A federal shutdown has caused a key cog in the country’s cyberdefense to lapse, halting legal protections that help private companies provide the government with critical threat data through an automated system. Security leaders are warning that the gap may slow the detection of hostile activity on US networks and discourage businesses from reporting cyber incidents at a time when the speed of those efforts is critical.
The law in question is the Cybersecurity Information Sharing Act of 2015, which established liability and disclosure protections for companies that shared indicators of compromise and tactics, techniques and procedures with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. Now that the statute has lapsed during the shutdown, general counsels in critical industries might tell their security teams to refrain from sharing data they had been giving regularly.
The stakes could not be higher: fewer timely alerts to defenders, fewer high-fidelity indicators coursing through federal pipelines and more opportunity for nation-state and criminal attackers to operate in secret.
The expiration is alarmingly ill-timed, an array of policymakers and industry groups told outlets including Politico, framing the lapse as a setback for the defense of critical infrastructure.
What Expired and Why the Lapse Is Significant for Defense
CISA 2015 offered companies a safe place to pass along cyber threat data without worrying that it would be held against them in court, revealed under public records laws, or interpreted as anticompetitive. Organizations also made automated sharing a standard part of their repertoires, using structured formats like STIX/TAXII to push indicators at machine speed between participants through the Automated Indicator Sharing program and related exchanges.
Without those protections, sharing becomes a matter of legal risk analysis. The president of the Cyber Threat Alliance, Michael Daniel, said he predicts some companies will stand down or limit what they give the government, depending on each company’s risk tolerance and legal counsel.
The law was not without flaws — federal watchdogs, including the DHS Office of Inspector General and the Government Accountability Office, have called for better indicator quality and timeliness over the years. But in fast-moving campaigns, even imperfect signals can be the difference between an isolated incident and a sectorwide contagion.
Immediate Fallout For Government And Industry
The timing is especially fraught. Reporting by The Washington Post has described heavy furloughs at CISA during the shutdown, leaving a skeleton staff to deal with a constant drumbeat of intrusions. Dropping the legal shields of the statute at the same time only exacerbates operational blind spots.
Sector Information Sharing and Analysis Centers (ISACs), as well as independent Information Sharing and Analysis Organizations (ISAOs), will keep trading data among their members, but many are expected to be more gun-shy about sending sensitive information along to federal counterparts. The Joint Cyber Defense Collaborative, a CISA public-private initiative developed to coordinate defense against campaigns, relies on the kind of rapid, reciprocal sharing that the statute gave legal backing.
Electric utility and pipeline operators, large financial services companies and telecommunications carriers use early-warning indicators and pattern-matching tools from federal sensors and classified intelligence. Without safe harbor, companies are concerned that disclosures could trigger lawsuits, regulatory investigation or public humiliation, forces that have traditionally discouraged victims from reporting their experiences.
Critical Infrastructure Caught In The Middle
Recent campaigns underscore the stakes. Public advisories from federal agencies and investigations by major vendors have identified ongoing intrusions by Chinese state-sponsored actors into US telecommunications systems, operations that were tracked in part through cross-sector sharing. Each new signal (beaconing patterns, command-and-control infrastructure, anomalous authentication) helps defenders connect the dots across carriers and suppliers.
Ransomware continues to be a separate threat to operational technology. The crisis involving the Colonial Pipeline demonstrated how swiftly a disruption can spread from information technology to a real-world fuel distribution network. After-action reviews in government and industry have identified rapid, structured intelligence sharing as a crucial factor in containing follow-on risk. Undermining the legal scaffolding for that exchange increases the mean time to detection and response when hours matter.
Legal and Policy Path to Restoring Data-Sharing Protections
There is bipartisan support for reinstating the protections. Support in the Senate includes leadership figures like Gary Peters and Mike Rounds, who argue that adversaries have increasingly matched the sophistication of domestic defenses, but without self-imposed blind spots. The US Chamber of Commerce has called for renewal, arguing that the 2015 framework includes privacy, antitrust and regulatory-use safeguards.
Progress has been hindered by squabbles over privacy and oversight provisions, with committee actions postponed and markups abandoned. Administrative guidance from agencies or enforcement discretion from the Department of Justice can provide businesses with some confidence that their cooperation will be rewarded, but neither is the same as statutory immunity, which is why so many corporate attorneys are likely to remain skittish until Congress acts.
What Organizations Can Do Now to Reduce Legal Risk While Sharing
Security leaders must maintain sharing via sector ISACs and trusted peers while keeping legal exposure as low as possible: strip personally identifiable information where feasible, work toward standard formats for indicators and document data-handling practices in keeping with privacy policies.
Counsel must also re-examine the information-sharing arrangements in place and confirm that post-incident reporting obligations under sector rules, for example transportation security directives for pipelines, continue to be fulfilled.
Companies can also place a higher priority on bilateral exchanges with suppliers and customers, get involved in JCDC planning forums as appropriate, and deploy telemetry that enhances detection even when external feeds are limited. Most importantly, keep the executive suite advised that the federal signal has dropped off and that longer dwell times could be coming, so that resourcing decisions align with the increased risk.
The expiration of CISA 2015’s protections is a policy decision with operational impacts. Until Congress reinstates a legal basis for constitutional, real-time public-private cyber intelligence sharing, the United States is fending off threats with less clarity than adversaries believe, and less than critical infrastructure needs.