Cybersecurity Information Sharing Law Expires Amid Government Shutdown

The Cybersecurity Information Sharing Act (CISA) expired on Wednesday, marking a significant shift in the cybersecurity landscape as the federal government shutdown removed the legal safeguards that had been in place since 2015. This expiration has left private sector companies in charge of U.S. critical infrastructure without the necessary protections to share cyber threat intelligence with federal agencies. Without these protections, these companies now face potential legal risks if they attempt to share information about cyber threats, a situation that could leave them vulnerable to attacks and cybercriminal activity. Senator Gary Peters, who has been vocal about the issue, criticized the lapse in the law as an ‘open invitation’ to cybercriminals and hostile actors to target the U.S. economy and its critical infrastructure. His comments underscore the growing concern among lawmakers about the implications of CISA’s expiration.

CISA had been instrumental in enabling the sharing of intelligence that helped uncover significant cyber operations. For instance, it allowed for the exposure of the Chinese campaigns known as Volt Typhoon in 2023 and Salt Typhoon last year. These operations demonstrated the extent to which cyber threats can target U.S. infrastructure and the importance of information sharing in countering such threats. Despite the law’s expiration, several cybersecurity firms have vowed to continue the sharing of threat data. Halcyon and CrowdStrike have confirmed their commitment to maintaining information sharing, while Palo Alto Networks has expressed its continued support for public-private partnerships, though it has not yet specified whether it will continue to share threat data. This uncertainty highlights the challenges faced by the private sector in the absence of legal protections.

The failure of multiple bipartisan reauthorization efforts before the shutdown highlights the political complexities surrounding the issue. The House Homeland Security Committee had previously approved a 10-year extension of the law just weeks before the shutdown, indicating that legislative action had been in the works. However, this effort was not sufficient to prevent the expiration of the law, and the lapse has now left a gap in the cybersecurity framework. The situation raises critical questions about the need for renewed legislative action to address the ongoing challenges posed by cyber threats. The expiration of CISA has also sparked a broader debate about the role of government in cybersecurity and the balance between national security and private sector interests. As the U.S. grapples with these challenges, the absence of legal safeguards has prompted calls for swift legislative measures to prevent further vulnerabilities in the nation’s critical infrastructure.