Lawmakers sound alarm over lapsed cybersecurity law
WASHINGTON — On and off Capitol Hill, those watching cybersecurity worry the lapse of two key federal programs will discourage information sharing between companies and the federal government, leaving an opening for a cyberattack. And if an attack occurred, the nation’s cybersecurity agency’s shutdown staffing level might not be sufficient to face it head-on.
As government funding expired, so too did the 2015-era law known as the Cybersecurity Information Sharing Act, or CISA 2015, and the State and Local Cybersecurity Grant Program. On top of those expirations, the Homeland Security Department’s Cybersecurity and Infrastructure Security Agency has been operating with a fraction of its workforce since appropriations lapsed last week.
Sen. Gary Peters of Michigan, the ranking Democrat on the Senate Homeland Security and Governmental Affairs Committee, introduced a bill earlier this week that would reauthorize the CISA law for 10 years with a provision to make its protections retroactive to Oct. 1, when the law lapsed.
“Without these protections in place, we are [in an] incredibly vulnerable position. I believe that our national and economic security are at risk for as long as these safeguards are not available,” Peters told reporters.
Information-sharing protections
CISA 2015 created liability protections, including from antitrust law, for companies sharing indicators of a cyber-threat with the federal government or with each other. The law also exempted the information from public disclosure under the Freedom of Information Act or similar state or local laws. Those protections lapsed when the law was not renewed.
Republicans’ House-passed continuing resolution contains an extension of the law through the length of the CR, which would give lawmakers just weeks to act again on information-sharing protections. The Democratic-led CR contains a similar provision to extend the program through the end of October.
Peters said he’s heard support from “key stakeholders, including the Trump administration,” for a “10-year, clean reauthorization” rather than a short-term fix.
“You can’t operate with just a few-week patch, then another few-week patch. That’s no way to run a business. It’s no way to run a sophisticated cybersecurity operation. You need to have … some certainty, and that’s why the 10-year bill is critical.”
A Republican aide with the House Homeland Security Committee, speaking on condition of anonymity, pressed the need for the Senate to pass the CR and “ensure that CISA 2015 authorities are reauthorized.”
Peters’ new reauthorization bill would also rename the law the “Protecting America from Cyber Threats Act,” ending matching acronyms between the information-sharing law and the DHS agency. Sen. Mike Rounds, R-S.D., co-sponsored the measure.
Peters said he’s heard Senate Homeland Security Chair Rand Paul, R-Ky., conflate CISA 2015 with the DHS agency, which some Republicans accuse of interfering with free speech.
“There are some of my Republican colleagues who have some concerns about CISA as the agency. And I remind them, this is not about the agency,” Peters said.
Since the middle of September, Peters has sought unanimous consent four times that the Senate proceed to consideration of a previous bill that would renew the law for 10 years. Sens. Ruben Gallego, D-Ariz., and Angus King, I-Maine, have also asked for the Senate to proceed to the bill. Paul has repeatedly objected, with Sen. James Lankford, R-Okla., objecting once as well.
In mid-September, the Senate Homeland Security panel canceled a planned markup that Peters said was scheduled to include reauthorization of CISA 2015. Paul’s office did not respond to a request for comment.
Despite Paul’s objections on the floor, Peters is confident that reauthorization would be popular on a bipartisan basis.
In early September, the House Homeland Security Committee voted to advance a bill, sponsored by Rep. Andrew Garbarino, R-N.Y., that would have extended cyber information sharing for 10 years with minor changes, including stipulating that procedures for information sharing must allow for real-time communication of threat indicators and defensive measures and be consistent with the protection of classified information.
The Republican aide said the bill also would make changes to define critical infrastructure and artificial intelligence, as well as require the federal government to provide technical assistance to companies on a voluntary basis.
Likely impacts
Michael Daniel leads the Cyber Threat Alliance, a membership organization for companies to share cyber-threat intelligence. He said that so far, the group hasn’t detected any changes in information sharing, but he wouldn’t have expected any so soon after CISA 2015 expired.
