Vital cyber data-sharing law appears likely to expire amid looming government shutdown


By David DiMolfetta, Cybersecurity Reporter, Nextgov/FCW


Law firms are advising clients to prepare for this possibility, although the extent of information sharing that will cease if the law lapses remains unclear.

It’s becoming increasingly likely that a longstanding bedrock cybersecurity law will expire in tandem with a government shutdown anticipated next week, potentially slowing exchanges of timely cyber threat information between the private sector and government agencies.

The 2015 Cybersecurity Information Sharing Act lets private sector providers share cyber threat intelligence with government partners with key legal protections in place. As of now, companies are essentially shielded from lawsuits and regulatory penalties when circulating threat data. But the law is set to lapse Sept. 30 unless renewed by Congress.

For months, industry leaders and senior administration officials have pressed for renewal. Congress remains at an impasse.

Last week, House appropriators unveiled a temporary funding plan that would keep the law alive through Nov. 21 and fund the government until the same date. That would have given Congress time to simultaneously work out broader federal funding snags and reconcile any debate about changes needed for the cyber law, which was first enacted 10 years ago. But that continuing resolution failed to pass in the Senate.

Around the same time, Senate Homeland Security Chairman Rand Paul, R-Ky., circulated his own version of the bill that would have provided a shorter extension and scaled back key liability protections, a product of his longstanding suspicion about the Cybersecurity and Infrastructure Security Agency and its purported infringement on Americans’ free speech.

A markup of Paul’s bill was canceled last week, as he didn’t have the votes necessary from many of his peers on the Senate Homeland panel, including fellow Republicans, according to two industry sources familiar with the matter.

CISA, the nation’s core cyberdefense agency housed in the Department of Homeland Security, was also uncertain about Paul’s version of the extension bill, one of the industry sources said, although an agency official has said publicly that they will accept any extension Congress chooses to grant them. The big “poison pill” for many involved in the deliberations was that Paul’s bill stripped a measure from the original law that prevented discovery of sensitive data via Freedom of Information Act requests, the person added.

Both industry sources noted that Paul’s office has also not engaged thoroughly with the private sector on the matter. 

“There’s no doubt that there’s been a willingness to engage the chairman and his staff, and there’s been a lack of communication on their end,” one of them told Nextgov/FCW.

Paul’s office denied the claims. “We have engaged, they just don’t like that we find their arguments unconvincing,” a spokesperson said.

As of Thursday, Senate Republicans and Democrats on the Homeland Security panel haven’t been able to come to a consensus on how to proceed with a renewal for the information-sharing law, a congressional aide told Nextgov/FCW. Paul’s office said that point is accurate, “but is not our fault.”

“There is a clear path to extension in the [continuing resolution], but Democrats prefer to shut down the government,” Paul’s spokesperson said. Though Republicans have a majority in both chambers of Congress, 60 votes are needed to pass the bill in the Senate, meaning that some Democrats would have to sign onto a Republican-led funding package.

Legal fallout

Law firms are bracing for potential expiration of the law, which would take effect this coming Wednesday when the government’s fiscal calendar resets. Since early September, multiple law firms have told clients to prepare for the possibility that the threat-sharing measure will expire, one of the industry sources told Nextgov/FCW.

Michael McLaughlin, an attorney who helps lead the cybersecurity and data privacy practice at Buchanan Ingersoll & Rooney PC, has been chatting with clients regularly about the potential lapse.

“My advice to [clients] is we need to take a look at what type of information that you’re sharing right now with the federal government,” said McLaughlin, who served as a senior counterintelligence advisor in U.S. Cyber Command in 2022. Depending on how his clients have shared data, some will “need to cease as of September 30, if the law lapses.”

Legal exemptions were made a core feature of the 2015 law because cyber threat information often contains sensitive personal data about victims and companies. To help agencies like the FBI track nation-state cyber intruders and criminal hackers, those datasets often need to be shared with government cybersecurity and intelligence analysts.

Lawsuits wouldn’t necessarily flood in as soon as expiration day comes. But “the primary risk is that we have got a highly litigious society and some highly aggressive plaintiffs attorneys that are looking for every opportunity to make a buck,” McLaughlin added. “And this is something they could potentially jump on and identify areas where there are either breaches of other laws … as well as certain federal regulations.”

Several cyber industry representatives that Nextgov/FCW has spoken to in recent weeks don’t expect all information sharing to halt if the law expires, though they agree its tenure has created an optimal legal environment for transmitting data. 

That said, it’s difficult to measure the effectiveness of current cyber threat-sharing mechanisms in comparison to their absence, one of the industry sources said.

Cybersecurity and technology companies largely support an extension, especially with the advent of advanced artificial intelligence systems and their cybersecurity uses.

“A decade on, as the volume and sophistication of threats continue to rise, it is important to reauthorize the statute and update it for new challenges across critical infrastructure, operational technology and AI enabled attacks — challenges that only defenders operating at the speed of artificial intelligence can address,” said Marcus Fowler, who heads the U.S. federal unit of cybersecurity firm Darktrace.

“One of the biggest concerns that I have is, if CISA 2015 expires, those protections and those safe harbors that currently exist are going to have a chilling effect on AI development in cybersecurity,” McLaughlin said.

Many are frustrated that Congress took too long to get the extension measure finalized. 

“I think once the government reopens, this [extension] will be part of it. I just don’t know what [the Senate’s] plan is to get this done,” the congressional aide said. “We knew that this bill was going to expire at the end of the fiscal year. We’ve known the year for a long time, for ten years.”

“Congress stands at a crossroads,” Kate Kuehn, area vice president of global cyber advocacy at World Wide Technology, wrote in a LinkedIn blog post earlier this month. “Renewing CISA 2015 is not just a legislative necessity — it is a fundamental investment in our nation’s security, prosperity and resilience. Congress must act decisively — but true security depends on shared responsibility between government, business and local communities.”