The Case for Reauthorizing CISA 2015

Michael Daniel
Monday, August 4, 2025, 10:23 AM

Congressional failure to reauthorize the cyber information sharing statute would deal a considerable blow to cybersecurity efforts.


(CC BY-NC 4.0, https://creativecommons.org/licenses/by-nc/4.0/)

Published by The Lawfare Institute
in Cooperation With
Brookings

Although the Cybersecurity Information Sharing Act of 2015 (CISA 2015) was the culmination of more than five years of work, at first glance the activities that it authorizes—such as enabling a company to share information about cyber threats to the government or with other companies, authorizing a company to operate defensive measures, or requiring the federal government to share threat information in a timely manner—seem rather pedestrian. Yet over the past decade, this statute has come to underpin a broad array of cyber defense activities among federal and private entities and state and local governments—including those providing utility services like electric, natural gas, or water services. The protections built into the statute to address privacy concerns, moral hazards, law enforcement worries, and regulatory fears have proved relatively successful, and subsequent implementation guidance has further buttressed these protections. Indeed, CISA 2015 is a foundational cybersecurity statute, enabling a vast range of cyber defense activities.

However, there is a problem. The concerns about the authorities in the act were significant enough at the time that Congress included a sunset clause, meaning that CISA 2015’s provisions are not permanent. They will expire on Sept. 30, 2025—a rapidly approaching date. Given how long it takes Congress to pass even the simplest legislation, a little less than two months is cutting it dangerously close. Fortunately, cybersecurity remains one of the few areas of bipartisanship. While some proponents argue that Congress should consider broadening the types of information covered by the act to address changes in technology and the threat landscape, a simple reauthorization is the best path forward at this point. Achieving reauthorization is not only possible, but necessary.

What Does CISA 2015 Do?

One of the most common cybersecurity recommendations over the past two and half decades has been to increase “information sharing”—a term so overused that it often generates eye rolls from cyber policy experts. Nevertheless, sharing information about cyber threats continues to be a critical enabler for cybersecurity, and increasing the scope, scale, and depth of sharing remains a worthy priority. As a society, we need private-sector companies to share information—among themselves, with state, local, territorial, and tribal governments, and with the federal government—if we want effective cyber defenses.

Prior to 2015, however, many companies argued that the laws governing cyber threat intelligence sharing were unclear. These concerns came not just from cybersecurity companies, but from internet service providers, cloud service providers, telecommunications companies, financial services firms, energy companies, the health-care industry, and more—in fact, concerns arose in almost every sector. General counsels cautioned against sharing information on the grounds that it could open a company to legal liability and antitrust concerns. Not all companies were willing to take that risk. Even if not grounded in actual risk, perceptions about liability and antitrust inhibited many sharing activities.

Consequently, the Obama administration worked with Congress to craft legislation to address these concerns, culminating in the statute known as CISA 2015, which was passed as part of the Consolidated Appropriations Act of 2016. Despite a shared acronym, the statute does not directly relate to the Cybersecurity and Infrastructure Security Agency (CISA). The resulting confusion has plagued subsequent policy discussions, and it remains a problem today as some members of Congress conflate concerns with CISA the agency with concerns about CISA the statute.

In CISA 2015, Congress provided the legal authority for private entities to: monitor their networks or those of their customers, upon authorization and written consent, for cybersecurity purposes; take defensive measures to stop cyber attacks; and share cyber threat information with each other and with the government to further collective cybersecurity.

To enable robust and active cyber defense, the statute has six key elements:

Definitions. CISA 2015 includes definitions for 18 terms, including cybersecurity purpose, cybersecurity threat, cyber threat indicator, defensive measure, malicious cyber command and control, malicious reconnaissance, monitoring, security control, and security vulnerability. Definitions serve a critical purpose in this case: They carefully limit the types of information covered by the statute. Having clear definitions eliminated a major source of friction in information sharing activities, because individual information sharing agreements no longer had to define the terms themselves. They could simply reference the statute. Reducing this friction eliminated a major barrier to sharing. Three of the most important definitions cover cyber threat indicators and defensive measures, the core information shared for cybersecurity purposes.

Protections. The statute contains several protections for information shared through a designated channel. These protections apply to private companies regardless of whether companies share cyber threat indicators or defensive measures exclusively with each other or whether they choose to share with the federal government. Such protections include key exemptions from antitrust enforcement, disclosure under the Freedom of Information Act or state sunshine laws, ex parte communication limitations, and regulatory enforcement actions. The law also specifies that companies do not waive privilege just by sharing through this channel, that they retain ownership of proprietary information, and that they have liability protection for taking actions consistent with this statute.

