A Key Cybersecurity Law Has Lapsed, Leaving US Networks More Exposed The stability of the United States is looking increasingly shaky, and a new critical failure has just been added to the list. A crucial cyber defense law, the Cybersecurity Information Sharing Act of 2015, known as CISA 2015, has officially expired. With the government shut down and this law now out of commission, the nation’s vital computer networks are more exposed to cyber threats for an indefinite period. CISA 2015 is designed to promote the sharing of cyber threat information between private companies and the public sector. It provides critical legal protections that encourage companies, who might otherwise hesitate due to liability concerns, to share vital data about attacks and vulnerabilities. A coalition of industry groups recently described the law as promoting cyber threat information sharing within a secure policy and legal framework. The core function of the law is to shield companies from various legal risks. These protections include immunity from antitrust liability, regulatory enforcement actions, private lawsuits, and public records requests. Without these safeguards in place, the process of sharing threat intelligence becomes far more complex and legally fraught. Experts warn that information sharing will slow down significantly as more lawyers get involved in negotiating new agreements. This delay creates a window of opportunity for adversaries like Russia and China to conduct cyberattacks with a lower risk of detection. Before the government shutdown, there was broad support for renewing the law from the private sector, the Trump administration, and bipartisan members of Congress. However, the path to reauthorization was blocked by Senator Rand Paul, the chairman of the Senate Homeland Security Committee. Senator Paul objected to reauthorizing the law without attaching controversial changes, notably language that would have limited the government’s ability to combat misinformation and disinformation online. After facing a backlash from his peers, he canceled his planned revision of the bill. His committee subsequently failed to approve any version before the law’s expiration date. In the House of Representatives, Republicans included a short-term renewal of CISA 2015 in their proposed government funding bill. But Democrats, whose support was necessary for passage, refused to support this Continuing Resolution for unrelated reasons. They are demanding an extension of Affordable Care Act premium tax credits, which are set to expire at the end of the year. Without an extension, health insurance premiums are expected to rise dramatically for many Americans. The expiration of this key cybersecurity law has raised alarms within the industry. A coalition of business groups warned Congress that letting CISA 2015 lapse would lead to a more complex and dangerous security environment. They explained that sharing information about cyber threats and incidents makes it harder for attackers because it allows defenders to learn what to watch for and prioritize their responses. As a result of this shared knowledge, attackers are forced to invest more in developing new tools or to seek out different, less-informed victims. With this collaborative mechanism now weakened, the United States has entered a more perilous phase in cyberspace.