Larry Clinton, leader of the Internet Security Alliance, agreed that he hasn’t seen much change yet, especially among large companies. But some organizations are starting to worry about regulatory fines or leaked information.
“We are hearing that there are spaces where corporate attorneys are . . . getting much more involved in these conversations than they had been,” he said.
Daniel said that in private sector sharing like what his organization facilitates, FOIA requests are less of a concern, but “what is a concern in many of the cases is antitrust protection, and particularly if you’re talking about companies in the cybersecurity industry sharing information with each other.”
Both Daniel and Clinton favor some modernizations to CISA 2015, particularly to the definition of a cyber-threat indicator, which could potentially be negotiated during a two- or five-year extension. Daniel would like to see that definition include threats to supply chains or indicators related to artificial intelligence.
Clinton would like to see incentives for companies to share information about single points of failure in their systems, which could lead to damage not just in attacks but in accidental cyber-incidents.
“They are, in fact, systemic threat actors. But they’re not defined that way in the 2015 act.”
Outside of a potential short extension if a CR passes, it’s not yet clear how a longer CISA 2015 reauthorization would move toward passage.
Peters mentioned “procedures” to get a 10-year renewal to a vote on the Senate floor, but didn’t offer specifics. The Republican aide said that House committee staff have an “active working relationship” with Paul’s team but might see “differing paths forward” on CISA 2015.
Daniel said that other than the short-term extension in the CR, “there’s not a clear path forward in terms of another vehicle that you can do a legislative update to CISA on.”
The ranking member on the House Homeland panel, Rep. Bennie Thompson, D-Miss., bemoaned cybersecurity not being higher on the Republican majority’s priority list, despite bipartisan support.
“Republicans control the House, Senate, and White House — they could have gotten CISA 2015 and SLCGP reauthorizations passed if they cared more about protecting Americans from cyber attacks from China than lining the pockets of billionaires,” he said in a statement.
State and local grants
The information-sharing law’s expiration coincided with that of the CISA agency’s program to give state and local governments cybersecurity grants.
A House Democratic staffer who spoke on condition of anonymity said that in Republican and Democratic states the program has been “enormously successful” in reducing the risk of cyberattacks.
“That’s what keeps services for everyone’s constituents up and running,” they said, including hospitals and water.
Daniel laid out how a cyberattack can affect an entire community: if a school system is attacked with ransomware, he said, kids can miss school, which in turn can lead parents to miss work.
“You can’t get city services if your city government is shut down,” he said.
The House Homeland Security Committee voted in September to approve a bill, sponsored by Rep. Andy Ogles, R-Tenn., that would have reauthorized the program for 10 years and allowed grants to go to state and local governments that are using AI systems.
Daniel said it would be difficult to point to specific causality between the lapse of the program and individual cyberattacks on local governments, but he thinks governments would feel the lack of the funds “remarkably quickly.”
The Republican committee aide said that there are “various paths” toward renewing the program, including adding it to larger legislative vehicles.
Furloughs at CISA
While the federal government is partially shut down, the CISA agency is operating at a lower staff level than usual. According to DHS’ shutdown plan, the agency had just over 2,500 employees at the end of May, but will operate with fewer than 900 during the lapse in appropriations.
The Democratic staffer said the agency is in “shambles” and that it’s not clear to Congress who has been affected by layoffs earlier this year.
Daniel said the agency might not currently have the staff to respond to a major cybersecurity incident.
“You’re talking about an agency that’s really sort of operating at a bare bones kind of level,” he said, adding that “these are threats that don’t tend to take a break.”
Peters is concerned about the lapsed programs and cuts at CISA.
“Every day that goes by, I become increasingly concerned about the vulnerabilities that we face from cyberattacks, and I’m very fearful we could face a major cyberattack during this period.”
_____
©2025 CQ-Roll Call, Inc. Visit at rollcall.com. Distributed by Tribune Content Agency, LLC.