The Next Cyber Breach Will Not Wait: Why Congress Must Reauthorize CISA 2015

On Sept. 30, 2025, the Cybersecurity Information Sharing Act of 2015 (CISA 2015) will expire. For a decade, the statute has been the legal backbone of U.S. cyber defense, born from the high-profile breaches that shook U.S. companies and forced Congress to act. By creating a liability shield, CISA 2015 finally gave companies the reassurance to share threat data without fear of lawsuits. Without it, the United States risks sliding back into the pre-2015 world of legal uncertainty, ad hoc disclosures, and systemic blind spots, just as adversaries like China double down on espionage, ransomware, and supply-chain compromise.

Last week, on Sept. 3, the House Committee on Homeland Security unanimously advanced the Widespread Information Management for the Welfare of Infrastructure and Government Act (WIMWIG Act), introduced by Rep. Andrew R. Garbarino (R-NY), to reauthorize CISA 2015. The move rightly underscores the statute's central role in the United States' collective security. Its renewal is now headed to the House floor and then the Senate, an imperative step at a moment of escalating digital threats.

Yet reauthorization remains uncertain, clouded by debates over the law's institutional legacy, especially the performance of the Cybersecurity and Infrastructure Security Agency (CISA) and its controversial role in issues like countering disinformation. But conflating the statute with the agency would strip away the foundation that underpins the United States' cyber defense. History shows that without a firm legal framework, the United States enters the next phase of cyber competition disarmed.

The Long Road to CISA 2015

Before CISA 2015, private companies often hesitated to disclose threat indicators, such as malware hashes, malicious IP addresses, and details of exploited vulnerabilities, due to concerns about privacy statutes, antitrust exposure, and regulatory blowback. For years, lawmakers, industry leaders, and security professionals had circled around the idea of information sharing, but consensus never materialized. CISA 2015 changed that calculus.

It took nearly five years of failed proposals and political battles before Congress could pass an information-sharing law. Early efforts, beginning with the Obama administration’s 2011 proposal and the failed Cybersecurity Act of 2012, revealed the central fault line: balancing the urgency of countering state-sponsored cyber threats with deep civil liberties concerns about government surveillance. Congress wrestled with these tensions through repeated failures, even as high-profile breaches kept pressure mounting. Only then did a bipartisan consensus emerge. CISA 2015 was a compromise statute, reflecting both political stalemate and the pressing need to protect American businesses and critical infrastructure. Its sunset clause, which requires periodic reauthorization, was designed to ensure ongoing congressional oversight and to recalibrate the law in response to evolving threats.

By offering liability protection, CISA 2015 created a legal safe harbor for the voluntary exchange of technical threat data and indicators of compromise (IOCs) between the private sector and federal agencies through the Department of Homeland Security (DHS). The law assured companies that if they provided cyber threat information in good faith, they would not face civil or antitrust liability—a protection that encouraged information sharing that might otherwise have stayed siloed. This protection allowed government and industry to build a real-time picture of hostile cyber campaigns, making it harder for attackers to reuse the same tools across multiple targets.

In the fraught aftermath of the Snowden disclosures, the choice of DHS as the civilian gateway was not incidental. It signaled a deliberate effort to distance the program from the perception of funneling information straight into the National Security Agency’s (NSA’s) machinery. The act was, at its core, a trust-building exercise. CISA 2015 has since become the legal backbone of the United States’ information-sharing apparatus.

Its effects rippled outward. What began as improvised responses to high-profile breaches hardened into permanent structures, from Automated Indicator Sharing (AIS) to the creation of the Cybersecurity and Infrastructure Security Agency (CISA) in 2018, anchoring a more coordinated system of joint advisories, public disclosures, and integrated statecraft. This shift transformed an uneasy public-private partnership into one where state and industry now work in tandem to map, attribute, and disrupt cyber threats at scale. Both AIS and the agency have faced criticism over how participants are recruited, how many actually participate, and a decline in the volume of indicators of compromise shared. Nonetheless, they have been a necessary, albeit not sufficient, step toward a sustainable model of collective cyber defense.

