Something unsettling just happened in Washington, and it hasn’t made nearly enough noise outside security circles. The Cybersecurity Information Sharing Act (CISA) of 2015, the law that gave companies legal cover to share cyber threat intelligence, reached its ten-year sunset on September 30, 2025 and quietly expired. It may sound like a minor procedural lapse, the kind of Beltway footnote most people scroll past, but in practice this is a tectonic shift. The act’s protections were concrete: liability protection for sharing cyber threat indicators and defensive measures with the government and with other companies, an exemption from antitrust law for that sharing, and an exemption from public-records disclosure for what was shared. That safe harbor meant businesses, banks, airlines, hospitals, and tech firms could swap indicators of compromise and attack patterns without worrying that the act of sharing would later land them in court. Without it, the decision to disclose now carries legal risk, and lawyers are likely to tell CISOs to keep their cards closer to the chest.
Why does this matter? Because the essence of cyber defense is collaboration. Threat actors don’t operate in silos—they share tools, rent access, trade exploits across borders at machine speed. Defenders, on the other hand, often hesitate to share what they know. Before CISA, there was already a culture of secrecy: companies preferred silence over admitting they’d been hit. The 2015 law helped to loosen that up, making it possible to pool knowledge about new ransomware strains, phishing campaigns, and state-backed operations without being sued for negligence or mishandling data. Pull that thread out of the fabric now, and the stitching weakens.
The timing is particularly grim. The expiration coincides with severe budget and staffing cuts at the Cybersecurity and Infrastructure Security Agency, the other “CISA” and the agency that runs the government’s side of the indicator-sharing pipeline, which has lost roughly a third of its workforce this year. At the exact moment when ransomware gangs like Qilin are rampaging through global companies, when Oracle and Cisco are scrambling to patch zero-days, the U.S. is letting its institutional capacity to share, analyze, and respond at scale fray. That is not just an American problem. If information sharing dries up in Washington, ripple effects will reach allies and partners who depend on U.S. intelligence leads.
You could argue Congress will eventually reauthorize the law, perhaps with modifications. Maybe. To be precise about what has changed: sharing threat intelligence has not become illegal. ISACs, vendor partnerships, and contractual sharing agreements still function. What is gone is the statutory shield that let a company share without first asking whether the data could be used against it in a lawsuit, an antitrust complaint, or a records request, and that is exactly the question general counsel will now put to every disclosure. Every day that passes without a legal shield makes it harder for security teams to justify openness. And once organizations retreat into silence again, it will take years to rebuild trust. Cybersecurity is already a race against time; now it risks becoming a race run alone.
The bigger question hanging over this is simple but sharp: at a moment when cyber threats are scaling globally, can any country really afford to let the basic architecture of trust and cooperation collapse?