US Data at Risk as Key Cyber Law Expires

Summary
– The US Cybersecurity Information Sharing Act (CISA 2015) has expired, removing legal liability protections for companies sharing cyber threat intelligence.
– Lawmakers allowed the law to lapse despite bipartisan support and industry warnings, leaving companies exposed to lawsuits and weakening cyber defenses.
– Cybersecurity experts warn the lapse could create dangerous blind spots in threat intelligence sharing and increase software supply chain vulnerabilities.
– Industry leaders predict the legal uncertainty will hamper AI security development and could double the scale and cost of US data breaches.
– Congress can still renew CISA 2015 with a backdated extension, but failure to do so would require a new bill, creating prolonged uncertainty.
A vital piece of cybersecurity legislation that provided legal immunity to companies sharing cyber threat intelligence has officially lapsed after Congress failed to authorize its extension amid a broader government funding impasse. The 2015 Cybersecurity Information Sharing Act, commonly referred to as CISA 2015, safeguarded organizations from lawsuits when they voluntarily participated in the Automated Indicator Sharing Program, a system designed to circulate threat data among public and private entities. Although the law was set to sunset on September 30 without congressional action, political gridlock prevented its renewal despite widespread bipartisan backing and urgent appeals from industry experts.
The expiration of CISA 2015 leaves businesses legally exposed and undermines a foundational element of the nation’s collective cyber defense strategy. With a government shutdown now underway due to the stalled funding bill, the future of the statute remains unclear, raising alarms across the security community.
Many cybersecurity specialists view the law’s lapse as a serious national security risk. Saša Zdjelar, Chief Trust Officer at ReversingLabs, described the situation as “a textbook case of political dysfunction creating real vulnerabilities.” His firm depended on CISA 2015 to maintain extensive threat intelligence repositories. “At ReversingLabs, we’ve seen firsthand how the law enables the kind of robust threat intelligence sharing that keeps defenses current,” Zdjelar noted. “Take away those protections, and the collective defense that has kept us strong for a decade begins to crumble, handing adversaries an advantage they don’t deserve.”
Zdjelar anticipates that the expiration will jeopardize threat intelligence collaboration and amplify risks related to software supply chain vulnerabilities. He also cautioned that legal ambiguity could stifle innovation in artificial intelligence security. “Legal uncertainty will force companies to become conservative about sharing threat data needed to train AI-powered security tools,” he explained, “hampering development of defenses against AI-enabled attacks.”
Andy Lunsford, CEO of incident response company BreachRx, labeled the failure to renew the law “a crisis in the making.” He warned that clients already grappling with talent shortages, steeper regulatory penalties, and rising detection costs may halt threat sharing entirely without legal safeguards. Such a retreat would generate dangerous blind spots in cyber defenses. “The latest IBM numbers show the US is ground zero for data breaches; they are more expensive here than anywhere else in the world by a wide margin,” Lunsford stated, referencing the 2025 IBM Cost of a Data Breach Report. “Without CISA 2015, I expect those numbers to double in scale and cost within a year.”
Lunsford added that even if legislators eventually renew the statute retroactively, cautious legal advisors will likely recommend suspending information exchanges until official reinstatement occurs.
Shane Tierney, a senior compliance manager at Drata, confirmed to Infosecurity that Congress still has the option to revive CISA 2015 via an extension bill. “A short-term renewal would temporarily reinstate the liability protections and privacy provisions, allowing information-sharing to continue while lawmakers debate reforms,” Tierney said. However, he emphasized that if no extension is passed, an entirely new bill would be necessary, a process that would take considerably longer and introduce prolonged uncertainty for both industry and government stakeholders.
(Source: Info Security)