharing, Morin said a lapse would likely cause more cautious, delayed, and limited exchanges, weakening the momentum that CISA built over the last eight years.Matt Warner, chief executive officer of Blumira, said CISA 2015 offers the legal framework that enables automated threat sharing between competitors and organizations who would never otherwise collaborate. Without liability protections, organizations face potential shareholder lawsuits for disclosing breaches, antitrust concerns for coordinating with competitors, and FOIA exposure that could reveal security postures to adversaries.“A highly-regulated organization cannot take on more risk unless they have a significant war chest to do so, and the increased liability increases risk,” said Warner. “Without these legal protections, many organizations will go without and live by ‘crossed fingers’ rather than a strong sharing plan.”
Governance, Risk and Compliance, Government Regulations, Threat Intelligence
Shutdown deal includes extension for CISA 2015 information-sharing law

(Adobe Stock)
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



