Unless Congress acts swiftly, the United States could lose one of its most effective shields against ransomware and nation-state cyberattacks. The Cybersecurity Information Sharing Act of 2015 (CISA 2015) is scheduled to expire on September 30, 2025, and with it, the legal framework that allows companies and the government to freely exchange cyber threat intelligence will vanish.
In a sobering op-ed published in Fortune, former FBI Cyber Division assistant director and cybersecurity advisor Tonya Ugoretz warns that letting the law lapse could have devastating consequences for national security, digital infrastructure, and even human lives.
“Without it,” she writes, “we risk dismantling a system that has quietly made America safer—one ransomware indicator at a time.”
What Exactly Is CISA 2015?
Enacted in the wake of high-profile hacks on OPM, Sony, and health care networks, the Cybersecurity Information Sharing Act of 2015 was built around one core principle: threat intelligence should flow freely between public and private sectors to stay ahead of cybercriminals and state-backed hackers.
CISA 2015:
- Allows companies to share threat indicators with DHS and other firms without legal liability.
- Enables Automated Indicator Sharing (AIS), the DHS program through which machine-readable indicators (malware hashes, suspicious domains and IP addresses, observed attack techniques) are exchanged in STIX format over TAXII, in near real time, among federal agencies and participating organizations.
- Protects companies from regulatory, antitrust, or privacy lawsuits when participating in information exchange.
This act turned cybersecurity into a team sport, encouraging collaboration between federal agencies and sectors like finance, health care, energy, manufacturing, and tech.
CISA’s Hidden Role in America’s Ransomware Defense
While the average person might not have heard of CISA 2015, behind the scenes, it plays a starring role in America’s ransomware response capabilities.
When a hospital gets hit with LockBit or a manufacturer faces a new variant of Black Basta, the threat indicators (IP addresses, file hashes, behavior signatures) can be shared across the entire AIS ecosystem within minutes. Other participants can then load those indicators into their own blocklists and detection rules before the same campaign reaches them. Because attackers rotate infrastructure quickly, the value of an indicator decays fast, which is why the speed of sharing matters as much as the sharing itself.
“Information sharing has saved countless organizations from becoming the next ransomware headline,” said Ugoretz. “But that pipeline will dry up if legal protections disappear.”
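The mechanism described above, as an added example that is not code from Ugoretz's op-ed, from the AIS program, or from any vendor: a minimal STIX 2.1 indicator bundle of the kind an AIS/TAXII feed distributes, and a consumer that turns the live indicators into a detection over local telemetry while honoring revocations. Everything here is an assumption for illustration: the telemetry field names in FIELD_MAP are this example's own convention, the indicator values and log events are constructed (a fake SHA-256, an RFC 5737 documentation address, reserved example domains), and the stix2 library is intentionally not used so the block runs with the standard library alone.

```python
"""Build a STIX 2.1 indicator bundle and match it against local telemetry.
Added illustration; not code from the article, from AIS, or from any vendor.
The stix2 library is deliberately not used so this runs with the stdlib only."""
import json
import re
import uuid

# Assumed mapping from STIX observable paths to the field names in our own
# telemetry. The right-hand names are this example's convention, not a standard.
FIELD_MAP = {
    "file:hashes.'SHA-256'": "sha256",
    "domain-name:value": "dns_query",
    "ipv4-addr:value": "dst_ip",
}

# Only the simplest STIX pattern shape is supported: [type:path = 'value'].
# Patterns using AND/OR, FOLLOWEDBY, ranges or other operators are rejected
# rather than silently mis-parsed.
_SIMPLE_PATTERN = re.compile(r"^\[\s*([\w-]+:[\w.'-]+)\s*=\s*'([^']*)'\s*\]$")


def make_indicator(pattern, name, revoked=False):
    """Minimal STIX 2.1 Indicator SDO with the properties a consumer relies on."""
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": "2025-08-20T00:00:00.000Z",
        "modified": "2025-08-20T00:00:00.000Z",
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern_type": "stix",
        "pattern": pattern,
        "valid_from": "2025-08-20T00:00:00Z",
        "revoked": revoked,
    }


def make_bundle(objects):
    """Wrap SDOs in a STIX Bundle, the unit a TAXII feed hands to consumers."""
    return json.dumps({"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
                       "objects": objects})


def parse_pattern(pattern):
    """Return (telemetry_field, value) for a supported pattern, else ValueError."""
    m = _SIMPLE_PATTERN.match(pattern)
    if not m:
        raise ValueError(f"unsupported pattern shape: {pattern}")
    path, value = m.groups()
    if path not in FIELD_MAP:
        raise ValueError(f"no telemetry field mapped for {path}")
    return FIELD_MAP[path], value


def match_events(bundle_json, events):
    """Apply every live STIX indicator in the bundle to a list of event dicts.
    Returns (indicator name, host) pairs. Revoked indicators are skipped so a
    withdrawn IOC stops firing as soon as the feed says so."""
    bundle = json.loads(bundle_json)
    hits = []
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        if obj.get("revoked"):
            continue
        field, value = parse_pattern(obj["pattern"])
        for ev in events:
            # Hashes and domains are compared case-insensitively; feeds are not
            # consistent about casing, and a miss here is a missed detection.
            if ev.get(field, "").lower() == value.lower():
                hits.append((obj["name"], ev["host"]))
    return hits


# Constructed sample data: a fake SHA-256, an RFC 5737 documentation address
# and reserved example domains. None of these are real IOCs.
FAKE_SHA256 = "0123456789abcdef" * 4
SAMPLE_EVENTS = [
    {"ts": "2025-08-20T12:01:03Z", "host": "ws17", "dns_query": "update-check.example"},
    {"ts": "2025-08-20T12:01:09Z", "host": "ws17", "sha256": FAKE_SHA256.upper()},
    {"ts": "2025-08-20T12:02:10Z", "host": "srv03", "dst_ip": "203.0.113.7"},
    {"ts": "2025-08-20T12:03:44Z", "host": "ws22", "dns_query": "www.example.com"},
    {"ts": "2025-08-20T12:04:01Z", "host": "ws22", "dns_query": "old-c2.example"},
]


def demo():
    """Share three live indicators plus one revoked one, then match locally."""
    bundle = make_bundle([
        make_indicator("[domain-name:value = 'update-check.example']", "Constructed C2 domain"),
        make_indicator(f"[file:hashes.'SHA-256' = '{FAKE_SHA256}']", "Constructed dropper hash"),
        make_indicator("[ipv4-addr:value = '203.0.113.7']", "Constructed exfil host"),
        make_indicator("[domain-name:value = 'old-c2.example']", "Withdrawn domain", revoked=True),
    ])
    return match_events(bundle, SAMPLE_EVENTS)


if __name__ == "__main__":
    for name, host in demo():
        print(f"{host}: matched {name}")
```

Two design points matter in practice. Rejecting any pattern shape the matcher does not understand is safer than a best-effort parse, because a silently ignored clause turns a narrow indicator into a broad one or into nothing at all. And treating `revoked` as authoritative is what keeps a shared feed from generating stale alerts once an indicator is withdrawn, which is as much a part of the sharing pipeline as the initial publication.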
Healthcare Could Be Ground Zero
No sector is more at risk from the expiration of CISA than healthcare.
Hospitals are prime ransomware targets, due to both outdated infrastructure and the high value of medical records. A study by UCSF and Vanderbilt found that ransomware attacks led to measurable spikes in mortality, estimating that between 42 and 67 Medicare patients died due to delayed care between 2016 and 2021.
Ugoretz emphasizes that without CISA, hospitals may stop reporting indicators of compromise (IOCs), fearing lawsuits or regulatory fallout. That could cripple proactive defense strategies and leave the next hospital flying blind.
“This isn’t theoretical,” she notes. “It’s a matter of life and death.”
SMBs Will Be Left Defenseless
While large corporations can afford internal threat intelligence teams, most small and medium-sized businesses (SMBs) depend on shared cyber insights to survive.
If CISA 2015 is not renewed:
- SMBs may no longer receive AIS alerts through their managed security providers.
- Some may hesitate to report intrusions, fearing customer backlash or legal exposure.
- Malware campaigns could enjoy longer lifespans, especially in low-visibility sectors like logistics and manufacturing.
The outcome? A more fragmented, reactive, and vulnerable digital ecosystem.
Why CISA 2015 Was Built to Expire
CISA 2015 wasn’t meant to be permanent. It included a sunset clause—standard practice for major surveillance or data-sharing laws—to ensure future Congressional review. Now, a decade later, that clause is coming due.
The challenge? Congress is fractured, gridlocked, and distracted. Despite bipartisan recognition of cyber threats, cybersecurity laws tend to fly under the radar unless triggered by catastrophe.
Ugoretz warns that waiting for a cyber 9/11 to reauthorize basic security frameworks is a mistake we can’t afford.
Ransomware Attackers Evolve Faster Than Laws
Today’s ransomware isn’t what it was in 2015.
We’ve moved from smash-and-grab extortion to “double extortion” (encrypt + leak), and even “triple extortion” (encrypt + leak + DDoS). Groups like Clop, LockBit, and BlackCat now function like professional software companies, complete with affiliates, SLAs, and dark web support forums.
Meanwhile, emerging threats from AI-powered phishing, zero-day exploits, and deepfake-based social engineering are escalating faster than policy can adapt.
Removing a law that helps defenders act in real-time would amount to cybersecurity malpractice in this environment.
Government and Private Sector at a Crossroads
Ugoretz isn’t alone in sounding the alarm.
The National CIO Review and Homeland Security Today have also published urgent commentaries, noting that expiration of CISA would:
- Weaken NIST and DHS cyber collaboration programs
- Undermine CISA’s own public-private partnerships
- Introduce legal uncertainty for every organization participating in threat sharing
“There’s a real risk that fear of lawsuits replaces our current culture of transparency and cooperation,” notes a cybersecurity strategist with a major U.S. bank.
The sentiment is echoed in the broader infosec community: don’t mess with what’s working.
A Time for Cyber Legislative Leadership
Despite record numbers of ransomware attacks in 2024 and 2025, the U.S. Congress has yet to pass a clear reauthorization bill for CISA 2015.
Some cybersecurity experts propose a broader “CISA 2.0” that would:
- Address privacy criticisms by tightening what data can be shared
- Expand liability protections to cloud platforms and MSPs
- Create a real-time AI-driven threat exchange powered by LLMs and behavior modeling
But even a basic re-authorization of the current law would be better than letting it silently expire.
What Happens If Congress Lets It Expire?
If Congress fails to act by September 30, 2025:
- The legal safe harbor for threat sharing disappears
- AIS participation will plummet
- Major firms may stop cooperating with federal cyber investigators
- Federal agencies may lose visibility into fast-moving campaigns
Worst of all, the vacuum may embolden cybercriminal groups, who closely monitor U.S. legislative and enforcement trends.
The Clock Is Ticking
With fewer than 40 days remaining before expiration, cybersecurity leaders are urging:
- Immediate Congressional hearings on CISA renewal
- An interim extension to prevent a lapse in protections
- A roadmap for an upgraded, modernized CISA framework
As Ugoretz writes, “In the fight against ransomware, time is the most critical variable. Right now, we’re about to lose it.”
Final Thoughts
America’s digital infrastructure is increasingly under siege—from ransomware cartels to nation-state hackers. In this hostile environment, sharing threat intelligence isn’t optional—it’s survival.
CISA 2015 has worked quietly and effectively for nearly a decade. Its expiration would not only disrupt how we fight cybercrime but could also result in real-world harm—from patient deaths in hospitals to business shutdowns across the country.
This is not a hypothetical cybersecurity debate—it’s a legislative ticking time bomb. And there’s still time to defuse it.
