CISA is dead. Long live CISA?

The Cybersecurity Information Sharing Act (CISA) of 2015 expired January 30, 2026. Whether that means anything is debatable.

The 10-year-old act facilitates sharing cyber threat information between the government and private sector organizations. Many security experts are unimpressed by how the act performed. Chaim Mazal, Chief AI and Security Officer at Gigamon, said it wasn’t a two-way street: most of the sharing was done by private companies, and little data was shared by the government. As a result, participation in the program cratered in the last two years.

“Allowing the law to lapse gives us the opportunity to reinvigorate the bidirectional transfer of information,” he predicted.

Prospects for Revival

There’s a chance for revival, but how is murky. Senators Gary Peters (D-Mich.) and Mike Rounds (R-S.D.) have proposed a clean 10-year extension, and the White House supports that legislation. There is also industry support from tech companies, cybersecurity organizations, and critical infrastructure sectors that rely on the liability protections for sharing threat information.

But Senate Homeland Security Committee Chairman Rand Paul (R-Ky.) opposes moving forward with such legislation for confusing reasons. Paul claims the Cybersecurity and Infrastructure Security Agency infringed on free speech by working with Stanford University to identify and label election and vaccine disinformation. Cyber experts counter that reauthorizing the CISA law has nothing to do with the agency’s work on disinformation. The cyber agency does, however, rely on the law to undergird its collaboration with industry on cyber threats.

Undeterred by facts, Paul pledged to oppose any efforts to reauthorize the law unless it prohibits the Cybersecurity and Infrastructure Security Agency from working on future disinformation efforts.

Paul’s Free Speech Protection Act would prohibit federal employees from using their positions to censor constitutionally protected speech, with severe mandatory penalties for violations. At issue here, though, is not censorship, which involves blocking content, but labeling it.

Supporters of the act say that without CISA 2015’s protections, companies face greater legal uncertainty, potential FOIA exposure, and liability risks when sharing cyber threat information with government and other private entities. This could chill the information sharing that’s critical to collective cybersecurity defense. Critics, on the other hand, say the act is somewhat toothless because, while it facilitated sharing, it did not mandate it.


Declining participation

A Department of Justice audit found that use of Automated Indicator Sharing (AIS), the mechanism the act set up to do the sharing, dropped from 304 participants in 2020 to just 135 in 2022. The sharing of cyber threat indicators through AIS declined by 93 percent from 2020 to 2022. That’s a dramatic collapse in the system’s primary mechanism.

The audit’s conclusion was damning: insufficient participation in AIS along with the reduction in threat indicators has impeded CISA’s ability to facilitate real-time sharing, creating information silos and gaps that make it difficult to identify and address new cyber threats.

When the act was first approved, security expert Patrick Eddington said existing cyber information sharing arrangements were effective: “DHS’s Computer Emergency Readiness Team has been in this business for the better part of a decade. Anybody can sign up for their alerts. I get them daily. None of CISA’s proponents explain how DHS-CERT is so deficient in its mission that yet another ‘information portal’ needs to be created within DHS to facilitate the kind of information sharing envisaged by the bill.”

Why It Still Matters

Experts, including critics like Mazal, consider it a necessary, although insufficient, step towards sustainable collective cyber defense. The law doesn’t stop attacks directly. It creates the legal framework for sharing to happen at all: it is foundational for cyber defense, not a complete solution, and it removed legal barriers (liability, antitrust concerns, FOIA exposure) that previously prevented companies from sharing even basic threat data.

Now, as a matter of policy, company lawyers must approve what potential threat information a company shares.

In this case, a weak law is better than none at all.

Lou Covey

Lou Covey is the Chief Editor for Cyber Protection Magazine. In 50 years as a journalist he has covered American politics, education, religious history, women’s fashion, music, marketing technology, renewable energy, semiconductors, and avionics. He is currently focused on cybersecurity and artificial intelligence. He published a book on renewable energy policy in 2020 and is writing a second one on technology aptitude. He hosts the Crucial Tech podcast.
