Experts push for reauthorization of CISA 2015 before September deadline
On May 15, 2025, the House Committee on Homeland Security’s Subcommittee on Cybersecurity and Infrastructure Protection held a hearing on reauthorizing the Cybersecurity Information Sharing Act of 2015 (CISA 2015), a popular cybersecurity initiative that is set to expire in September.
CISA 2015 establishes a legal framework that allows private companies to report cyberattacks to the federal government in exchange for liability protections. Experts argue that incentivizing private companies to share cyberattack information makes our nation’s cybersecurity efforts stronger.
“Any lapse in CISA 15 would create significant uncertainty, weaken the U.S. cybersecurity posture, and undermine a decade of progress in building trust between national security, law enforcement, critical infrastructure owners and operators and others in industry,” testified John Miller, Senior Vice President of Policy and General Counsel at the Information Technology Industry Council (ITI).
Chairman Andrew Garbarino (R-NY) emphasized that without the safeguards provided by CISA 2015, “we can be certain that our nation would be more vulnerable to cyber threats.”
Evolutions in cybersecurity since 2015
Cyber threats have evolved significantly since 2015. New threats include AI-powered attacks, ransomware, supply chain infiltration, and increasingly sophisticated state-sponsored campaigns.
“Nation state actors are conducting relentless cyber operations against our critical infrastructure, banking systems, communication networks, energy grids, and government agencies,” warned Karl Schimmeck, Executive Vice President and Chief Information Security Officer of Northern Trust. “These attacks are not just attempts to steal data. They are designed to disrupt, destabilize, and undermine confidence in our institutions.”
Clean reauthorization vs. improvements
While all witnesses agreed that CISA 2015 must be reauthorized before September, there was debate over whether to pass a “clean” reauthorization or make improvements to the law.
Katherine Kuehn, CISO in residence at the National Technology Security Coalition, recommended “a reauthorization cleanly and then look at how we optimize and look at things down the road for a couple reasons. We’re at the beginning of AI. We’re still trying to figure out some things regarding the different types of attacks.”
Ranking Member Eric Swalwell (D-CA) expressed similar caution: “I am a little hesitant to want to amend this at all at this point, at this late hour, risking that opening this up would not see it reauthorized.”
However, Rep. Andy Ogles (R-TN) and others suggested that the law should be improved to address emerging threats, particularly in the realm of artificial intelligence.
What happens if CISA 2015 isn’t reauthorized?
Witnesses were unanimous in warning about the consequences if Congress fails to act. Miller predicted “an immediate chilling effect” on information sharing.
Schimmeck added that without reauthorization, “firms would immediately hesitate. There’d be uncertainty in what would be shared. Things would slow down. The other thing is you would very much be locking out the small and medium sized businesses and companies and vendors.”