Federal duty to share. The statute requires federal agencies to share cyber threat indicators and defensive measures with each other and with the private sector in a timely manner, including classified information with those who hold appropriate clearances. In effect, CISA 2015 creates a duty to share for the federal government. It makes the government’s default position one of sharing information, rather than one driven by arguments about intelligence gain and loss. Agencies have created multiple programs that help the federal government meet this requirement, including CISA alerts, FBI alerts, and other efforts.

Private to private sharing. The act authorizes private-sector entities to take several cybersecurity actions: monitoring networks for malicious behavior, taking defensive cyber actions on information technology networks, and sharing and receiving cyber threat indicators and defensive measures with other private-sector entities. This authority requires an organization to protect shared information against unauthorized disclosure and to remove personally identifiable information from that information. This sharing is exempt from antitrust laws. This section also covers sharing cyber threat indicators and defensive measures with state, local, territorial, and tribal governments.

Private to federal sharing. CISA 2015 specifically enables private-sector entities to share cyber threat indicators and defensive measures with the federal government through the Department of Homeland Security. Information shared through this channel receives the protections described above. The statute requires the department to share any information it receives through this channel with other relevant federal agencies without delay. The Department of Homeland Security also developed a set of guidelines to protect privacy and civil liberties in response to the statute.

Use limitations. Finally, the legislation strictly limits what federal agencies can do with the information received under CISA 2015. The federal government can use the information only for cybersecurity purposes (defined as protecting information systems or information that is stored on, processed by, or transiting an information system from a cybersecurity threat or security vulnerability); responding to a threat of death, bodily harm, serious economic damage, or terrorist use of a weapon of mass destruction; responding to a serious threat to a minor; and certain specified crimes.

Concerns About the Statute

Despite broad consensus that increased information sharing was needed, not everyone agreed with the proposed CISA 2015 language. Opposition to CISA 2015 came from two sources: privacy groups outside the government and law enforcement agencies within the government. Unsurprisingly, the concerns of these two groups were almost diametrically opposed.

Privacy advocates were concerned about the content of the shared information, how the government might use the information once it was shared, and whether authorizing the sharing envisioned in the statute would lead to additional information collection by the government. Privacy groups did not want companies to share personal information about customers or clients with the government, nor did they want the government to be able to use the information in broad ways, particularly for law enforcement activities. They also argued that CISA 2015 was a slippery slope, representing a first step toward increased government information collection.

Congress took several steps during the drafting process to address these concerns. For one, the type of information that could be shared under the statute was constrained sharply. The enacted law limited coverage to technical data like malware files and bad domain names to identify malicious activity (cyber threat indicators) and actions to thwart malicious activity (defensive measures). It also put in place strict use limitations. The government could use the information only for cybersecurity purposes or to investigate a very narrow set of crimes.

Further, following the passage of CISA 2015, the Department of Homeland Security and the Department of Justice developed the implementation guidance required in the statute, providing even more detail on the types of information that could be shared under the statute. Privacy advocates praised the guidance for addressing some of their concerns. Subsequent updates in 2018 and 2022 garnered even fewer comments. The different versions of the guidance have also clarified definitions for defensive measures and cybersecurity purposes.

One factor complicating this situation is the Supreme Court’s 2024 Loper Bright Enterprises v. Raimondo decision. This decision overturned a long-standing precedent regarding federal agencies’ ability to issue regulations. The previous precedent, referred to as Chevron deference from the name of a previous Supreme Court case, held that courts should generally defer to agency interpretations of congressionally provided authority to issue regulations. The Loper Bright decision reversed this approach, stating that Congress must be specific in its guidance to agencies when providing regulatory authority and that any interpretations had to be very narrow. Further, the decision indicated that courts should play a bigger role in interpreting regulatory authorizations. Thus, the existing joint Justice and Homeland Security guidance could be open to challenge under the Loper Bright doctrine, which could put some of its privacy protections at risk. Since the guidance stems directly from congressional direction, it has a reasonable likelihood of withstanding scrutiny, but the Loper Bright decision injects some uncertainty.

Some law enforcement agencies privately objected to CISA 2015 because the protections apply only to sharing that goes through the Department of Homeland Security (and what ultimately became the Cybersecurity and Infrastructure Security Agency). The FBI in particular wanted the law to authorize sharing with the Bureau directly, arguing internally within the administration and to congressional staff that providing liability protection only for sharing with the Department of Homeland Security could compromise its ability to get information from victims or potential victims. However, this debate occurred in the wake of Edward Snowden’s disclosures about the extent of U.S. government surveillance programs. These politically controversial and highly damaging leaks made it impossible for Congress to authorize direct sharing with the FBI or any law enforcement or intelligence agency.

Ultimately, the compromise was to include language that required the Department of Homeland Security to serve as a “passthrough.” The department could not delay or impede the transmission of information received under the statute, except under circumstances agreed to in advance by all the relevant agencies. Although the law enforcement agencies expressed dissatisfaction with this approach within the administration, ultimately they accepted the compromise as better than the alternative of no legislation at all.

