OPINION / EXPERT PERSPECTIVE — The clock is ticking toward September 30, 2025, when one of America's most vital cybersecurity protections will expire unless Congress acts. The Cybersecurity Information Sharing Act of 2015 (CISA 2015) has quietly become the backbone of our nation's cyber defense. Without creating any additional regulations, it enabled the rapid sharing of threat intelligence between government and businesses that has prevented countless cyberattacks over the past decade. The Act’s protections have facilitated threat warnings to thousands of organizations just this year. Its potential sunset threatens to unleash a wave of cyberattacks that will devastate the small and medium-sized businesses (SMBs) that form a foundational part of our economy.
As someone who has worked on both sides—first leading public-private partnerships at the FBI and now facilitating industry collaboration—I've witnessed firsthand how CISA 2015 transformed our cybersecurity landscape. The law provides crucial liability protections that encourage companies to share threat indicators with the government and each other, while offering antitrust protection for industry-to-industry collaboration. Without these safeguards, the robust information sharing that has made American networks more secure simply stops.
The SMB Crisis Waiting to Happen
The consequences of letting CISA 2015 lapse will fall most heavily on America's small and medium-sized businesses. Recent data from NetDiligence’s 2024 Cyber Claims Study shows that ransomware cost SMBs an average of $432,000 per attack. These businesses don't have the cash reserves to weather extended downtime. At most, many can only survive three to four weeks of operational disruption before facing permanent closure.
According to industry analysis, small and medium enterprises represent 98% of cyber insurance claims while accounting for $1.9 billion in total losses, underscoring their vulnerability in today's threat landscape. CISA 2015’s expiration will significantly weaken the early warning system that has helped businesses stay ahead of emerging threats. Without the government's ability to share robust intelligence about new attack methods, SMBs become sitting ducks for cybercriminals who specifically target organizations that can't afford to lose days or weeks.’’
The Cyber Initiatives Group Fall Summit on Wednesday, September 17 from 12p – 3p is convening experts to engage on the most pressing cybersecurity risks. Save your virtual seat now.
Healthcare: Where Cybersecurity Becomes Life and Death
The stakes become particularly dire in healthcare, where ransomware attacks don't just threaten profits—they threaten lives. The University of Minnesota School of Public Health’s experts estimate that ransomware attacks killed 42 to 67 Medicare patients between 2016 and 2021. These numbers represent a horrifying trend: threat actors deliberately target hospitals because they know healthcare systems will pay quickly to avoid putting patients at risk.
If information sharing degrades after CISA 2015's sunset, hospitals–and all other critical infrastructure–very likely will lose crucial early warnings about ransomware variants and other attack methods. When a hospital's systems are threatened, rapid information sharing matters. Minutes count in medical emergencies, and delays can be fatal.
Economic Ripple Effects
The economic impact extends far beyond individual companies. SMBs make up the vast majority of (99%) businesses in the U.S., and employ nearly half of the private sector’s workforce. According to the U.S. Chamber of Commerce, they’re responsible for 43.5% of our GDP, so their widespread failure would create devastating ripple effects throughout the economy.
More concerning, America's technological leadership depends on the robust threat intelligence sharing that CISA 2015 enables. Our cybersecurity companies lead the world precisely because they have access to comprehensive threat data that helps them develop superior products and services.
Other countries modeled its cybersecurity information sharing after our system, recognizing that America's approach gives us a competitive advantage. If we allow this framework to collapse, we're not just making individual businesses more vulnerable—we're undermining the foundation of American cybersecurity leadership that other nations seek to emulate.
Sign up for the Cyber Initiatives Group Sunday newsletter, delivering expert-level insights on the cyber and tech stories of the day – directly to your inbox. Sign up for the CIG newsletter today.
The Path Forward: Clean Reauthorization Now
There's bipartisan agreement that CISA 2015 should be reauthorized, with experts from across the political spectrum recognizing its vital importance. DHS Secretary Kristi Noem has urgently called for reauthorization, emphasizing that public-private partnerships have grown stronger because of the information-sharing guidelines established in CISA 2015.
The cleanest path forward is a straightforward reauthorization while Congress works through any technical improvements. The core framework has proven its worth over a decade of operation, facilitating billions of dollars in prevented losses and creating a culture where information sharing is the default rather than the exception.
Beyond Politics: A National Security Imperative
In an era of political division, cybersecurity remains one of the few areas where Americans across the political spectrum can find common ground. We need to defend against constant attacks coming from the likes of Chinese actors using ransomware during SharePoint vulnerabilities to Iranian groups deploying ransomware as a political weapon to hundreds of criminal ransomware groups operating at any given time.
The solution isn't more regulation or government overreach. It's the collaborative approach that CISA 2015 has fostered. As I used to tell businesses when I was at the FBI: we can't help you if we don't hear from others, and we can't help others if we don't hear from you. This principle of mutual aid and shared defense has made America stronger, and we cannot afford to abandon it now.
Congress must act before September 30. If we allow our cybersecurity information sharing framework to collapse it will devastate small businesses, endanger the sick, and undermine America's position as the global leader in cybersecurity. The time for action is now, before the attacks that could have been prevented become the disasters we failed to stop.
This column by Cipher Brief Expert Cynthia Kaiser was first published in Fortune.
Are you Subscribed to The Cipher Brief’s Digital Channel on YouTube? There is no better place to get clear perspectives from deeply experienced national security experts.
Read more expert-driven national security insights, perspective and analysis in The Cipher Brief because National Security is Everyone’s Business.
