[thb_gap height=”50″]
The Cybersecurity Information Sharing Act, which has been a foundation of U.S. cyber defense since 2015, has expired after Congress failed to renew it during the government shutdown. The law protected private companies when they shared threat intelligence with the federal government. Its expiration leaves Washington with fewer tools to detect attacks from increasingly aggressive adversaries.
The loss of the Cybersecurity Information Sharing Act affects more than federal agencies. Everyday people depend on critical infrastructure such as energy grids, transportation networks, and hospitals. Without timely sharing of cyber intelligence, those systems are more at risk of disruption. For major corporations, the risks involve data theft, ransomware, and large-scale breaches that could damage entire supply chains. For the government, the lapse is a setback at a time when hackers from China, Russia, North Korea, and Iran are probing for weaknesses.
Some companies have pledged to continue sharing information even without legal protections. CrowdStrike confirmed it would still deliver operationalized threat intelligence. Halcyon also promised to keep working with federal partners for now. Others, including Palo Alto Networks, have voiced concern about liability without the protections that the law provided.
The law was crucial in uncovering cyber campaigns like Volt Typhoon and Salt Typhoon, both linked to Chinese operators. Those operations targeted U.S. telecom and infrastructure networks and went undetected for years. Experts say that without open sharing between the private sector and government, detecting and disrupting similar campaigns will become much harder.
Lawmakers are divided on how to revive the law. The House proposed a 10 year extension with minor updates. The Senate has competing versions, including one that would scale back liability protections and only extend the law for two years. The lack of consensus has delayed action while the risks to the nation continue to grow.
Frank Cilluffo, director of Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security, warned that the gap creates a window of vulnerability. “Every hour we delay is an open invitation to cybercriminals and hostile actors,” he said.
For families, the expiration of the Cybersecurity Information Sharing Act means essential services are at greater risk of disruption. For billionaires and global companies, the stakes are even higher, with potential losses in intellectual property and financial stability. For the government, the lapse leaves defenders short of critical data at the very moment it is most needed.