Historic Cybersecurity Law Is Up for Renewal
By Matthew Eggers, Vice President, Cybersecurity Policy, U.S. Chamber of Commerce
While Popular, CISA 2015 Needs Its Advocates
Before it expires on September 30, 2025, the U.S. Congress must reauthorize the Cybersecurity Information Sharing Act of 2015 (CISA 2015). CISA 2015 is a cornerstone of American cybersecurity efforts: it improves companies’ capacity to address cybersecurity threats at scale and react quickly to modern cyberthreats.
If CISA 2015 lapses, the U.S. will face a more complex and hazardous security environment. Various foreign cybercriminals use techniques like phishing and ransomware to threaten our key critical infrastructure, advanced commercial capabilities, and economic well-being. Malicious hackers target local branches, offices, and warehouses in addition to major national corporations. Their attacks impact people, businesses, and their surrounding communities.
While reauthorizing CISA 2015 is a top policy priority for many in industry and government,[1] it needs its advocates. The congressional to-do list, including approving budget-related legislation, advancing pro-growth tax policy, and passing the annual defense bill, is extensive. Deadlines are rapidly approaching.
The good news is that CISA 2015 has had the support of both Democrats and Republicans. When taking up the bill a decade ago, the Senate Intelligence Committee stated it was convinced that the legislation was needed to enable bilateral information sharing between industry and government to better address our nation’s shared cybersecurity challenges.
Meanwhile, on the other side of the Capitol, House Homeland Security Committee leadership emphasized that information about a cyberattack experienced by one business can help others fortify their defenses. But when the sharing does not occur, it leaves all of us more vulnerable, said the chairman of the Cybersecurity, Infrastructure Protection, and Security Technologies Subcommittee, because the same criminals can use the same tactics to target other entities.
Advocates for CISA 2015 cannot take its reauthorization for granted. It’s easy to overlook how challenging it is to enact legislation that has widespread support. In November 2011, I first read a draft bill that would eventually become CISA 2015. However, it took four years of negotiations among Congress, the Obama administration, and various private-sector stakeholders to get it passed into law.
You are to be extremely vigilant & watchful to guard against surprizes, & to use every means in your power to obtain a knowledge of the Enemys Numbers—Situation—and designs. … Every piece of Intelligence you may think of Importance for me to know, communicate it without wasting time.
—George Washington to Brig. Gen. William Maxwell, December 1776
‘Our Adversaries Want CISA to Expire’
At the U.S. Chamber, I lead a working group made up of approximately 250 companies and business associations that represent nearly every sector of the U.S. economy. A number of individuals have told me that, due to the importance of CISA 2015 to U.S. economic and national security, our adversaries want it to expire.
Readers of this magazine don’t need to know the specific provisions of CISA 2015 to understand that swapping data on cyber threats and incidents complicates attackers’ operations as defenders learn what to monitor and prioritize. CISA 2015 enables private entities to enhance the protection of their data, devices, and computer systems while promoting the sharing of cyber threat information with business and government partners within a secure policy and legal framework. In order to encourage prompt information sharing between public and private institutions, it also offers safeguards for enterprises in relation to regulatory matters, public disclosure, and antitrust matters. Under CISA 2015, both government and industry have a proven track record of protecting civil rights and privacy.
CISA 2015 Increases Collaboration and Imposes Costs on Criminals
An economist may say that CISA 2015 aims to reduce businesses’ opportunity costs and impose them on malicious actors (e.g., criminal organizations and foreign nation-states). Indeed, since the implementation of CISA 2015, collaborations in cybersecurity have improved significantly in several ways, including encouraging the development and expansion of information sharing and analysis centers (ISACs) across multiple sectors. These centers act as focal points for exchanging cybersecurity information within particular industries, which improves the ability to detect and respond to threats specific to those sectors.
For example, CISA 2015 enabled the Health-ISAC to deliver substantial value to the healthcare and public health (HPH) sector by fostering a trusted environment for sharing timely, relevant, and actionable threat intelligence and best practices. A prime example of this value in action occurred during the 2017 NotPetya cyberattack. The malware spread rapidly, impacting thousands of organizations around the globe and in every critical infrastructure sector. In the HPH sector, NotPetya caused major disruptions to hospital systems, pharmaceutical manufacturing, and healthcare supply chain vendors. Within hours, the Health-ISAC facilitated crucial real-time information sharing among its members.
The collaboration led to a swift understanding of the attack, the mechanisms of the malware’s propagation, and the development of mitigation strategies, including a “vaccine,” to prevent the malware from spreading. The Health-ISAC became a force multiplier in defending against widespread cyber threats as this information was rapidly disseminated across the health sector, enabling even small and rural hospitals to halt the attack and prevent significant disruption to healthcare in local communities. This type of information-sharing partnership is just one example of the various partnerships that occur across critical infrastructure and government on a minute-by-minute basis.
U.S. Cybersecurity Relies on Trust
Cyber incidents underscore the need to renew CISA 2015 to help businesses enhance their understanding of cybersecurity threats and strengthen their protection and response capabilities in collaboration with government entities. Further, if the law lapses this fall, many are most concerned about the weakening of trust among people and institutions.
Interpersonal trust cannot be mandated by policy. It is a mindset that takes years to cultivate, which should prompt lawmakers to take action. If CISA 2015 isn’t extended, the ability to create and maintain trust would be weakened, leading to unintended consequences for security and resilience in communities across America.
CISA 2015 not only sets the tone for sharing and receiving threat indicators and defensive measures, but it also fosters trust among businesses and government allies. Policymakers should not take such trust and public-spiritedness for granted. These attitudes are not codified anywhere but are foundational to U.S. economic and national well-being. Even a partial lapse of CISA 2015 could impact our cyber defenses. Congress must act.
References:
[1] In April 2025, U.S. Sens. Gary Peters (D-MI), the ranking member of the Senate Homeland Security and Governmental Affairs Committee, and Mike Rounds (R-SD) introduced a bipartisan bill to extend CISA 2015 for 10 years. In addition, U.S. Department of Homeland Security Secretary Kristi Noem called for reauthorizing the law.
On May 13, 2025, 52 associations, led by the U.S. Chamber of Commerce, sent a letter to the full U.S. Congress urging lawmakers to reauthorize CISA 2015.
