Expired protections, exposed networks: The stakes of CISA’s sunset

A critical, longstanding piece of America’s cybersecurity infrastructure is perilously close to vanishing overnight.
On Tuesday, the Cybersecurity Information Sharing Act (CISA) expires — and with it, the legal protections that enable countless organizations to share threat intelligence with the federal government. Without swift congressional action, we risk dismantling years of progress in collaborative cyber defense at the precise moment we need it most.
As we approach CISA’s 10-year anniversary, we’re confronted with the reality that today’s threat landscape is virtually unrecognizable from a decade ago. In 2015, we worried about data breaches and website defacements.
Today, we face AI-powered attacks, the proliferation of cybercrime-as-a-service, supply chain compromises that ripple across entire sectors, undetected cyberattacks that pre-position adversaries, and sophisticated ransomware ecosystems where criminals and nation-states share resources to scale their cyber operations.
The recent Salt Typhoon intrusions into U.S. telecommunications infrastructure underscore a harsh reality: our adversaries have evolved faster than our defenses.
The damaging cost of inaction
CISA’s expiration wouldn’t just be a bureaucratic hiccup — it would trigger a cascade of consequences across our digital infrastructure. The act’s safe harbor provisions and liability protections form the legal backbone that allows private companies to share cyber threat indicators with government agencies, without fear of lawsuits. Remove these protections, and organizations will retreat into information silos, leaving us blind to emerging threats.
Consider what could happen if these protections disappear: a financial institution that detects suspicious activity linked to a nation-state campaign could face legal exposure for sharing that intelligence. A single hospital’s medical records compromised during a cyberattack could put an entire health care system at risk. The telecommunications companies that need to coordinate during incidents like Salt Typhoon could lose their legal framework for collaboration.
This isn’t speculation — it’s the pre-2015 reality we’d return to.
Beyond band-aids: modernizing for tomorrow’s threats
While the proposed WIMWIG Act aims to extend CISA through 2035, simply reauthorizing outdated frameworks won’t thoroughly address modern security challenges. We’re still operating in a reactive cybersecurity paradigm that tells organizations what already happened, rather than helping them understand what’s currently happening based on signals and criminal behaviors.
Current information sharing focuses heavily on Indicators of Compromise (IoCs) — specific IP addresses, domains, and file hashes that attackers use. But in an era of AI and automation, threat actors constantly pivot their infrastructure, making these IoCs stale within days, hours, or even minutes.
The truth is, while threat intelligence serves larger organizations with mature security operations, most organizations struggle to leverage it effectively. We need intelligence that doesn’t just catalog past attacks but also provides predictive insights.
This is why the real opportunity lies in shifting from reactive IoC sharing to proactive behavioral analytics and telemetry. Instead of sharing that an attacker used a specific IP address, which they’ll replace as they constantly spin up new infrastructure, we need to share how they moved through networks, what techniques they employed, and what behaviors preceded the attack. Three failed login attempts might mean nothing in isolation, but when combined with lateral movement patterns and privilege escalation behaviors, they reveal an active intrusion.
This shift becomes even more critical as we enter the age of non-human identities. Cloud services, operational technology, and AI systems are creating environments where machine identities outnumber human ones 10:1.
Understanding the complex relationships and interactions across these hybrid environments requires contextual intelligence that transforms raw telemetry into actionable insights about ongoing threats and the identities likely to be targeted.
A path forward
Congress faces a choice: settle for short-term extensions that kick the can down the road or seize this moment to modernize our cyber defense systems. Some may view CISA’s potential expiration as a retreat from collective cyber defense, but it could instead represent an opportunity to build something stronger — a modern framework that demonstrates America’s commitment to defending against cyber threats at every level.
Meaningful reauthorization must include:
- Enhanced liability protections that cover behavioral anomalies, not just traditional IoCs. Organizations need legal clarity in order to share the rich, contextual intelligence that actually prevents attacks.
- Mandated reciprocity in intelligence flows. Too often, private sector sharing has been a one-way street. Federal agencies must provide consistent, enriched, and actionable intelligence back to industry partners, fostering true collaboration rather than mere collection.
- Incorporation of AI and automation capabilities that can process behavioral patterns at scale, enabling real-time threat detection across our increasingly complex digital ecosystem.
- Improved oversight mechanisms that ensure the program evolves with the threat landscape rather than remaining frozen in 2015-era security methodologies.
The urgency is real
With bipartisan reauthorization efforts facing tight timelines, the window to get this right is closing fast. If CISA 2015 lapses, it shouldn’t be due to political gridlock but because we’ve chosen to seize this opportunity to build a cyber defense framework worthy of the challenges ahead.
Every day of delay gives our adversaries a greater advantage. Every moment of uncertainty weakens our collective cyber defense. Congress must act decisively, not just to preserve what we have, but to build the proactive, behavior-based intelligence-sharing ecosystem our national security demands.
In just a day, we’ll either have a modernized framework for collaborative cyber defense, or we’ll watch a decade of progress crumble. The choice before Congress isn’t just about renewal — it’s about transformation. Let’s ensure any outcome strengthens, not weakens, our nation’s cyber resilience.
The time for action is now — we must defend and protect forward.
Kevin E. Greene is the chief cybersecurity technologist for public sector at BeyondTrust. He previously held tech roles at OpenText, the MITRE Corporation and in the cybersecurity division of the Department of Homeland Security’s Science and Technology Directorate.