Claroty Nexus contributor Megan Stifel, Chief Strategy Officer of the Institute for Security and Technology, writes about the upcoming expiration of the Cybersecurity Information Sharing Act of 2015 (CISA '15). She urges Congress to reauthorize CISA '15 because failing to do so will put national security and personal privacy at risk, and threaten innovation.
Risk Management
Cyber Resilience
Healthcare
Industrial

Reauthorization of CISA ’15: 10 Years Later, New Threats, Exigent Urgency

Megan Stifel
Sep 15, 2025

In the waning days of 2015, Congress passed—and then President Obama signed—the Cybersecurity Information Sharing Act of 2015 (CISA ’15), in order to improve and incentivize the sharing of cyber threat indicators and information about defensive measures taken against cyber threats between public and private sectors. 

CISA ’15 came just 18 months after a U.S. federal grand jury indicted five members of the Chinese People’s Liberation Army (PLA) for violations of the Computer Fraud and Abuse Act, the Economic Espionage Act, and other offenses. From 2006 to 2014, these actors were alleged to have targeted six victims in U.S. nuclear power, metals, and solar power industries—maintaining unauthorized access, stealing trade secrets, and accessing highly sensitive communications.

In the 10 years since its passage, we have seen an evolution in the cyber threats facing our nation. In addition to the data breach focus expressed by the Congressional Research Service and the Executive Branch’s state-sponsored espionage concerns of 2015, today’s ransomware, data breaches, and new threats to U.S. critical infrastructure put individuals, businesses, society, and national security at even greater risk. In short, when it comes to protecting the confidentiality and availability of personal health and financial information, R&D and other intellectual property, and our lifeline critical infrastructure, the stakes are even more urgent.


Yet because of its 10-year authorization, CISA ’15 will expire on Sept. 30 unless Congress reauthorizes it. Failure to reauthorize the Cybersecurity Information Sharing Act of 2015 would significantly compound collective risk and undermine national security by eliminating one of the few effective incentives helping to protect the digital systems we depend upon as a nation.

CISA '15 Born of Nascent Digital Threats

2015 saw a cybersecurity landscape on the precipice of change. Retailers such as TJ Maxx, Home Depot, and Target suffered data breaches that exposed personal financial records of tens of millions of households across the country. The average cost of a cyber incident also started to steadily increase—jumping from $11.6 million in 2013 to $12.7 million in 2014. The Congressional Research Service, tasked with analyzing legislation to facilitate cybersecurity information sharing, found that the cost to join a specialized information sharing organization was only $100,000 per year, an amount that pales in comparison to the cost of a data breach. They further observed “[i]t would seem that companies could increase their cybersecurity at relatively little cost by sharing information about cyberattacks.”

Today, the concerns about the confidentiality of intellectual property and financial records highlighted in the summer of 2015 have been joined by fears of lost availability from encryption-based attacks and public disclosures of sensitive data through data leaks. One particularly costly form of cybercrime—ransomware—utilizes a combination of these tactics to threaten the availability of information, post private information to data leak sites, and extort victims. Ransomware remains highly prevalent: payments in 2024 reached $813.55 million, a 35% decrease after topping $1 billion paid out in 2023, according to Chainalysis.

In addition to the skyrocketing costs of ransomware targeting large and small businesses alike, in early 2024 we learned that People’s Republic of China State-Sponsored Actors compromised and maintained persistent access to U.S. critical infrastructure through a campaign frequently referred to as “Volt Typhoon.” More recently, other actors also assessed to be affiliated with the PRC have been exploiting a vulnerability in the widely used SharePoint platform. Yet another PRC-linked group carried out the well-known 2023 Exchange Online compromise. And in recent weeks, in a first-of-its-kind advisory, the United States, along with 12 other partner governments, issued a cybersecurity advisory aimed at victims of “Salt Typhoon,” a campaign that targeted foreign telecommunications and Internet service providers (ISPs), as well as the lodging and transportation sectors. The advisory warned that this campaign may have gained access that could provide Chinese intelligence services “with the capability to identify and track their targets’ communications and movements around the world.”

CISA '15 Re-Authorization a 'No-Brainer'

In light of these alarming trends, reauthorizing CISA '15 should be a no-brainer: it helps improve cybersecurity by incentivizing information sharing with the shield of liability and privacy protections. As noted by the Congressional Research Service in 2015, CISA ’15’s provisions do not significantly increase costs to businesses or taxpayers. More recently, a July 2025 Government Accountability Office report found that “[p]olicies and actions implemented under the Cybersecurity Information Sharing Act of 2015 have positively contributed to the sharing of cyber threat information between federal and nonfederal entities.”

Moreover, most of the concerns surrounding its initial passage did not materialize. In debate over the Act, privacy advocates raised concerns about the types of information it covered, fearing that personal information unrelated to cybersecurity could be shared broadly and used for purposes well beyond cybersecurity. They also worried that the Act would usher in additional government information collection.

In response to these concerns, CISA ’15 requires the Departments of Justice and Homeland Security to develop implementation guidance, which has helped allay privacy advocates’ fears. The Act also requires reporting every two years by the Inspectors General of the Intelligence Community and the Departments of Commerce, Defense, Energy, Homeland Security, Justice, and Treasury. Their reports have not recommended any actions, indicating that the Executive Branch has not abused the authorities the Act granted. Of specific note, the most recent report found that the reviewed agencies “did not need to take steps to minimize adverse effects on the privacy and civil liberties of U.S. persons from activities carried out under the Act because there were no known adverse effects.”

In practice, CISA ’15 should be seen as essential to protect American innovation and consumer privacy. While threat actors’ tactics, techniques, and procedures (TTPs) have evolved since CISA ’15’s first passage, their targets remain largely unchanged: criminal groups seek information they can monetize on the dark web, while nation states look to leapfrog U.S. technological dominance by stealing intellectual property and gaining access to lifeline infrastructure, likely to hold it—and us—at risk. 

Information about these incidents and associated TTPs is critical to apprehending the perpetrators and preventing the next compromise of high value R&D, sensitive personal information, and our critical infrastructure. CISA ’15 has provided incentives to spur this sharing and a market to support it; it is a successful example of American innovation. 

As the capability and deployment of artificial intelligence continues to expand, its use in implementing CISA ’15’s objectives will accelerate our ability to shut out these threat actors and limit the prevalence of software vulnerabilities they all too often exploit. Far from a liability, CISA ’15’s reauthorization will enable greater opportunities to leverage AI in support of cybersecurity, which benefits the entire innovation ecosystem. 

Without the ability to correlate and cross reference incidents across victims and sectors, the network defenders who toil daily to keep malicious actors out of our public and private sectors will be blind, leaving all of us exposed and our national and economic security at greater risk. 

Failure to reauthorize CISA ’15 will cost industry and taxpayers too much—we will place at even greater risk opportunities for innovation and our own personal privacy. Congress should act immediately to reauthorize CISA ’15 and ensure we don’t give malicious actors a payday that Americans cannot afford.

Megan Stifel
Chief Strategy Officer, Institute for Security and Technology

Megan Stifel has worked at the intersection of national security, law, and technology for more than two decades. She is currently the Chief Strategy Officer at the Institute for Security and Technology, where she also serves as Executive Director of the Ransomware Task Force. Megan previously served as a Director for International Cyber Policy at the National Security Council and in the US Department of Justice as Director for Cyber Policy in the National Security Division, as well as in the Criminal Division’s Computer Crime and Intellectual Property Section. She also worked for the US House of Representatives Permanent Select Committee on Intelligence. Megan is a Member of the Aspen Global Leadership Network and a Fellow at the National Security Institute.
