Cyber info sharing ‘holding steady’ despite lapse in CISA 2015, official says

The sharing of digital threat information between the federal government and industry has remained consistent despite the expiration of a landmark cybersecurity law last month, a senior U.S. official said on Thursday.

“It’s holding steady right now,” Nick Andersen, executive assistant director for the cybersecurity division at the Cybersecurity and Infrastructure Security Agency, told reporters on the sidelines of the Palo Alto Networks Public Sector Ignite 2025 conference in Tysons Corner, Virginia.

That the cooperation continues “is a testament to CISA’s reputation that it’s built up and our ability to have long-term collaboration tools,” he added.

Andersen’s comments come roughly a month after the expiration of the 2015 Cybersecurity Information Sharing Act, which incentivized private entities to share threat data with the government with antitrust and liability safeguards. 

There has been widespread concern since the authority went dark that teamwork between the two sides would evaporate after years of incremental progress.

The House Homeland Security Committee advanced a bill to renew the effort last month and a short-term extension was attached to a stopgap government funding measure that eventually failed in the Senate and triggered the ongoing government shutdown. 

Earlier this month, Senate lawmakers introduced an updated renewal bill that would retroactively protect companies that share information during the shutdown.

Sen. Gary Peters (MI), the top Democrat on the Senate Homeland Security, and his colleagues have repeatedly gone to the Senate floor, including as recently as this week, for a quick voice vote to extend the 2015 law for 10 years only to be blocked by panel chair Rand Paul (R-KY).

Despite the ongoing cooperation, Andersen said the 2015 statute is “core and critical to us being able to accomplish our jobs and help manage risk more widely within the ecosystem.”

“We need a clean [reauthorization] for 10 years, just as we saw with CISA 2015, in order to be able to support the long-term mission success of CISA as an agency.”

He stressed the ongoing work between the two sectors is “relationship-based and based on the need for operational imperative.”

“I hate to see what’s going to continue to happen, though, after we get past the shutdown and we start having these longer conversations with the vendor ecosystem,” Andersen told reporters.

Speaking at the conference earlier today, National Cyber Director Sean Cairncross described the 2015 statute as “vital.”

“It's a common-sense law,” he told the audience. “The White House is pushing for a 10-year, clean reauthorization of this authority. It's something that we want to see done. It's important to national security and it fosters the sort of collaboration, not only amongst the private sector, but between the public and private sector that's vital.”