Barring a last-minute deal, the US federal government would shut down on Wednesday, October 1, and the 2015 Cybersecurity Information Sharing Act would lapse at the same time, threatening what many consider a critical plank of US cybersecurity policy.
The CISA Act of 2015 (not to be confused with the CISA Act of 2018, which established the government agency of the same name; the CISA referred to throughout this story is the Information Sharing law, not the agency) is due to expire at 12:01 am ET on October 1, the same moment federal funding lapses absent a continuing resolution.
The continuing resolution that the House passed last week, and which the Senate quickly rejected, included an extension of CISA and several other bills, mostly related to healthcare, until November 21, by which time politicians hoped they could hammer out something more definite.
It’s not going well – but we’ll get to that.
To its supporters, CISA’s provisions create a pipeline of critical threat warnings that flow between the government and businesses. To its detractors, CISA is nothing more than a privacy invasion disguised as a security measure.
CISA, like American politics, is polarizing.
For those unfamiliar with the decade-old law, the Cybersecurity Information Sharing Act gives companies permission to share threat indicators with the government. It sounds like something no one would disagree with when you put it that way, but dig a little deeper and you’ll find that the Act permits companies to share cyber threat indicators with the feds but requires removing personal information not directly related to a threat before doing so.
As part of the law, companies that share such data with Uncle Sam are immune from lawsuits by customers who don’t want the government knowing their business. Those who share data under CISA are also given first dibs on new threat intelligence.
There were attempts to add stronger privacy amendments, mind you, but those were stripped from the bill at the last minute. Even so, the statute includes civil-liberties guidelines and mandates scrubbing unrelated PII. Federal agencies may use shared information for specified purposes – including for the prosecution of crimes, whether cyber-related or not.
Both sides of the CISA divide prioritize different things
As we reported a decade ago, privacy advocates were decidedly unhappy about CISA’s passage. Many elected officials were displeased with the CISA Act too. Senator Ron Wyden (D-OR), then a spry 66 years old and less than 20 years into his ongoing Senate career, described the bill as being little more than a way to legalize federal government surveillance. Wyden proposed an amendment to the CISA Act to add protections that required companies to remove personal information not necessary to describe or identify a cybersecurity threat from submissions to the government. The amendment didn’t pass.
We reached out to several organizations that expressed dissatisfaction with CISA a decade ago to get their take on the possibility of its ending, but didn’t receive answers to our questions before publication.
Supporters of CISA, including former FBI cyber division deputy assistant director Cynthia Kaiser, see it another way. After a decade in effect, CISA has become a critical part of US cyber threat reporting.
“The CISA Act of 2015 has quietly become the backbone of our nation’s cyber defense,” Kaiser said in an op-ed published in Fortune last month advocating for CISA’s extension.
“The Act’s protections have facilitated threat warnings to thousands of organizations just this year,” Kaiser continued. “Its potential sunset threatens to unleash a wave of cyberattacks that will devastate the small and medium-sized businesses that form a foundational part of our economy.”
The ex-FBI leader claimed that CISA threat sharing had prevented billions of dollars in cyber incident losses over the past decade, but more than that, she said it’s led to a culture shift “where information sharing is the default rather than the exception.”
“This principle of mutual aid and shared defense has made America stronger, and we cannot afford to abandon it now,” Kaiser concluded.
CISA is the least of our concerns
The House passed its own version of the continuing resolution last week, sending it to the Senate, where members shot down both the House bill and a version put forward by Senate Democrats. The only movement either side has made since then has been to dig its heels in even further and refuse to budge on what the other side wants.
House Minority Leader Hakeem Jeffries (D-NY) laid blame on Republicans on Thursday, calling their CR “the largest cut to Medicaid in American history” and proclaiming that Democrats wouldn’t acquiesce to a bill that didn’t include continued funding for healthcare programs like clinic funding, community health centers, and other health programs set for a similar short-term extension to CISA under the House-passed bill.
The Senate largely rejected the House continuing resolution amid disputes over healthcare provisions and spending levels.
Republicans, meanwhile, blame Senate Democrats for not backing Senate Republicans in their stripping of those measures in order to get the resolution to Trump’s desk for signature before the government shuts down at 0401 UTC (0001 ET) on Wednesday, October 1.
We reached out to leaders in both chambers and parties to learn if there has been any progress toward passage of a bill that, at the very least, deals with the CISA issue. No one bothered to respond.
The Senate isn’t due back in chambers until Monday, September 29, when it plans to once again attempt to pass the continuing resolution. The House doesn’t intend to return from a long weekend until the following day, giving it practically no time to agree to a modified bill, if such a measure manages to pass the Senate. ®