Congress has temporarily reauthorized a vital but recently expired cybersecurity law as part of a bill to reopen the federal government and end the longest shutdown in U.S. history.
The spending legislation, which passed the House and received President Donald Trump’s signature on Wednesday after passing the Senate on Monday, will revive the 2015 Cybersecurity Information Sharing Act through Jan. 30, 2026, giving Congress roughly two months to agree on a longer-term plan for the law.
CISA 2015, as the program is known, gave companies liability protections for sharing indicators of cyber threats with federal agencies and one another. The law’s expiration on Sept. 30 has alarmed federal officials, industry executives and cyber experts who say the government may now be receiving less information about cyberattacks from businesses afraid of the legal risks.
Rapid and comprehensive information sharing between the public and private sectors is essential for combating cyber threats, and experts say that without CISA 2015, the U.S. is less prepared to detect and block increasingly sophisticated and aggressive attacks.
“Further delays in renewing this program will only serve to entrench information-sharing silos between government and industry and needlessly set back United States’ overall cybersecurity posture,” said Henry Young, senior director of policy at the software industry trade group BSA.
Whether a two-month extension of CISA 2015 will affect companies’ decisions about whether to share information is unclear. Businesses that had stopped sharing may not be willing to resume doing so with the new expiration date already looming.
Long-term reauthorization in limbo
Efforts are underway in both chambers of Congress to reauthorize CISA 2015 on a more permanent basis. The House Homeland Security Committee passed a bill in September to tweak the program and extend it for 10 years, and a bipartisan pair of senators introduced a clean 10-year extension in October.
But Sen. Rand Paul, R-Ky., the chairman of the committee with jurisdiction over CISA 2015, remains a significant obstacle to reauthorization. Paul has said that his committee won’t consider any CISA 2015 extension that does not address unrelated concerns about the Cybersecurity and Infrastructure Security Agency (CISA)’s previous efforts to combat online misinformation.
“The Senator has made it clear that a longer-term reauthorization will need robust free speech protections included,” a Paul spokesperson told Cybersecurity Dive.
House Homeland Security Committee Chair Andrew Garbarino, R-N.Y., said he was committed to finding “a longer-term solution to preserve CISA 2015” that also kept the program “relevant to the threat landscape, which continues to evolve rapidly.”
“Understanding the difference of opinions in both the House and the Senate regarding an extension,” Garbarino told Cybersecurity Dive in a statement, “I look forward to continuing to work alongside the administration and my Senate colleagues to find the best path forward.”
The funding bill also reauthorizes the State and Local Cybersecurity Grant Program, though it does not include funds for new grants.
Meredith Ward, the deputy executive director of the National Association of State Chief Information Officers, said the renewal of the two cybersecurity programs “demonstrates that Congress is indeed taking this issue seriously,” but noted that lawmakers had approved “only a temporary solution to a significant and pressing problem.”
“Congress should act swiftly to provide certainty and stability for state governments by passing a long-term extension of both programs, combined with adequate levels of funding, that will allow stakeholders to strengthen their cyber defenses and meet the challenges of the future,” she said.