
National Cyber Defenses at Risk as Key Programs Expire Amid Government Shutdown

8 October 2025 at 12:43

OPINION — Ransomware attacks conducted by criminals are persistently hitting airports, schools, and 911 dispatch centers, while foreign adversaries probe our critical infrastructure every day. Yet, two programs designed to build national cyber readiness to combat these threats — one that underpins public-private threat sharing, the other that builds local cyber defenses — have now expired. Congress’s inaction amid the government shutdown has left a widening gap in America’s cyber defenses.

Nearly a decade ago, Congress passed the Cybersecurity Information Sharing Act of 2015 (CISA 2015) to encourage private companies and government agencies to voluntarily share cyber threat indicators. The law officially expired on September 30. It was a bipartisan response to rising state-sponsored hacking campaigns, and it provided a legal framework — and protections — that still govern how threat data flows across public and private networks today.

This legal framework supports everything from classified alerts and incident reports to real-time information exchange across sectors like energy, transportation, and healthcare. Without it, experts warn that information sharing between companies and the federal government could drop by as much as 80 percent, severely degrading national cyber situational awareness.

Before the shutdown, steps toward a full reauthorization were underway, with bipartisan support in both chambers – but the process has now stalled entirely. One proposal, however, threatened to undermine the goals of the law. Senate Homeland Security Committee Chair Rand Paul’s (R-KY) version of CISA 2015 renewal would gut key legal protections — including liability and FOIA safeguards — and inject surveillance-related restrictions that have no place in cybersecurity law. His version would kill the trusted framework that enables timely, voluntary sharing of threat intelligence data, not improve it.

A more responsible path is already on the table. In early September, the House Homeland Security Committee Chair, Representative Andrew Garbarino (R-NY), introduced the Widespread Information Management for the Welfare of Infrastructure and Government Act, which would reauthorize CISA 2015 for ten years. It also includes a new outreach mandate to ensure that small and rural critical infrastructure owners and operators understand how to participate in information sharing efforts.

Meanwhile, the second program that expired is the State and Local Cybersecurity Grant Program (SLCGP) created through the 2021 bipartisan infrastructure law. Unlike CISA 2015, which supports federal-private coordination, this program was designed to build basic cyber capacity at the state and local level. It pushed state and local governments to create cybersecurity plans, conduct assessments, and adopt best practices – and provided the funding to put those plans into action. For many jurisdictions, this was their first real investment in cyber defense.

So far, the program has backed over 800 projects across 33 states and territories, totaling $838 million. In Utah, grant-funded tools helped stop a ransomware attack on a major airport and a 911 emergency dispatch center. In Maryland, it funded coordinated efforts across 40 counties. The program is not perfect — uneven cost-sharing requirements and bureaucratic restrictions limit its reach to smaller communities. But the results are clear: state officials say these projects “would not have been possible” without the SLCGP funding. This focus on state and local leadership on cybersecurity readiness is exactly what President Trump called for in his May 2025 Executive Order.


With the SLCGP expired as of August 31, that momentum is now in jeopardy. Without new funding, states and municipalities — especially those without dedicated cybersecurity teams — will be forced to pause cybersecurity initiatives. The result is not just slower progress, but a direct weakening of our national cyber posture. Alongside Rep. Garbarino’s bill, Representative Andy Ogles (R-TN) introduced the Protecting Information by Local Leaders for Agency Resilience Act, which would reauthorize SLCGP for ten years. But the bill lacks a dedicated funding amount.

A robust reauthorization of the SLCGP must do more than simply extend the program on paper. It must ensure sufficient, stable funding over the next decade, remove restrictions that prevent states from using funds for widely relied-upon cybersecurity services, and lower cost-share requirements for small and rural jurisdictions. The “whole-of-state” model — in which state agencies coordinate shared services for local governments — must be preserved and expanded.

The House had done its part, passing both ten-year reauthorizations with bipartisan support and including temporary extensions in the continuing resolution. But the Senate failed to act, leading to an immediate lapse. Unless both measures are included in the National Defense Authorization Act for a full, long-term extension, progress will stall. Anything less is a failure to defend the American people where the threat is already inside the wire — and would amount to more collateral damage from the shutdown.

The Cipher Brief is committed to publishing a range of perspectives on national security issues submitted by deeply experienced national security professionals.

Opinions expressed are those of the author and do not represent the views or opinions of The Cipher Brief.


As Cyber Threats Grow, the Clock Ticks on a Critical Cybersecurity Law

18 September 2025 at 18:42


DEEP DIVE – The onslaught of cyberattacks against the U.S. and U.S. businesses has not let up and the clock is ticking on reauthorizing a new bill that - if not renewed - will make it even harder to defend against the threat.