It would be a mistake to let the law lapse because of criticisms of AIS and the CISA agency. History shows what happens when information sharing is left to chance: ad hoc fixes, missed warnings, and preventable breaches. From SolarWinds to the Microsoft Exchange exploits, ransomware waves crippling hospitals, and breaches of financial regulators and federal court systems, the lesson is clear: no institution is insulated from cyberattacks.

The Hard Lessons Behind CISA 2015 That Support Renewal

The case for renewing CISA 2015, now embedded in the WIMWIG Act, is not about bureaucratic housekeeping. It is about strategic survival in the era of great power competition with China, as well as strengthening cyber deterrence.

For more than a decade, Chinese cyber espionage has targeted American companies, government agencies, and even the media. Chinese operators have pillaged intellectual property, breached critical systems, and compromised sensitive data to fuel Beijing's industrial growth, military modernization, and its effort to control the narrative at home and abroad. More recent operations such as Salt Typhoon, which infiltrated major telecommunications companies to spy on American officials, and Volt Typhoon, which involved persistent intrusions into U.S. critical infrastructure, show the scale and sophistication of these campaigns. These activities remain a central instrument of Chinese statecraft.

Some of the landmark cyber incidents that shaped the CISA 2015 debate illustrate the indispensable yet fraught partnership between the U.S. government and the private sector in defending against foreign cyber threats—and how fragile cooperation can be without a legal framework. This was particularly clear in the campaigns tied to China, which repeatedly exposed both the United States’ vulnerabilities and Beijing’s strategic intent. Together, they set the stage for the compromises and hard lessons that culminated in CISA 2015.

CISA 2015 vs. China’s Cyber Playbook

In 2013, a classified Defense Science Board report revealed something staggering: designs for U.S. missile defense, combat aircraft, and naval systems had all been compromised—and stolen by China. The contractors were household names: Boeing, Lockheed, Northrop Grumman. The advantages for China were obvious: billions saved in R&D, a generational leap in weapons design, and a strategic edge in any future conflict. The Pentagon tried to adapt, launching pilot programs to give defense companies access to threat data. But as soon as prime contractors hardened their defenses, Chinese operators shifted to subcontractors—the softer targets in the supply chain. The lesson was again clear: without broad, bidirectional information sharing between government and industry, the United States would remain on the defensive.

In the years leading up to CISA 2015's passage, industry was reluctant to engage with law enforcement, wary of one-way information flows, fearing liability, and in some cases distrusting the government after the Snowden revelations. That uneasy dynamic reached a turning point in May 2014 with the indictment of five PLA hackers. For the first time, the Justice Department charged foreign military officers of an adversarial state with cyber-enabled commercial espionage. The case was only possible because private-sector victims shared evidence with the FBI and agreed to be named in a national security prosecution, a rare moment when corporate losses were converted into statecraft.

Meanwhile, private firms were also advancing rapidly in digital counterintelligence. In 2013, Mandiant's APT1 report had already laid bare the scope of Chinese operations, publicly attributing campaigns to the same PLA unit that was indicted a year later. The firm had shared its findings with the Justice Department before going public, as a courtesy rather than a necessity. The episode underscored that the private sector could often move faster and with fewer constraints than federal agencies to bring critical evidence into the public domain.

But even as these cases highlighted the potential for closer cooperation, they also revealed how uneven and fragile the system still was. That vulnerability came into full view with the 2015 Office of Personnel Management (OPM) breach. Between 2013 and 2015, Chinese hackers exfiltrated millions of federal personnel files, 5.6 million fingerprints, and the intimate details of security clearance forms—a counterintelligence jackpot. Earlier that year, the same threat actor, Deep Panda, had breached insurance giant Anthem and stolen personal information of 78 million customers, including defense contractors and government employees. Anthem notified and cooperated with the FBI about the breach, yet that information did not translate into a systematic increase in defenses across the government.

