CISA 2015 Set to Expire in 2025 as Cyber Threats Rise


The Cybersecurity Information Sharing Act of 2015 (CISA 2015), a cornerstone of America’s national cyber defense, is set to expire on September 30, 2025, unless Congress acts to reauthorize it. Over the past decade, CISA 2015 has enabled critical threat intelligence sharing between the government and private sector without imposing new regulatory burdens. This mechanism has prevented numerous cyberattacks and allowed rapid response to emerging threats, particularly for businesses lacking the resources to detect sophisticated attacks independently [1].

The law includes liability and antitrust protections that encourage companies to share threat indicators with one another and with government agencies. These safeguards have been essential to building a collaborative cybersecurity environment. Without them, the flow of information—critical for preempting attacks—will grind to a halt. The potential consequences are dire, particularly for small and medium-sized businesses (SMBs), which form the backbone of the U.S. economy [1].

Industry analysis shows that SMBs account for 98% of cyber insurance claims and face average ransomware costs of $432,000 per attack. Many lack the financial resilience to survive even a few weeks of operational disruption, making them prime targets for cybercriminals. The loss of CISA 2015’s early warning system would leave these businesses increasingly exposed, with limited ability to respond to threats before they strike [1].

The healthcare sector is among the most vulnerable. Ransomware attacks on hospitals pose life-and-death risks, with experts estimating that such attacks contributed to 42 to 67 Medicare patient deaths between 2016 and 2021. In medical environments, even small delays in response can have fatal consequences. CISA 2015’s expiration would impair the ability of healthcare institutions to receive timely intelligence on new attack vectors, making them easier targets for threat actors who exploit the urgency of the sector [1].

Economically, the stakes extend beyond individual companies. SMBs account for 99% of U.S. businesses and nearly half the private-sector workforce. They contribute 43.5% of U.S. GDP, according to the U.S. Chamber of Commerce. Widespread failure among these businesses would have severe ripple effects throughout the economy. Additionally, CISA 2015 has played a role in maintaining U.S. technological leadership in cybersecurity. By enabling access to comprehensive threat data, American firms have been able to develop superior cybersecurity products and services [1].

Other nations have adopted similar frameworks, recognizing the competitive advantage CISA 2015 provides. Its potential expiration would not only weaken domestic defenses but also signal a decline in the U.S. model of cybersecurity collaboration. Reauthorization is widely supported across political lines, including from DHS Secretary Kristi Noem, who has emphasized the law’s role in strengthening public-private partnerships [1].

A straightforward reauthorization, with any necessary technical adjustments made over time, is the most viable path forward. The current framework has already demonstrated its value, preventing billions in potential losses and fostering a culture of proactive information sharing. In an era of increasing cyber threats from state-sponsored actors, ransomware gangs, and adversarial nations, maintaining this collaborative approach is more critical than ever [1].

The reauthorization of CISA 2015 is not a political issue—it is a national security imperative. Cyberattacks know no partisan boundaries, and the only way to counter them is through shared intelligence and mutual support. As former FBI officials have emphasized, the ability to act quickly on threat information depends on the willingness of businesses to share what they know. This principle has made American networks more resilient, and abandoning it now would be a costly mistake [1].

Congress must act swiftly to ensure the law’s continuation before the end of 2025. Failing to do so risks leaving critical infrastructure, businesses, and public health systems exposed to preventable cyberattacks. The time to act is now—before the next ransomware crisis becomes a full-blown national disaster.

Source: [1] Former FBI cyber leader: The cybersecurity law that’s quietly keeping America safe is about to expire (https://fortune.com/2025/08/17/former-fbi-cybersecurity-ransomware-law-expire/)