The Cybersecurity Information Sharing Act (CISA), a cornerstone of U.S. cybersecurity policy passed in 2015, now faces expiration on September 30, unless Congress renews it. The legislation facilitates the sharing of cyber threat intelligence (CTI) between the federal government and the private sector. It specifically provides legal cover to companies that voluntarily share threat information, encouraging collaboration and transparency without fear of regulatory or legal consequences. The faster, free exchange of information enables better detection of cyber threats, say experts, quickening response and recovery time after an attack.

In August, the FBI released a warning about two hacker groups targeting Salesforce platforms to access sensitive customer data. Over 700 companies are believed to have been affected so far. Other attacks continue to plague utilities, critical infrastructure and businesses across the private sector, with experts warning there will be no letup any time soon.

There is wide consensus on the law’s importance. The House of Representatives is considering the Widespread Information Management for the Welfare of Infrastructure and Government (WIMWIG) Act, which calls for the reauthorization of CISA 2015 for another decade.

The White House has also signaled that it is a near-term priority. National Cyber Director Sean Cairncross said earlier this month, “This law galvanized our collaboration a decade ago, and the White House understands the advantages and liability protections this legislation provides.” He added that he is “actively working” with Congress on reauthorization.

House Republicans have included a short-term extension of CISA 2015 in a stopgap government funding bill that would sustain the law through November 21, giving a little more time to finalize longer-term reauthorization.


A Pillar to Public-Private Collaboration

A number of notable cybersecurity experts with experience spanning multiple administrations noted at this week’s Cyber Initiatives Group Fall Summit that the measure is critical to U.S. cybersecurity. Executive Assistant Director for Cyber at CISA, Nick Andersen, described the legislation as “foundational” for information sharing. He warned that without the liability protections provided under the law, private companies may hesitate to share critical threat intelligence information with the government.

“[If] we’re not able to provide some assurance that somebody can share information with us, whether it is a threat indicator or as a defensive measure, that their exercise within their own environment … won’t expose them to regulatory or legal risk, that makes it a lot harder for us to all do our jobs,” Andersen said.

“Getting CISA 2015 reauthorized is such a key priority for us as an agency and should really be a priority for all of us interacting with the critical infrastructure owner and operator community day to day,” said Andersen.

The bulk of the U.S. cyberattack surface is privately owned, leaving companies on the front lines of defense. Gloria Glaubman, who served as Senior Cyber Advisor at the U.S. Embassy in Tokyo, noted that “most of the target surface is owned by private industry… So they're the ones that first detect the state sponsored campaigns and we are relying on them to have robust security architecture.”

Experts also stress that private companies are often not equipped with the cyber expertise needed to respond quickly enough to an intrusion. And the threats are getting even harder to spot. Speaking on threats from China, like Volt and Salt Typhoon, Glaubman noted: “They’re using legitimate tools, routers, vendor gear rather than noisy custom malware. And that’s completely different from what we’ve seen in the past, which allows them again to live off the land, which makes it hard to detect.”

Matt Hayden, former Assistant Secretary for Cyber, Infrastructure, Risk and Resilience Policy at DHS, said companies need to ask themselves: “Can they react when given nuanced threat intel dynamically, quickly … Can you actually generate a time to detect, a time to respond when provided with authentic CTI-based data on the enterprises you manage and control?”

“If we’re talking in days or weeks of CTI data being provided to a CISO, and they’re still checking patches and assessing their environment, they’re the ‘have nots’,” Hayden said. “You really have a preparedness challenge from the defender’s perspective.”

It is here that CISA 2015 comes in, say the experts, allowing private companies to share the needed information to enable the government to counter and publicize the threat.

Beyond Information Sharing

Experts say the conversation must extend beyond sharing threat intelligence to include rethinking how we view targeted companies. There are still fears that companies will be penalized for having systems that are vulnerable to cyber intrusions, which creates conflicting pressure that may stop them from sharing information with the government and asking for help. John Carlin, former Acting Deputy U.S. Attorney General, emphasized that when a U.S. company is targeted by a nation-state actor, “we must treat the U.S. company as a victim … but it is not baked into our legal regulatory framework.”

“It’s still too often the case that at the same time they’re getting help from some government agencies, others are looking to punish the victim,” Carlin said. “The cost of that in terms of impeding… sharing information is too high given the threat that we face.”

General Timothy Haugh (Ret.), former NSA Director and Commander of U.S. Cyber Command, argued during an interview at the summit that true cybersecurity resilience requires not just rapid information sharing but real whole-of-society cooperation. “We need to evaluate public-private partnerships not just by how much information is shared, but by how they make us more secure as a nation,” he said. “Where can industry receive assurances that if they collaborate with the federal government for a nation state hacking activity, how can they get some form of protection when they share that information that won't be used for a response from certain regulatory bodies?”

“There's that conversation not about information sharing as a metric,” Haugh said, “but as security of our nation and security of intellectual property, denial of foreign intelligence collection, and securing our critical infrastructure.”
