
Will Congress Allow One of the Nation’s Critical Cybersecurity Laws to Lapse?

AEIdeas

December 18, 2025

On October 1, the 2015 Cybersecurity Information Sharing Act (CISA 2015) silently lapsed at the beginning of the government shutdown. With it no longer active, we lose a crucial information-sharing structure between private industry and government, which makes the United States more vulnerable to malicious actors. CISA 2015 provided legal and antitrust protections, as well as protection from FOIA requests, that upheld national security interests. However, because politicians have conflated CISA 2015 with the Cybersecurity and Infrastructure Security Agency (CISA), the reauthorization process for the legislation has come to a halt—and not reviving CISA 2015 is bound to have grave impacts.

Below are highlights from my conversation with Venable’s Caitlin Clarke, Advanced Cyber Law’s Cristin Flynn Goodwin, and CSIS’s James Andrew Lewis. With their decades of experience in cybersecurity—including participation in some of the foundational legislation on the issue—they explain the current state of CISA 2015, offer a deep dive into CISA 2015 and CISA the agency, and share their suggestions for what should happen next.

Below is a lightly edited and abridged transcript of our discussion. You can listen to this and other episodes of Explain to Shane on AEI.org and subscribe via your preferred listening platform. If you enjoyed this episode, leave us a review, and tell your friends and colleagues to tune in.

Shane Tews: Can you start us off by updating us on what is going on with CISA 15, the Cybersecurity Information Sharing Act of 2015, and its reauthorization?

Caitlin Clarke: We can all agree that cyber threats from foreign adversaries or financially motivated criminal actors pose a serious and growing challenge. Actors are exploiting vulnerabilities at a faster pace than ever before. And with threat actors beginning to embed artificial intelligence into their operations, this pace is only going to increase.

In 2024, Microsoft reported that their customers faced 600 million attacks daily from cyber criminals and nation-state actors. In 2025, CrowdStrike reported a 150 percent increase in China-nexus activity across all sectors from 2024 over 2023. And according to Dragos’ 2025 OT cybersecurity report, cyber criminals are responsible for thousands of attacks on industrial organizations a year, with around 75 percent of those attacks resulting in some disruption to operations, and 25 percent of those attacks resulting in full operation shutdown. Now, I am not only a cybersecurity professional, I’m a mom of three.

And I was reading just this morning in the newspaper about a school system that was shut down because of a cyber attack. I don’t know about you, but if I had my three children home today because of a cyber attack, I wouldn’t know what to do with them. And that’s just a basic thing that we face across this country every day. And I think it’s really important to delineate between the Cybersecurity Information Sharing Act of 2015 and the Cybersecurity and Infrastructure Security Agency, which is housed within DHS.

The Cybersecurity Information Sharing Act of 2015 protections, which you described as some of the liability protections from disclosure, from regulatory action, from being involved in the FOIA process, those do not expand the Cybersecurity and Information Security Agency’s authority or mandate any new reporting. Instead, it’s a framework which established that companies who choose to share cybersecurity threat information can do so responsibly and without fear of legal repercussions.

This voluntary exchange of timely data allows organizations, both within the US government and private sector, to identify attacks sooner, limit their spread, and strengthen defenses across sectors. Allowing these protections to lapse just introduces unnecessary risk. It adds friction and delay in information sharing. Indicators of compromise or indicators of attack could arrive to companies too late or not at all. Nation state actors could operate longer without detection. Our collective visibility into new or ongoing cyber campaigns would be degraded. And the result just weakens resilience at a moment when cyber attacks are increasing in speed and scale across all sectors of the US economy.

The lack of reauthorization of CISA 2015 poses some serious concerns. If you were in a company in this position, what would you advise them to do?

Cristin Flynn Goodwin: First, you’ve got to go back and look at all of your information sharing contracts, because in any cybersecurity contract that’s been written since this legislation, I’ve noticed there’s a real trend to incorporate the definitions of CISA 2015 and use those as the foundation for protecting information. Those may not be sustainable. So, you’ve got to go back and revisit your contracts and make sure you’ve got some sort of a rider or amendment that continues to protect information and sharing information, should the legislation fall away. You need some additional defenses.

Second, you’ve got to make sure they’re removing personal or proprietary information unless it’s necessary and approved by counsel. Because if you lose that protection and that gets exposed, then the privacy pieces that were not there back in 2012, 2015, now carry much higher risk and exposure to your company and to the frontline TI teams.

Third, you’ve got to make sure you’re using trusted platforms with strong governance. Because when you’re sharing information, if you’re doing it in an open Slack channel, and there’s other people in it, and you’re not clear on the rules of the road of how you’re sharing, that information can propagate. And again, you’re back in European privacy jail. You’re not sure about how that information is being used, so you’re running into problems with other legal regimes.

And then fourth, document every sharing decision. This is one that’s hard for incident responders and threat intelligence teams, because that’s not the way that the community evolved. But if you don’t have these protections in place, suddenly, the discoverability of what you have is different. And so you’ve got to make sure that you’ve got something there that proves who you shared with, Colonel Mustard in the library with the candlestick. So having that documented and working with counsel is important, because that blanket protection that you had company to company, is going to be gone.

Now, on the industry-to-government side, things are still pretty much the same for now, in that those protections are in place. So, it’s information giving: whatever you give to CISA, they still have the legal right to distribute as they choose. That hasn’t changed. But once that goes away, then you must remember that that authority is gone. The information distribution right that they have is then changed. So go back and look at where CISA’s authorities were before that legislation came to pass and think about that.

Do you think that we need to change the legislative language in CISA 2015 to move on?

James Lewis: The part there is that, as always, the more tech neutral you can make it, the better. So AI, for example, is in some of the bills that are floating around now, which is good. But the basic problem, can I share information with a federal agency about a potential crime or a potential source of liability? Those protections don’t have to be tech specific.

And I think the original bill was pretty good that way that we got it. It was hard to get this bill passed in 2015. But if you need to add things like artificial intelligence, and I know that certainly I think the Homeland Security Committee bill has it in, it wouldn’t hurt. But the broad principles are unchanged. The broad protections need to be the same no matter what the technology is.

And one of the tensions in the original bill, and it still continued for a while, was, who do you call? Right? And do you call FBI, or do you call DHS? Do you call CISA? One of the things that’s changed since 2015 is, both agencies have gotten better at fielding those calls. And it’s not just your local FBI office good to involve, if you can. It’s the cybersecurity people here in Washington. CISA has a good structure there.

So, the complaint was always, well, I’m told I have to call 17 different agencies. Honestly, you don’t anymore. If you are comfortable just calling CISA, call CISA and let them know, and they’ll have good advice. If you can cover it, call FBI as well, so that you’re covered on the criminal side. A lot of the issues we’re seeing in the bill renewal are issues that were the issues of 2015, and we’ve kind of fixed them. So maybe it’s time to move on.