The OPM breach exposed a deeper vulnerability: the U.S. government was no better at defending itself than the private sector. OPM had treated the problem as an IT issue, not a national security threat, just as a corporation would. The aftermath forced a mindset shift. The incident put meeting basic cybersecurity standards on federal agencies' agendas. It also pushed the government to treat sensitive personal data as a national security matter, a movement that, a decade later, culminated in the DOJ's 2025 rule on this very issue. If the first half of the problem was the lack of trust needed for bidirectional information sharing, the Anthem and OPM incidents revealed the other half: even as the government demanded cooperation from industry, it lacked a system to put private-sector intelligence to use in its own defense.

In the run-up to CISA 2015’s passage, these Chinese campaigns stood out not only for their scale and brazenness, but also for the strategic lessons they forced on Washington about the limits of ad hoc cooperation on information sharing. Yet the high-profile threats were not limited to China. Other adversaries were pressing the issue as well.

The Sony Hack

North Korea’s 2014 attack on Sony Pictures drove that point home. Pyongyang unleashed destructive malware in retaliation for The Interview, a satirical film depicting an assassination plot against Kim Jong Un, raising uncomfortable new questions. A movie studio was not critical infrastructure, but the symbolism was unmistakable. North Korea had attacked a U.S. company to silence free expression.

The fallout exposed glaring gaps in U.S. cyber defense. Attribution was slow, fragmented, and contested. For weeks, the FBI struggled to marshal evidence while private experts doubted its conclusions. The White House scrambled to find proportionate responses. The eventual attribution was unprecedented. President Obama publicly blamed North Korea—the first time a sitting U.S. president formally had held another state accountable for a cyberattack on U.S. soil. The sanctions that followed marked another first: the use of economic coercion in response to a cyber operation.

Most importantly, the breach showed the private sector’s indispensable role. Sony was both victim and gatekeeper, holding critical forensic data the government needed to understand the attack. The FBI hailed the case as a “prime example” of cooperation, but the reality was ad hoc and fragile. Without liability protections and trust, such exchanges could not be relied upon.

The lesson was immediate. In his January 2015 State of the Union address, Obama urged legislation to let companies share cyber threat information with the government "without fear of lawsuits." Days earlier, the White House had released a legislative proposal with liability protections, bidirectional information flow, and privacy safeguards at its core. By year's end, after the OPM breach added urgency, Congress finally passed CISA 2015, the first durable legal framework binding the private sector into the nation's cyber defense.

A Strategic Choice: Why Continuity Matters

Allowing CISA 2015 to lapse would be a significant loss. CISA 2015 was born of hard lessons: sustained commercial cyber espionage against American companies, the frustrations of a private sector left to fend for itself, and the recognition that the government could not defend the digital domain in isolation. Only after its passage did cooperation become systematic rather than episodic. What had long been hesitant, ad hoc exchanges gradually hardened into consistent cooperation, building trust, creating institutional and cross-sectoral muscle memory, and giving the public-private partnership its first, and only, durable legal foundation. Failure to reauthorize CISA 2015 would not only undo this progress but also signal to foreign adversaries that the United States is retreating from collective cyber defense.

The threats ahead will not wait. Adversarial cyber campaigns are growing bolder, more disruptive, and more strategically calibrated. Time and again, incidents of high-stakes espionage and sabotage have shown that American corporations are not collateral damage but the front line of modern conflict. Ignoring those lessons now would invite more of the same vulnerabilities, on a larger scale and with even higher stakes.

CISA 2015 is not a panacea; it is a foundation on which effective cyber defense is built. Passing the WIMWIG Act to renew CISA 2015 is essential to secure the pillars of American security, economic prosperity, and technological superiority. Continuity of the act preserves the only proven bridge between government and industry, the bridge that history has shown to be indispensable in an era of great-power competition. It ensures that the United States does not stumble back into the blind spots and vulnerabilities of the pre-2015 world. The real question now is whether Washington will choose resolve or risk signaling retreat at precisely the wrong moment.

The post The Next Cyber Breach Will Not Wait: Why Congress Must Reauthorize CISA 2015 appeared first on Just Security.