
A plea to Congress: Stop the partisan bickering and reauthorize the information sharing law!

Don't bet on Congress

COMMENTARY: Today, there’s at least one bipartisan consensus on Capitol Hill: The U.S. faces a clear and present danger from ongoing cyberattacks compromising its national security and private sector economy.

The situational awareness and collective action needed for effective cyber defense require robust, real-time threat information sharing between private enterprises and the federal government.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

The Protecting America from Cyber Threats Act, introduced Oct. 9 by Sens. Gary Peters, D-Mich., and Mike Rounds, R-S.D., aims to reauthorize and expand the Cybersecurity Information Sharing Act of 2015 (CISA 2015) for 10 more years, while retroactively protecting information shared during the law’s lapse period.

The bill modernizes legal protections for data sharing and clarifies roles to reduce confusion in the industry with the Cybersecurity and Infrastructure Security Agency (CISA).

Straight from the playbook of our adversaries

Four rogue nation-states — China, Russia, North Korea, and Iran — now routinely share cyber intelligence and best practices and even coordinate operations, mirroring their joint efforts in traditional military domains on missiles and drones. This hostile collaboration lets them conduct the most sophisticated cyberattacks, exploiting systemic weaknesses across U.S. and allied networks.

Recent campaigns such as Salt and Volt Typhoon demonstrate the growing scale of cyber intrusions, with Chinese actors penetrating important sectors including telecommunications and critical infrastructure. Worse, U.S. telecommunications enterprises have been compromised, and their infrastructures have reportedly been used to launch supply chain attacks on their customers.

The recently released Verizon Data Breach Investigations Report said there’s been a 100% increase in cyberattacks exploiting third-party vulnerabilities. The European Union recently stated that there's been a 200% increase in software supply chain attacks. Thirty-three percent of CEOs in the United Kingdom claim to have suffered a supply chain-enabled cyberattack.

CISOs and corporate risk officers need early warning to identify supply chain and other risks they may otherwise miss, especially with AI accelerating attack speed and scale. Without strategic information sharing, organizations risk becoming not only victims, but conduits for attackers to compromise their partners and customers. Even if an adversary has no utility for a single company’s infrastructure, they can and will sell that access through an access broker online or offer it to foreign intelligence services.

Reauthorizing the CISA 2015 law is critical for collective action in national cyber defense because it will let private organizations share threat intelligence — like malware signatures, vulnerabilities, and attacker tactics, techniques, and procedures (TTPs) — with CISA, fueling essential public-private collaboration. This partnership has prevented breaches and strengthened government responses to threats from hostile states and criminal actors.

No one company or agency can handle the scope of today’s threats alone. With most critical infrastructure being privately owned and a growing number of attacks exploiting technology supply chains, only information sharing can deliver the situational awareness necessary to wage what’s essentially a counterinsurgency in America’s own cyberspace.

America’s adversaries collaborate — and so must we. The Protecting America from Cyber Threats Act represents a small, but bright shining ray of bipartisan hope that the U.S. Congress can rise above the now all too commonplace partisan sound and fury of Washington, D.C.

However, it’s just one of many efforts to reauthorize the 2015 information sharing law.

The Senate on Oct. 9 passed its version of the fiscal 2026 National Defense Authorization Act (NDAA) without an amendment from Peters that would have reauthorized information sharing for another decade. Peters has attempted to secure the reauthorization through unanimous consent votes on the Senate floor, but each attempt has failed.

A separate reauthorization effort is proceeding in the House of Representatives under House Homeland Security Committee Chairman Andrew Garbarino, R-N.Y., and has similarly failed to insert the legislation into the House version of the fiscal 2026 NDAA.

However, Peters and Rounds have engaged with Senate leadership, including Majority Leader John Thune, R-S.D., to prioritize discussion and passage of the act. The new bill was placed on the Senate calendar (also on Oct. 9) in a procedural effort to pass it with 60 votes and send it to the House of Representatives.

However uncertain the timing, rare bipartisan support and broad industry backing give this measure a strong shot at passage in some form. As of today, the House is in recess until at least Oct. 20, but we are confident reauthorization will occur upon resolution of the federal government shutdown.

Thomas Kellermann, vice president, Cyber Risk, HITRUST
