OPINION — Ransomware attacks conducted by criminals are persistently hitting airports, schools, and 911 dispatch centers, while foreign adversaries probe our critical infrastructure every day. Yet, two programs designed to build national cyber readiness to combat these threats — one that underpins public-private threat sharing, the other that builds local cyber defenses — have now expired. Congress’s inaction amid the government shutdown has left a widening gap in America’s cyber defenses.
Nearly a decade ago, Congress passed the Cybersecurity Information Sharing Act of 2015 (CISA 2015) to encourage private companies and government agencies to voluntarily share cyber threat indicators. The law officially expired on September 30. It was a bipartisan response to rising state-sponsored hacking campaigns, and it provided a legal framework — and protections — that still govern how threat data flows across public and private networks today.
This legal framework supports everything from classified alerts and incident reports to real-time information exchange across sectors like energy, transportation, and healthcare. Without it, experts warn that information sharing between companies and the federal government could drop by as much as 80 percent, severely degrading national cyber situational awareness.
Before the shutdown, steps toward a full reauthorization were underway, with bipartisan support in both chambers – but the process has now stalled entirely. One proposal, however, threatened to undermine the goals of the law. Senate Homeland Security Committee Chair Rand Paul’s (R-KY) version of CISA 2015 renewal would gut key legal protections — including liability and FOIA safeguards — and inject surveillance-related restrictions that have no place in cybersecurity law. His version would kill the trusted framework that enables timely, voluntary sharing of threat intelligence data, not improve it.
A more responsible path is already on the table. In early September, the House Homeland Security Committee Chair, Representative Andrew Garbarino (R-NY), introduced the Widespread Information Management for the Welfare of Infrastructure and Government Act, which would reauthorize CISA 2015 for ten years. It also includes a new outreach mandate to ensure that small and rural critical infrastructure owners and operators understand how to participate in information sharing efforts.
Meanwhile, the second program that expired is the State and Local Cybersecurity Grant Program (SLCGP) created through the 2021 bipartisan infrastructure law. Unlike CISA 2015, which supports federal-private coordination, this program was designed to build basic cyber capacity at the state and local level. It pushed state and local governments to create cybersecurity plans, conduct assessments, and adopt best practices – and provided the funding to put those plans into action. For many jurisdictions, this was their first real investment in cyber defense.
So far, the program has backed over 800 projects across 33 states and territories, totaling $838 million. In Utah, grant-funded tools helped stop a ransomware attack on a major airport and a 911 emergency dispatch center. In Maryland, it funded coordinated efforts across 40 counties. The program is not perfect — uneven cost-sharing requirements and bureaucratic restrictions limit its reach to smaller communities. But the results are clear: state officials say these projects “would not have been possible” without the SLCGP funding. This focus on state and local leadership on cybersecurity readiness is exactly what President Trump called for in his May 2025 Executive Order.
With the SLCGP expired as of August 31, that momentum is now in jeopardy. Without new funding, states and municipalities — especially those without dedicated cybersecurity teams — will be forced to pause cybersecurity initiatives. The result is not just slower progress, but a direct weakening of our national cyber posture. Alongside Rep. Garbarino’s bill, Representative Andy Ogles (R-TN) introduced the Protecting Information by Local Leaders for Agency Resilience Act, which would reauthorize SLCGP for ten years. But the bill lacks a dedicated funding amount.
A robust reauthorization of the SLCGP must do more than simply extend the program on paper. It must ensure sufficient, stable funding over the next decade, remove restrictions that prevent states from using funds for widely relied-upon cybersecurity services, and lower cost-share requirements for small and rural jurisdictions. The “whole-of-state” model — in which state agencies coordinate shared services for local governments — must be preserved and expanded.
The House had done its part, passing both ten-year reauthorizations with bipartisan support and including temporary extensions in the continuing resolution. But the Senate failed to act, leading to an immediate lapse. Unless both measures are included in the National Defense Authorization Act for a full, long-term extension, progress will stall. Anything less is a failure to defend the American people where the threat is already inside the wire — and would amount to more collateral damage from the shutdown.
The Cipher Brief is committed to publishing a range of perspectives on national security issues submitted by deeply experienced national security professionals.
Opinions expressed are those of the author and do not represent the views or opinions of The Cipher Brief.