The Cybersecurity Information Sharing Act (CISA) of 2015 is arguably the most successful cybersecurity legislation ever enacted. It uses market incentives (liability protection) to incentivize critical information sharing between industry and the government. It is currently scheduled to expire in three months. Disabling our most fundamental cybersecurity mechanism would take place at a time of unprecedented and expanding cyber threats. Not only should the Act be reauthorized, but it also needs to be modernized. Anyone remotely familiar with cybersecurity realizes that the threat picture has only grown in both form and impact over the last ten years.
For example, as the CrowdStrike incident of 2024 demonstrates, we now have a risk of systemic cyber events that have nothing to do with cyberattacks. The system’s increasing complexity has generated multiple single points of failure based on extensive market penetration of essential products. These single points of failure are massive threat indicators not covered by the 2015 Act. The same incentive structure as the 2015 Act that applies to traditional threat indicators must be expanded to keep pace with the 2025 version of cyber threats.
Earlier this year, the Congressional Research Service noted that failure to reauthorize the Act would result in losing essential legal shields for cybersecurity information sharing. Not only would it throw our most basic cybersecurity programs into disarray, but it could also signal to our adversaries that we are stepping back on our cyber defenses and encourage increased aggression against the US government, our allies, and critical infrastructure. The raw statistics illustrate how necessary and effective CISA 2015 has been. In 2017, DHS shared information on 673 specific threats. By last year, that number grew to 5.4 million. This critical information is not only shared between the industry and the federal government. DHS currently uses this process to share information with over 100 international cyber defense organizations. As we have seen increasingly this year — even in the past few days — sharing cyber defense information is an essential tool that is not just confined to technical data but has real-world and physical implications for national and international security.
The IT Sector Coordinating Council will hold an open briefing for Members of Congress and staff this Wednesday at noon in Cannon 401 to help illuminate the need to reauthorize the 2015 Act. However, this issue is not limited to the IT sector. The liability protections that enable secure information sharing among trusted government providers benefit all critical infrastructure sectors, strengthening the resilience of the entire cybersecurity supply chain.
There is no substantive reason not to reauthorize and modernize the 2015 Act, but Congress is running out of time—in a real sense, we all are.
