The Cybersecurity Information Sharing Act (CISA) is designed to provide encouragement for, and legal protection while, sharing threat information.
A sunset clause built into the Cybersecurity Information Sharing Act 2015 (PDF) means it will expire at the end of September 2025 unless reauthorized by the US Congress. At the time of writing, it has not been reauthorized.
“If you find something in your software that shouldn’t be there, and there’s some indication that it is going to surveil what you’re doing or introduce some harm to a system,” explains Andrew Grosso (attorney at Andrew Grosso and Associates, and former assistant US attorney), “then you can report it.” Safely and free of liability concerns.
The government agency that receives the threat information may or may not take any action, but it will further share that data with other agencies and will share it with other companies that may similarly be threatened. “Or the company concerned may share the threat information directly with other companies,” continues Grosso. “It opens a window on risk in real time. It encourages reporting, protects the companies that do the reporting, and it tries to protect the identity of people who may be named as ‘suspects’, and the name of any known ‘victims’ of the threat.”
In short, it encourages threat information sharing and facilitates further sharing, while protecting the identities of those involved.
Given the obvious benefit to the security ecosphere that emanates from CISA, how has it got to this parlous position – and will it ever be renewed? The answer to the first is probably nothing more than ‘politics’ and timing. The need to renew CISA coincides with the separate need to renew the government’s debt ceiling – which is more important, more contentious and more pressing on Congress than renewing CISA.
At the same time, the effort involved by Congress is likely to be greater than simply rubber stamping ‘Renewed’. Rand Paul, for example, is seeking to use the Freedom of Information Act to allow reported individuals to learn more about their inclusion in the CISA process; that is, to protect their civil liberties. (This is hugely simplified, but indicative of the sort of problem that will make simply renewing CISA more complex than it could be.)
Will it be renewed? Almost certainly, suggests Grosso, and probably retroactively – but it may take weeks or months and will leave information sharing in a period of limbo.
His certainty that CISA will be renewed is based on its value. If a firm detects suspicious activity on its network, it may be able to stop it – but that doesn’t necessarily prevent a repeat from the same source. The individual company may simply see a part of the problem.
“You might have the legs and the tail, but you haven’t got the whole animal,” says Grosso. “A different company may have the forearms, while another company has the torso. It’s only when you combine all these different parts that you get to see the whole animal.” And that’s what sharing threat information with the government provides.
“The federal government has the ability to pour resources into problems that need to be fixed. It can triangulate these different snippets of information received from multiple locations to track down the full threat – and it has the incentive to do so to protect government, military, national security and critical infrastructure systems, and the commercial private sector at large.”
Moiz Virani (CTO and co-founder at Momentum) also believes and expects that CISA will be renewed; but he hopes it will be improved at the same time. “There’s a moderate to high chance that it will be renewed, but I don’t think it’s guaranteed,” he says. “There’s a tailwind from the community for re-authorization, so it’s not going to die in silence.”
Its departure would leave a serious gap in threat information sharing – the legal framework that provides protection from liability. But he doesn’t think it would be a disaster if it falls. “I think of CISA as one of the tools in the CISOs’ toolkit which would no longer be present. But that gap may incentivize security practitioners who make decisions about security to be a little more alert.”
However, he does believe that the process of renewal would be an opportunity for improvement.
“CISA was not a super successful program, but it was practical and introduced a legislature that was more productive in the sharing of vulnerabilities. It is in the right direction, and has had some successes, but in the new AI world and when the attack surface is so much greater than it was ten years ago, there is now a need and opportunity to be more proactive about vulnerabilities in general.”
CISA is entering limbo. There is the likelihood of it being renewed with the possibility of improvement, but not the certainty. If it is renewed it will probably be retroactive – but that is not guaranteed. So, the big question for CISOs right now is: How should we handle threat information sharing immediately after September 30, 2025?