Public-Private Cyberthreat Sharing at Risk Amid Shutdown, Experts Warn

The likely Tuesday midnight expiration of a mostly uncontroversial statute shielding companies from liability when sharing cyberthreat indicators has cyber defenders pondering how forcefully corporate counsel will react.
The Cybersecurity Information Sharing Act of 2015 – not to be confused with the federal cyber agency – will expire at 12:01 a.m. Wednesday, barring last-minute intervention from the U.S. Congress. Its lapse will take with it a decade-old liability shield that enabled companies to share threat indicators.
Corporate attorneys, CISOs and policy executives told Information Security Media Group the impact of losing CISA 2015 won’t be determined by technologists, but by fine print.
“The issue is – and always has been – lawyers,” said Megan Stifel, chief strategy officer for the Institute for Security and Technology and former White House director for international cyber policy. “Hopefully, companies will accept the increased legal risk and continue sharing anonymized information for cybersecurity purposes.”
The law established liability protections and antitrust exemptions allowing companies to share cyberthreat information with the federal government and each other, through the Department of Homeland Security.
It codified federal guidance supporting corporate threat intel sharing, some of it dating to 2014. But without statutory language spelling out liability protections, some companies may decide the risk is too great.
“We live in such a litigious society today, that the single biggest inhibitor is the fear of information shared being used against the firm in a class action lawsuit,” said Errol Weiss, chief security officer of the Health Information Sharing and Analysis Center.
He warned the law’s expiration could create “legal uncertainty and a chilling effect on voluntary sharing,” though groups like Health-ISAC are “expected to maintain the flow of critical threat intelligence sharing and collaboration across the global health sector.”
Scott Algeier, executive director of the IT-ISAC, which coordinates cyberthreat intelligence sharing across technology companies, also said his organization will continue to share information among members. But “even a short term lapse of the act can have a significant impact on what is shared, especially between industry and government,” he warned.
Other staffers across multiple ISACs said they expect information sharing to mostly continue as normal in the immediate days ahead. Should the lapse drag on, lingering questions about liability and compliance could start reshaping internal risk decisions and eventually dampen the volume and speed of exchanges, particularly among firms without longstanding relationships with the federal government.
“A short term blip could cause some temporary problems, but probably not big ones,” Michael Daniel, president and CEO of the Cyber Threat Alliance, said. “The real issue is if the lapse stretches into months and there’s no path forward for reauthorization.”
House Republicans tucked a short-term extension of CISA 2015 into a government funding bill, aiming to secure reauthorization through a continuing resolution – effectively tying the measure to the shutdown fight occurring in parallel with the threat intel bill's expiration. Tuesday is the last day of the federal fiscal year, meaning the federal government will commence shutdown operations on Wednesday without new funding. Senate Democrats say they won’t vote for a funding extension without limits on President Donald Trump’s ability to impound appropriations and a reversal of healthcare spending cuts enacted earlier this year (see: Shutdown Threat Puts Federal Cyber on Edge).
Even without a shutdown fight, the law faces difficulties in reauthorization largely due to Senate Homeland Security Chairman Rand Paul, R-Ky., who wants to enact new language that would bar the Cybersecurity and Infrastructure Security Agency from censoring online speech – an allegation Republicans have leveled against the agency since the 2020 election (see: Cyberthreat Law at Risk in Washington Spending Showdown).
Earlier this month, members of the House Homeland Security Committee unanimously advanced a bill reauthorizing the law for another decade, with new provisions authorizing one-time information sharing with artificial intelligence developers and critical infrastructure operators that don’t already participate in the program.