CISA 2015 in Practice

Overall, the statute has proved very effective in achieving its goals while avoiding the contemplated problems. First, the statute achieved its aim of addressing concerns about information sharing. Although some general counsels still express unease about cyber threat information sharing, CISA 2015 stands as a direct response to such concerns. Thus, since its passage, the statute has dramatically reduced friction in the cybersecurity ecosystem. It has allowed sharing discussions to move past the foundational issue of what is permitted and what is not to more useful and sophisticated questions, such as what types of threat intelligence are the most valuable to recipients.

Second, the cyber threat sharing ecosystem has expanded tremendously since 2015. That same year, the Obama administration released an executive order that promoted the creation of information sharing and analysis organizations (ISAOs). As a concept, ISAOs include industry-specific information sharing and analysis centers (ISACs), which were first established in the late 1990s or early 2000s, but also encompass a much broader set of sharing organizations, such as regionally based entities or cross-sector sharing groups. Over half of the 70+ ISAOs have emerged since 2015, including organizations like the Cyber Threat Alliance (CTA). Although driven partially by increases in cyber threats, industry participation in ISAOs has also grown, facilitated by CISA 2015.

Third, experience has shown that sharing cyber threat indicators and defensive measures does not significantly impinge on privacy. The Inspectors General of the Departments of Commerce, Defense, Energy, Homeland Security, Justice, and Treasury and the Intelligence Community report every two years on the implementation of CISA 2015 and its privacy safeguards; the most recent report, from January 2024, does not identify any significant issues. To the best of my knowledge, no major privacy issues stemming from sharing under CISA 2015 have been identified publicly by outside groups. If anything, many cybersecurity practitioners believe the restrictions are too narrow.

Defenders generally do not need detailed personally identifiable information (PII) to provide effective cybersecurity. (One exception might be Internet Protocol (IP) addresses, but not everyone agrees that such information constitutes PII.) Moreover, companies don’t want to share that information; they want to protect their customers’ PII for business purposes. The privacy guidelines put in place because of the act have created a solid scaffolding within the government for handling information shared under CISA 2015. As a result, information sharing under CISA 2015 does not appear to have resulted in widespread privacy violations. Nor has the act resulted in additional information collection by the government. CISA 2015 has successfully protected privacy while enabling information sharing.

The Cyber Threat Alliance—which I lead—is a prime example of an organization that relies on CISA 2015 for its operations. CTA is a nonprofit membership association dedicated to enhancing our members’ capabilities, assisting with imposition of costs on malicious cyber actors, and raising the level of cybersecurity across the digital ecosystem. Cybersecurity companies join CTA and agree to provide a certain amount of technical threat intelligence every week through an automated platform; they also collaborate at the human level through communications channels like email and Slack. Approximately 35 cybersecurity providers from around the world actively participate in CTA.

CISA 2015’s definitions, liability protections, and antitrust exemption provide a crucial foundation for our activities. The definition of “cyber threat indicator” establishes parameters for what information members share through our platform. While our rules prohibit members from sharing PII and our members go to great lengths to not share such information through CTA, CISA 2015’s liability protection provides an extra layer of legal assurance. Finally, the antitrust exemption provides the ground rules on what we can discuss in CTA (cyber threats) and what we cannot (pricing or future product plans). CTA’s reliance on CISA 2015 is not unique; many other sharing organizations and initiatives could provide similar examples.

Law enforcement agency concerns also appear to have been overstated. In the intervening years, law enforcement agencies have not publicly raised concerns with the statute. Further, conversations with former and current government personnel indicate that the level of cooperation and coordination between the Department of Homeland Security and law enforcement agencies has increased significantly since 2015. For example, CISA and the FBI produced one joint advisory in 2016 but 17 in 2024, demonstrating much improved communication and coordination within the U.S. government. Anecdotal conversations with government personnel have reinforced this point of view. While coordination can likely always be improved, the baseline sits at a much higher level today.

The bottom line: The law is working the way it is supposed to.

What Happens If the Statute Isn’t Reauthorized?

Given the centrality of the statute for cyber threat information activities, a failure to reauthorize would cause significant problems across the ecosystem, essentially reverting it to the pre-2015 state, with its lack of clarity and defined rules. Prior to 2015, a general counsel could reasonably conclude that sharing activities were not expressly prohibited, and a company could engage in those activities and accept the risk. However, if this authority to share lapses, some general counsels might argue that because Congress deliberately failed to act, sharing activities that were legal before 2015 should now be considered prohibited because they no longer have any legal basis.

