6 min read

Congress has failed to renew a critical cybersecurity law as deadlines passed. The lapse leaves U.S. networks and private systems more vulnerable. Lawmakers have expressed bipartisan support, but procedural gridlock stopped reauthorization.
The expiration coincides with a government funding standoff, adding complexity. Many in industry and government now warn of reduced cooperation. The stakes are high for national and infrastructure security.

The law in question is the Cybersecurity Information Sharing Act (CISA) of 2015. It provided liability protections for entities sharing cyber threat data with government agencies. The expiration means those legal shields no longer apply automatically.
In the absence of those protections, many organizations may hesitate to share sensitive threat data. Meanwhile, the authorization for the State and Local Cybersecurity Grant Program (SLCGP) also expired.

CISA 2015 allowed the private and public sectors to share cyber threat indicators under legal shields, and included confidentiality safeguards, Freedom of Information Act (FOIA) exemptions, and antitrust safe harbors.
It encouraged timely, voluntary threat information exchange.
The law aimed to accelerate detection and response to cyberattacks. Over time, it facilitated coordination across infrastructure sectors. Experts warn that its lapse now undermines that institutional backbone.

Private companies run most of the critical infrastructure: telecom, energy, utilities, and data centers. Their networks face daily cyber threats. Sharing threat signals with federal agencies helps governments assess national risk levels.
In turn, agencies issue alerts, patches, and guidance back to private networks. This two-way flow supports faster incident response. With protections removed, that communication is less certain.

Before, when firms shared indicators or attack details, they were shielded from litigation or regulatory exposure. Those protections discouraged lawsuits over disclosure or antitrust concerns. Now, without the law, companies may face liability or scrutiny for disclosing threat info.
Legal and compliance teams may block disclosures. The chilling effect could slow threat alerts and cooperation. Some defenders will self-censor to avoid risk.

As legal risk rises, fewer companies may send cyber threat signals in real time. Without that input, government agencies and cybersecurity centers lose visibility.
Blind spots may grow in national defenses. Attackers can exploit delays or opacity. Coordination across sectors is weakened. Response times to new threats could suffer significantly.

Many firms are reported to be reassessing their sharing policies. Legal counsel in some organizations are considering returning to internal-only logs, anonymized disclosures, or more restricted sharing.
Threat intelligence exchanges may shrink. Smaller companies lacking legal teams are especially vulnerable. The lapse forces more risk-averse behavior.

Meanwhile, the Cybersecurity and Infrastructure Security Agency (CISA) is struggling with resource constraints. The agency’s staffing and operational reach have shrunk.
Its ability to analyze, distribute, and act on data is reduced. It now operates with less capacity during a critical time. Other federal cyber agencies also feel the strain. The expiration reduces one tool in CISA’s toolkit.

Another casualty is the State and Local Cybersecurity Grant Program (SLCGP). That program financed cybersecurity initiatives in states and municipalities. It helped upgrade defenses in local networks, 911 systems, water systems, and municipal IT.
Without funding, many projects will pause or halt. Smaller jurisdictions are most at risk. The lapse threatens cyber readiness far below the federal level.

Critical infrastructures like power, communications, and transportation depend on robust, coordinated cybersecurity. The lapse weakens cross-sector surveillance and warning systems. Hackers could exploit weaker links in smaller or less protected segments.
Disruptions could cascade from local to national levels. The risk of blackouts, service interruptions, or data breaches increases. The integrity of core networks now faces broader threats.

Foreign actors and cybercriminal groups monitor U.S. policy changes. A weakened threat-sharing regime presents an opportunity. State-sponsored hackers may launch tests, probing defenses.
Insider or supply chain attacks could go undetected more easily. Attack campaigns could leverage the lapse to stay hidden longer. The strategic timing of this expiration is alarming to defenders.

Bipartisan lawmakers are pushing bills to reauthorize CISA 2015 cleanly for 10 years. Senator Gary Peters and others have proposed extensions with retroactive liability protection. House committees have passed reauthorization proposals.
But procedural objections in the Senate and funding impasses block progress. Some senators want changes to the liability or free speech clauses. The urgency is growing.

The Protecting America from Cyber Threats Act is one proposed bill to renew the law. It includes retroactive liability protection for shared threat data. It would restore legal certainty for firms that continued sharing during the lapse.
Some versions include stricter oversight or revisions. Balancing liability, free speech, and cybersecurity is central. Legislative fate remains uncertain.

Industry, cybersecurity firms, utilities, and state agencies want clear, fast reauthorization. They demand protection from lawsuits, stable rules, and no gaps in operation. Some call for “shutdown-proofing” CISA so it can’t be derailed in funding fights.
Legal protections need clarity. Stakeholders also push for increased funding and expanded authority. The demand is for certainty in volatile times.

The lapse took effect as of September 30, 2025. Congress may extend the law via the National Defense Authorization Act (NDAA) or a new funding resolution.
But procedural blocks persist. The longer the gap remains, the higher the damage and risk. Threat actors won’t wait. The next few weeks are critical. Reauthorization or reform needs to move fast.

In summary, U.S. networks are entering a more vulnerable era. The lapse impairs how cyber threats are detected, shared, and responded to.
Private, federal, and local defenders face a coordination void. Infrastructure protection becomes harder. Adversaries may push more boldly. Rebuilding trust in threat sharing and legal frameworks will be crucial.
This slideshow was made with AI assistance and human editing.