Many in the United States over the past several weeks have turned a worried eye to Washington D.C., with the deadline for the impending government shutdown and its cascading effects throughout society increasingly likely to go into effect at the end of the day September 30.

For those in the cybersecurity field, the focus has been on CISA, a 10-year-old law that since 2015 has become a cornerstone of cyber defenses for both the private sector and federal and local government agencies, and that also appears likely to expire at the end of the day.

If that happens and the Cybersecurity Information Sharing Act isn’t renewed, the repercussions for cybersecurity in the country will be significant at a time when threats from nation-state agents and financially motivated groups are rapidly escalating.

Critical CISA Cybersecurity Law is Hours Away from Expiring

“CISA’s importance for U.S. national security cannot be overstated,” Crystal Morin, cybersecurity strategist at Sysdig, told Security Boulevard. “Without legal protections, many legal departments would advise security teams to pull back from sharing threat intelligence, resulting in slower, more cautious processes. That shift would reduce the flow of high-fidelity, real-time insights, which is exactly the kind of intelligence that organizations rely on to stop adversarial campaigns before they escalate.

“The end of CISA would be a gift to attackers, giving them more freedom to operate while leaving potential targets in the dark.”

A Cornerstone of U.S. Cybersecurity

The CISA Act has been fundamental to expanding the amount of cyberthreat information shared among private companies and the federal government, creating a community approach to protecting against increasingly sophisticated threat groups that not only continue to multiply but also now are using AI tools in their operations.

As was the case before the creation of the CISA Act, companies will still be allowed to share crucial threat information – such as techniques and procedures (TTPs), indicators of compromise (IOCs), and malicious tactics – should it expire, but the crucial legal protections in the law will no longer be available. That could limit the amount of information shared and weaken overall protections in the United States.

Those protections addressed many of the concerns that companies had about sharing threat information, according to Annie Fixler, senior fellow at the Foundation for Defense of Democracies (FDD) and director of its Center on Cyber and Technology Innovation (CCTI).

Legal Worries Led to CISA

Fixler wrote that prior to 2025, corporate lawyers worried that companies could be prosecuted under the Sherman Antitrust Act, which doesn’t explicitly allow for cybersecurity information sharing. There were concerns that inadvertent sharing of a third party’s protected personal information could violate data privacy laws or that malicious actors could get proprietary information or trade secrets through Freedom of Information.

The CISA Act changed that.

“Private entities are provided with explicit authorization to share cyber threat information, monitor information systems, and operate defensive measures for cybersecurity purposes, and various legal protections are provided for such activities including liability protection for sharing or monitoring,” lawyers with the law firm A&O Shearman wrote this week.

Menlo Security CISO Devin Ertel told Security Boulevard that “by putting the right legal safeguards in place, it gave companies the confidence to share data with each other and with the government without fear of liability. That trust has been the foundation of a stronger, more collaborative cybersecurity community, one that can spot and respond to threats faster and more effectively. … Without that cooperation, defenders will find themselves more isolated at a time when attacks are only growing in scale and sophistication.”

Expiration Gives Threat Groups ‘the Advantage’

Working together has meant stronger security for everyone, Ertel said, adding that “pulling back now would only give our adversaries the advantage.”

Randolph Barr, Cequence Security’s CISO, told Security Boulevard that “considering the short time remaining before the law’s expiration, a clean 10-year extension makes the most sense to preserve continuity and avoid gaps in our defenses. Ideally, extending through 2035 with updates to address AI-driven threats and other modern challenges would provide even greater long-term stability. But at this moment, ensuring uninterrupted legal protections must be the priority, even if modernization comes in a later update.”

Senator Putting on the Brakes

That said, with only hours to spare, renewal seems unlikely, and its expiration would be due in large part to the party division and distrust that continue to permeate Congressional politics. Tech companies, many in Congress, and the White House have all urged the renewal of CISA.

U.S. Senator Rand Paul (R-KY) has continued to block the reauthorization of the bill until new language is added, according to news organization Axios. That includes removing liability protections for companies if it’s determined that a security incident violated their own user agreements and privacy policies.

The senator also wants any reauthorization to ban the U.S. Cybersecurity and Infrastructure Security Agency (CISA) from combating disinformation, something FDD’s Fixler called “an unrelated but pet issue for the chairman.”

Paul, who chairs the Senate Homeland Security Committee, reiterated his stance with political news site Punchbowl News on September 30, saying he will continue to block renewal and calling the bipartisan effort to pass the reauthorization before the midnight deadline a “bunch of fake outrage.”

The Risks are Real

However, both the outrage and the concern in the cybersecurity community are real.

“One thing is for certain: there is bipartisan support for the value of a strong cyber defense,” Sysdig’s Morin said. “But any delay or uncertainty risks undermining the trust and momentum that CISA has built. At a time when attackers are increasingly leveraging AI and targeting global supply chains, it’s more important than ever that the U.S. has a robust information-sharing ecosystem.

“Ultimately, CISA’s reauthorization isn’t just another cyber policy, it’s the backbone of America’s cyber defense system. Without an extension or updated legislation, the strong cyber defense ecosystem it has built will collapse.”