Cristin Flynn Goodwin
Introduction
The years 2013, 2014, and 2015 brought challenging days for those who worked in cybersecurity. Wave after wave of massive breaches saw the data of hundreds of millions of people stolen by cyber criminals. Names that have now faded into the background but were headline-generating news at the time: Target, JP Morgan Chase, Home Depot. Later in 2014 and into 2015, we saw the rise of nation-state attacks, with the Sony Pictures hack by North Korea, then the Office of Personnel Management hack by China, and the Russian attack against the Ukrainian power grid. Threat intelligence and incident response teams were working overtime to identify threats and respond to constant incidents.
It was against this backdrop that the Cybersecurity Information Sharing Act of 2015 (CISA 2015) was enacted. At the time, some private sector entities – particularly those in regulated sectors – expressed concern about liability arising out of the risk of disclosing information to the federal government. CISA’s passage enabled private sector entities to share cyber threat indicators with the federal government and each other in a way that otherwise did not exist, under a framework that provided legal protections and privacy safeguards.
The Act expires on September 30, 2025. Congress should reauthorize CISA 2015. Not for the obvious reasons – that it calms the anxieties of legal teams worried about information donation in the face of legal risk, or that it gives the Cybersecurity and Infrastructure Security Agency (CISA) insights from the private sector that it would not otherwise have and can then share with the federal government, critical infrastructures, and even the world at large. Those reasons should be enough to reauthorize CISA 2015.
The real reason to reauthorize CISA 2015 is what it will enable over the next 10 to 15 years. As the Cybersecurity and Infrastructure Security Agency matures into a more operationally capable agency that can hunt for threats across the Federal Civilian Executive Branch (FCEB) and generate its own first-party data, CISA will move from being a conduit for information provided by others to an era of information “giving,” in which it generates its own information to share.
Information Sharing versus Information Dissemination
Nation-state actors, criminal syndicates, and opportunistic hackers exploit vulnerabilities across sectors, often using the same tactics, techniques, and procedures (TTPs) against multiple targets. Information sharing enables defenders to learn from each other’s experiences, identify patterns, and respond more effectively. It’s been the foundation of cybersecurity policy since Presidential Decision Directive 63 in 1998, and part of the ethos of the cybersecurity community. Those who have data exchange it with others to unite against a common threat and protect the largest number of customers possible. This data exchange also creates efficiencies across sectors.
CISA 2015 was designed to facilitate this sharing by creating a voluntary framework for sharing cyber threat indicators and defensive measures. It provides liability protections, antitrust exemptions, and safeguards against public disclosure, thereby reducing the legal and reputational risks that might otherwise deter companies from sharing sensitive information. As the Protecting America’s Cyber Networks Coalition emphasized in its May 2025 letter to Congress, “CISA 2015 helps defenders improve their security measures while raising costs for attackers.”[1]
Unfortunately, that sharing mindset conflicted with the mission the agency was given when Congress established it in 2018, and the cognitive dissonance persists. When CISA was created as a legal entity in 2018, the Cybersecurity and Infrastructure Security Agency Act (CISA 2018) assigned it the responsibility of coordinating “a national effort to secure and protect against critical infrastructure risks,” of integrating “relevant information, analysis, and vulnerability assessments” regardless of source, and of disseminating the analyzed information across the government and with the private sector.[2]
That dissemination obligation meant that information given to the agency became information it had the authority to distribute. It also elevated CISA to a unique position in the federal cybersecurity landscape, making CISA both a broadcaster of threat intelligence to the private sector and a coordinator of cybersecurity efforts across the FCEB. When companies seek broad amplification or rapid dissemination for FCEB action, CISA can be a trusted partner for information dissemination and distribution. That’s when CISA is at its best, and its advisories amplify information about important and critical vulnerabilities for response teams.[3]
But it also meant that companies needed to think carefully about what to give CISA, and when to provide it. Data given to CISA would be distributed across the FCEB and shared first with agencies in the intelligence community, then assessed for impact and for whether it needed to reach trusted members of CISA’s private sector community (the Joint Cyber Defense Collaborative, or JCDC), a broader audience (critical infrastructure information sharing and analysis centers and organizations, or ISACs and ISAOs), or the general public. This awareness brings a level of intentionality to any company’s decision to give information to CISA.
Knowledge is Power – And Someone Else’s Knowledge is Someone Else’s Power
One of the great realities in DC and in cybersecurity is that knowledge is power. Generally speaking, CISA has not had a significant amount of first-party data to share. But it doesn’t have to be that way in the future. Back in 2018, CISA was given the under-appreciated responsibility of securing Federal information and infrastructure.[4] This mission is difficult and challenging, given the stubborn independence of agencies, the variety of missions, and the disparity of budgets across the FCEB.
Despite the passage of time, the need for this responsibility remains acute. Cyberattacks have grown more sophisticated since 2018, and the Federal government is a frequent target. SolarWinds, the Hafnium Exchange attacks, Log4j, the MOVEit compromise in 2023, and, more recently, the Microsoft SharePoint ToolShell vulnerability used to compromise the National Nuclear Security Administration, according to press reports,[5] are just a few of the better-known examples. CISA needs more robust hunting capabilities to find attack activity sooner and limit its impact. This can’t be left to the Departments alone. CISA has to be equipped to be the nation’s threat hunting team, and it has to use its dissemination mandate to share what it’s seeing.
As an example, CISA continues to operate EINSTEIN 1, an intrusion detection tool installed across the FCEB to “monitor the flow of network traffic transiting between FCEB agencies and the internet.”[6] This netflow data can help cybersecurity responders detect anomalies, identify affected systems, trace the path of an attack, and provide historical data to search for indicators of compromise (IOCs). It’s not a complete story, but it can be useful. In the aggregate, it could also be used to tell stories over time – CISA observed X classes of anomalies, or Y types of IOCs, over a given period – by using its own data to create and share reports via its dissemination channels: through the JCDC, to critical infrastructures, or with the public.
Agencies like the FBI and NSA have long held an advantage in the intelligence sharing ecosystem because they generate their own data. They are not merely consumers of threat intelligence, they are producers, with something to “share” with “partners.” This reciprocity fosters deeper partnerships and more robust exchanges. But if CISA were to engage more deeply with its CISA 2018 authority and begin to hunt for nation-state activity across the FCEB, it would have over 100 agencies and bodies, hundreds of thousands of persons, and likely millions of devices and service accounts from which it could draw data about threats and anomalies.[7]
CISA would have the ability to analyze this data over time, and the stories it would tell would be powerful. It would show the emergence of new attacks, new indicators of compromise, new zero-day vulnerabilities, new tactics, techniques, and procedures (TTPs) attempted by attackers, and those could be shared – actually shared – with companies whose products or services were involved in the events or incidents. The reports generated would be game changing, because CISA’s data and insights would set a true baseline on a massive scale, and potentially serve as early warnings of broader attack activity to come. The headlines would write themselves.
This is where CISA needs to be. An equal partner – sharing first party data it has collected with big tech, the NSA, and the FBI, as equals. Only then will it be able to achieve its dissemination and security missions established by Congress.
The Path Forward: A New Era of Information Sharing
Of course, allowing CISA 2015 to lapse would not simply freeze progress; it would reverse it. Companies that are anxious about sharing with government know that CISA 2015 provides legal protections. Lawyers have been using CISA 2015 references and definitions in private sector information sharing agreements across the industry. Removing CISA 2015 would upend the stability of those private sector exchanges and the protections afforded by CISA 2015.
More importantly, retraction of these authorities would undermine the future of CISA’s most promising mission: hunting for threats across the FCEB and sharing its findings with its partner ecosystem. This capability, still in its early stages, could be a transformative shift in how the federal government defends its networks. The current model of decentralized detection, where each agency is responsible for monitoring its own networks, has serious limitations. It creates data silos, slows response times, and makes it difficult to identify coordinated attacks that span multiple agencies. Threat actors exploit this reality time and time again, despite agency obligations to notify CISA.
CISA’s centralized hunting capability offers a solution. By aggregating telemetry from across the FCEB, the agency can detect patterns that no single agency could see on its own. It can identify common indicators of compromise, correlate seemingly unrelated events, and issue alerts that benefit the entire FCEB ecosystem. Then, using its CISA 2018 authorities, it can disseminate information to responders to help protect against what CISA finds. This builds an actual sharing ecosystem: one in which parties exchange information, rather than one side giving data and the other side disseminating it.
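To make the two ideas above concrete (using netflow-style telemetry to search for IOCs and report classes of activity over time, and aggregating across agencies to surface patterns no single agency would see), here is a small added example. It is not code from the article or from CISA or EINSTEIN; the flow records, agency names, and IOC watchlist are constructed sample values, and the record format is an assumed CSV layout (timestamp, agency, source, destination, port, bytes), not EINSTEIN’s actual export format.

```python
"""Added example (not from the article): pass constructed netflow-style
records through an IOC watchlist, summarize IOC classes per day, and find
indicators seen by more than one agency. Every value here is constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed IOC watchlist: destination address -> class label.
# Addresses are from RFC 5737 documentation ranges (placeholders only).
IOC_WATCHLIST = {
    "203.0.113.45": "known-c2",
    "198.51.100.7": "scanner",
}

# Constructed flow export: timestamp,agency,src,dst,dst_port,bytes
SAMPLE_FLOWS = """\
2025-07-01T02:14:00Z,agency-a,10.1.4.22,203.0.113.45,443,5120
2025-07-01T02:16:30Z,agency-a,10.1.4.22,203.0.113.45,443,80940
2025-07-01T03:02:11Z,agency-b,10.2.9.8,203.0.113.45,443,4096
2025-07-01T09:45:00Z,agency-c,10.3.1.5,192.0.2.10,53,200
2025-07-02T01:11:09Z,agency-b,10.2.9.8,198.51.100.7,22,300
2025-07-02T23:59:59Z,agency-b,10.2.7.3,198.51.100.7,22,310
"""


def parse_flows(text):
    """Parse CSV-style lines into dicts; blank or malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 6:
            continue
        ts, agency, src, dst, port, nbytes = parts
        flows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "agency": agency,
            "src": src,
            "dst": dst,
            "port": int(port),
            "bytes": int(nbytes),
        })
    return flows


def match_iocs(flows, watchlist):
    """Return the flows whose destination is on the watchlist, tagged with the IOC class."""
    hits = []
    for flow in flows:
        ioc_class = watchlist.get(flow["dst"])
        if ioc_class is not None:
            hits.append({**flow, "ioc_class": ioc_class})
    return hits


def classes_per_day(hits):
    """Aggregate hits into day -> {ioc_class: count}: the 'X classes over time' view."""
    table = defaultdict(lambda: defaultdict(int))
    for hit in hits:
        table[hit["ts"].date().isoformat()][hit["ioc_class"]] += 1
    return {day: dict(counts) for day, counts in table.items()}


def cross_agency_indicators(hits, min_agencies=2):
    """Indicators observed from at least min_agencies distinct agencies.

    A single agency only sees its own rows; the cross-agency view is what
    aggregation makes possible."""
    seen_by = defaultdict(set)
    for hit in hits:
        seen_by[hit["dst"]].add(hit["agency"])
    return {ioc: sorted(agencies)
            for ioc, agencies in seen_by.items()
            if len(agencies) >= min_agencies}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    hits = match_iocs(flows, IOC_WATCHLIST)
    print("IOC hits:", len(hits))
    print("classes per day:", classes_per_day(hits))
    print("seen across agencies:", cross_agency_indicators(hits))
```

Run as a script it prints the per-day class counts and the one indicator that appears in two agencies’ traffic; the scanner address, seen only by agency-b, is filtered out of the cross-agency view, which is the kind of distinction a single agency’s own logs cannot make.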
But this model only works if CISA has the legal authority, technical infrastructure, and stakeholder trust to operate at scale. CISA is on the cusp of becoming something it has never been before: a producer of first-party threat intelligence, a hunter across the federal enterprise, and a peer in the global cybersecurity community. Reauthorizing CISA 2015 is the key to unlocking that potential.
[1] Coalition Letter Supporting Reauthorization of the Cybersecurity Information Sharing Act of 2015 (CISA 2015) | U.S. Chamber of Commerce
[2] PUBL278.PS, Cybersecurity and Infrastructure Security Agency Act (CISA 2018) Sec. 2202.
[3] Cybersecurity Alerts & Advisories | CISA
[4] PUBL278.PS, Cybersecurity and Infrastructure Security Agency Act (CISA 2018) Sec. 2202(c)(3).
[5] US nuclear weapons agency hacked in Microsoft SharePoint attacks
