Expiration of Cyber Information-Sharing Act Leaves U.S. Vulnerable
October 1, 2025 – Published on The Wall Street Journal
The collapse of congressional efforts to renew decade-old legal protections for sharing cyberattack intelligence between the private sector and the U.S. government leaves a dangerous gap in the nation’s cybersecurity defenses, experts say.
The 2015 Cybersecurity Information Sharing Act, or CISA—which expired early Wednesday after weeks of partisan gridlock and amid a government shutdown—sought to encourage organizations to provide information on new threats to cybersecurity teams in Washington. Among other protections, the legislation set guardrails to shield companies from antitrust and liability charges.
Sharing cyberattack data is seen as a core strategy for preventing Chinese, Russian and other state-sponsored hackers from burrowing deeper into U.S. infrastructure. Without legal protections, private-sector companies are now more likely to withhold critical attack information, leaving potential vulnerabilities exposed.
The loss of information-sharing protections comes amid a broad-based pullback on federal oversight, including staff cuts at the Cybersecurity and Infrastructure Security Agency. It also follows a shift in federal responsibility for infrastructure defenses to state and local governments. In the months ahead, some states may even be prompted to create their own CISA-like programs.
Yet any shift in oversight “would likely create compliance confusion and slow progress as teams realign, eventually rippling into the private sector,” said Jean-Paul Bergeaux, chief technology officer for federal programs at GuidePoint Security.
Over time, any security gaps “could be exploited by threat actors, undermining the broader cybersecurity ecosystem that CISA has helped strengthen,” Bergeaux said.