Just after midnight on October 1, one of America’s most important cybersecurity statutes quietly expired. The Cybersecurity Information Sharing Act (CISA), enacted in 2015 to enable real-time threat data exchange between the private sector and the US government, was allowed to lapse without renewal.
The silence surrounding this moment belies its significance. In an era when cyberattacks are disrupting hospitals, hijacking pipelines, delaying travel times, accessing critical infrastructure and probing defense networks daily, the expiration of CISA is not a routine legislative oversight. It is a strategic vulnerability.
CISA was never itself a cure-all, but it was a vital foundation. The law offered liability protection for companies that shared cyber threat indicators with federal agencies. This created a two-way pipeline for intelligence that allowed defenders to detect, understand, and counter threats faster.
That legal clarity and safe harbor were absolutely essential. Without them, many organizations, particularly in critical infrastructure sectors, will now hesitate to share what they know, and when they know it. In the hands of adversaries, even a few hours’ delay in detection can mean the difference between containment and absolute catastrophe.
A Perfect Storm of Risk
Honestly, the timing could not be worse. Nation-state actors are deploying increasingly sophisticated tools, especially with the proliferation of AI technology, and ransomware groups are acting more like state proxies than criminals. At the same time, the United States is facing a historic shortage of cybersecurity talent. More than 500,000 positions currently remain unfilled. This is a shortfall that affects every layer of our defense posture, from vulnerability management to incident response. It is critical that we fill this shortfall quickly and with the best candidates suited for the work.
When you combine these factors, shrinking visibility due to reduced information sharing and diminished capacity due to workforce gaps, the risk for our nation’s critical systems becomes exponentially higher.
Rebuilding the Shield
The path forward is clear but requires urgency and coordination. Congress should move quickly to reinstate and modernize CISA’s authorities, ensuring that liability protections and information-sharing frameworks reflect the realities of today’s threat landscape. At the same time, we must treat cybersecurity workforce development as a matter of national security, with targeted investments, public-private partnerships, and innovative training models that bring new talent into the field at scale. This process is further hindered at the moment by the current government shutdown, which will leave us even more vulnerable while it continues.
Cyber defense is not the responsibility of any one agency, company, or sector. It is a shared mission. Allowing key legal frameworks to lapse at a time of escalating risk sends the wrong signal to our allies, our industry partners, and most importantly, to our adversaries.
The expiration of CISA should not be the end of the conversation. It should be the start of a much broader, more strategic effort to strengthen the connective tissue of America’s cyber defenses before the consequences of inaction become impossible to ignore.


