Critical cybersecurity protections for American businesses have disappeared in the throes of congressional gridlock – leaving the private companies vulnerable to legal exposure when sharing vital threat intelligence with the federal agencies. The expiration is a major setback in national cybersecurity coordination efforts at a time of rising cyber threats from foreign enemies and criminal enterprises targeting critical systems infrastructure.
Congress Gridlock Kills important Cybersecurity
The current government shutdown has had reverberating effects beyond normal Federal operations and has upset much-needed cybersecurity frameworks that safeguard American businesses and infrastructure. Congressional leaders were unable to agree on funding initiatives that would have ensured essential legal safeguards on the collaboration of the cybersecurity of the private sector with government agencies.
Without legal protections, industry experts predict, information sharing will be greatly curtailed by companies, with the potential for dangerous intelligence gaps in national cybersecurity defenses. The lack of these protections causes corporate legal departments to reconsider their assumptions about calculating risk when it comes to whether to share sensitive threat data with federal partners.
Private companies used to have full legal protections for sharing cybersecurity information with others in good faith, such as the ability to avoid being sued, antitrust action, and to be protected from disclosing information under the Freedom of Information Act. These protections facilitated speedy information-sharing that assisted in computer cyberattacks circulating through multiple organizations and vital infrastructure sectors.
Cybersecurity Information Sharing Act expires on October 1
The Cybersecurity Information Sharing Actย of 2015 officially lapsed on October 1, 2025, eliminating a decade of legal frameworks that supported the cooperation between government and the private sector in the context of cybersecurity to expire. Senator Gary Peters and Senator Mike Rounds had introduced legislation in April to extend the law for ten more years, but reauthorizations went nowhere as political disagreements prevented them.
Senator Rand Paul blocks reauthorization efforts
Senate Homeland Security Committee Chair Rand Paul has consistently lobbied against reauthorization efforts, insisting that major changes be made to the legislation before he would support any reauthorization. His objections have held the law back from renewal in the face of bipartisan support from cybersecurity professionals and industry organizations across a number of sectors.
Senator Peters directly criticized Paul’s obstruction, stating, “There is only one person standing in the way” of reauthorization efforts to restore vital cybersecurity protections. Kentucky Republicans’ demands for changes have complicated what many saw as a routine legislative renewal of successful cybersecurity cooperation frameworks.
Impact on Information Sharing:
- Legal liability protections eliminated
- Antitrust lawsuit shields removed
- FOIA exemptions no longer available
- Corporate decision-making slowed significantly
Industry leaders predict a dramatic reduction in cooperation
David Kennedy from TrustedSec warns that companies will be sharing “much less data” because of liability issues, which can lead to fracturing relationships built over the past decade. Amy Shuart from Business Roundtable highlights this change from cybersecurity officials to legal experts that will cause delays in response times to threats.
Weakened defenses increase in the presence of cyber threats
The expiration date of the law coincides with unprecedented problems with cybersecurity that American organizations are facing, including recent compromises of nine telecommunications companies by cyber-hackers with China-linked ties called Salt Typhoon. These attackers successfully intercepted audio from President Trump’s and former Vice President Harris’s communications during their campaign, showing extremely advanced foreign intelligence capabilities.
The lapse of America’s premier cybersecurity info-sharing law creates dangerous vulnerabilities in national cyber defenses at a time when threats are on the rise. While companies can still voluntarily share information, not having legal protections will likely decrease the level of cooperation, which could leave the organizations unprepared for sophisticated cyberattacks that could have been prevented with timely intelligence sharing.