Further, a lack of congressional action to positively reauthorize private entities to monitor their networks, deploy defensive measures, and share information “notwithstanding any other provision of law” introduces uncertainty about sharing information that could trigger certain criminal laws, such as the Computer Fraud and Abuse Act or the Stored Communications Act, or could violate antitrust laws when participating in collective cyber defense. In short, the resulting uncertainty would reduce the amount of sharing that occurs, reintroduce friction into the system, and inhibit the ability to identify, detect, track, prepare for, or respond to cyber threats. As one colleague put it succinctly, “We would go back to just talking about information sharing all the time.”

Does CISA 2015 Need an Update?

Overall, the statute has held up very well over the past decade. It has provided the necessary clarity for increased information sharing and now undergirds a substantial array of defensive activity. Therefore, Congress needs to reauthorize the statute as it exists now, albeit with two narrow changes that could fall within a “clean reauthorization.”

  • Changing the name. Due to the similarity with the Department of Homeland Security agency called “CISA,” Congress should change the name of the statute to reduce confusion. Debate over the agency has threatened to spill over into the debate about the CISA 2015 statute, and eliminating the name overlap could mitigate that spillover effect. Options such as the Cyber Defense Collaboration Act (CDCA), Cyber Threat Sharing Act (CTSA), or Sharing Threat Information and Defensive Measures for Cybersecurity (STIM-C) would all differentiate the act from the agency while continuing to convey the statute’s purpose.
  • Removing the sunset. Even a clean reauthorization has to address the sunset date, either by putting in a new sunset date or by removing the sunset provision entirely. Given its success in promoting information sharing and the absence of negative effects, a sunset provision seems unnecessary. Features that may have been controversial at the time of passage are no longer problematic; instead, they have become embedded in cybersecurity practice. Further, cyber defenders will need to share cyber threat intelligence for the foreseeable future. A sunset provision serves no useful purpose, and it only introduces long-term uncertainty. It also requires industry and Congress to expend effort to renew something that has become foundational to cybersecurity activities.

Once Congress has reauthorized the statute, then it should consider making several amendments to the law that could further enhance its utility:

  • Adding a definition for “indicators of behavior.” Since the statute’s passage in 2015, some people have argued that the term “indicator of compromise” does not cover the full range of threat intelligence that defenders need to share. As adversary tradecraft improves, the types of information that defenders need to share have broadened. For example, in many cases, defenders now need to share adversary behavioral patterns (the bad guy takes “x” action, runs this process, then moves this file to this location, etc.) in order to identify malicious activity.
  • Further clarifying the definition of “defensive measures.” To encourage robust proactive defense across the private sector, Congress should consider clarifying how far a private entity can go in taking “defensive measures” up to but not including “hacking back,” which runs afoul of the Computer Fraud and Abuse Act.
  • Clarifying the scope of the definition of “cybersecurity purpose.” Some experts are concerned that the definition of cybersecurity purpose is not broad enough. It should be expanded to include not only the protection of information systems and the information that flows across our networks but also information used to defend against the actions of cyber criminals.

While updating the definitions to include “indicator of behavior” or clarifying “defensive measure” would be beneficial, the risks associated with opening the legislation for amendments are too great. Since the sunset deadline is approaching rapidly, Congress should proceed with a clean reauthorization. Once the foundational authority is certain, Congress, the administration, and industry could review the statute for additional updates.

***

CISA 2015 has achieved its goals of enabling increased cyber threat information and defensive measure sharing. The original concerns about the statute’s impact have not come to pass. Instead, the law has become foundational to the smooth functioning of the cybersecurity ecosystem. A failure to reauthorize the statute would inject unneeded friction at a time when cyber threats have only increased in their frequency and severity. Information sharing may not be sufficient by itself, but it is a necessary ingredient in successful cyber defense. To be clear, nation-state and criminal threat actors are sharing best practices for exploiting vulnerabilities in the U.S. We should not give them the competitive advantage by allowing this important law to lapse, leaving U.S. entities in an objectively weaker position for effective cyber defense. Congress needs to reauthorize the statute, make it permanent law, and perhaps change the name to reduce confusion. Otherwise, the U.S. will take a giant step backward in its cyber defenses—an outcome that benefits no one except cyber criminals and adversaries.

Michael Daniel serves as the President & CEO of the Cyber Threat Alliance (CTA), a not-for-profit membership association that enables cyber threat information sharing among cybersecurity organizations. Prior to CTA, Michael served as U.S. Cybersecurity Coordinator from 2012 to 2017, leading U.S. cybersecurity policy development both domestically and internationally, facilitating U.S. government partnerships with the private sector, and coordinating significant incident response activities. From 1995 to 2012, Michael worked for the Office of Management and Budget, overseeing funding for the U.S. Intelligence Community. Michael also works with the private sector Ransomware Task Force, Aspen Cybersecurity Group, the World Economic Forum’s Global Future Council on Cybersecurity and the Partnership Against Cybercrime, and other organizations improving cybersecurity in the digital ecosystem. In his spare time, he enjoys running and martial arts.