A prolonged lapse of the Cybersecurity Information Sharing Act of 2015 could create challenges in the current info-sharing ecosystem, according to the Cybersecurity Coalition’s Ari Schwartz, who says the law has evolved over 10 years to address other large issues impacting the stakeholder community while providing certainty through its protections.
“Prior to 2015, private sector sharing groups, ISOs and ISACs and others would often spend months, in extreme cases even years, debating antitrust agreements and privacy rules for information that would be shared. After 2015, these agreements were mostly done in days,” Schwartz said in opening remarks at the Oct. 8 CyberNext DC conference.
CISA 2015 lapsed on Sept. 30, leaving industry to operate without the liability and antitrust protections the law provided for the past 10 years. CISA 2015 also excludes information shared on cyber threat indicators and defensive measures from Freedom of Information Act requests.
The conference was hosted by the Cybersecurity Coalition and the Cyber Threat Alliance. Schwartz is executive director of the Cybersecurity Coalition.
Schwartz said, “Prior to 2015, the government would try to get companies to share information about incidents, only to be told that the legal reviews it needed were taking so long that the information is often not relevant by the time it arrives.”
“Today, those lawyers are slowly being reinserted into these conversations and processes,” Schwartz said.
Stakeholders in the info-sharing space are confident that a short lapse won’t do damage in the long term, but they worry about potential consequences if the lapse extends into 2026.
Republicans have included a short-term reauthorization of CISA 2015 in a continuing resolution to keep the federal government open while lawmakers come to an agreement on the fiscal 2026 budget. However, it remains unclear whether the CR, which is languishing in the Senate, will eventually have the necessary support to send the bill to the president’s desk.
Sens. Gary Peters (D-MI) and Mike Rounds (R-SD) introduced a bipartisan bill in April to extend CISA 2015 for 10 years. Peters has tried to bring the bill to the floor for passage under unanimous consent over the past few weeks, but has been blocked each time by Senate Homeland Security Chairman Rand Paul (R-KY).
Peters introduced on Oct. 7 a new CISA 2015 reauthorization bill with Rounds that is expected to be unveiled today.
Schwartz reflected on the current info-sharing environment with the lapse of CISA 2015.
“Less information is already being shared now. It is not a total end of information flows and will never be a total end of sharing. The longer we do not have the Cybersecurity Information Sharing Act in place, the less information sharing we will see because of legal reviews,” Schwartz said.
He added, “This is unlikely to be harmful in October 2025 but as we get into 2026, it will be more and more evident to security professionals that it is harmful.”
Schwartz said, “Beyond the lack of information in the right place, beyond the lack of information in the right place at the right time to prevent an incident, there is another reason to support the reauthorization of the Cybersecurity Information Sharing Act for the five to 10 years.”
“Prior to 2015, the main topic for us in cybersecurity policy was information sharing. For the 10 years since 2015, there's been relatively little or no discussion of information sharing, compared to topics like vulnerability disclosure and other major topics of the day: regulatory harmonization, new regulations on critical infrastructure sectors, etc.,” Schwartz said.
Schwartz argued, “This happened because the law was successful.”
Schwartz said, “Therefore, I ask Congress to please reauthorize the Cybersecurity Information Sharing Act so that we can move on to other topics again, and the ones that really will even make a difference for the future.”
CyberNext DC featured several panels and keynotes from Megan Stifel of the Institute for Security and Technology and Tenable co-chief executive officer Steve Vintz. Cyber Threat Alliance CEO and president Michael Daniel provided closing remarks.
One of the panels focused on CISA’s Common Vulnerabilities and Exposures program and offered perspectives on the future of the initiative, which has faced funding challenges in 2025. -- Sara Friedman (sfriedman@iwpnews.com)