In 2015, the personnel record system for much of the federal government was hacked; millions of highly detailed personal information forms were stolen, several officials from the Office of Personnel Management (OPM) resigned after a Congressional investigation, and Congress resolved never to allow a similar breach to happen again.1 The result was the Cybersecurity Information Sharing Act, or CISA. Maligned by critics as an arbitrary overstep of government surveillance power in contravention of contemporary privacy reforms and lauded by supporters as crucial to national cybersecurity and public safety, the act passed Congress with a ten-year authorization. Now up for reauthorization, it has struggled to secure anything more than very short-term reauthorizations, with repeated lapses, and faces an uncertain fate.2 This paper discusses the philosophical and ideological debates underlying the contested passage and reauthorization in order to better understand the source of disagreement.
Arguments in Favor
Proponents of the measure and its reauthorization describe it as a critical clarification of the laws around cybersecurity “information sharing,” that is, communication about the cyber vulnerabilities and attacks that companies, government, and private individuals discover on networks. Prior to the bill’s passage, the law was unclear about what companies could and could not share, and information sharing was stifled by concerns that such sharing “could open a company to legal liability and antitrust concerns.”3 CISA provided “the legal authority for private entities to: monitor their networks or those of their customers, upon authorization and written consent, for cybersecurity purposes; take defensive measures to stop cyber attacks; and share cyber threat information with each other and with the government to further collective cybersecurity.”4 Sharing is voluntary, and the use of the data is limited to cybersecurity and, according to advocates, a “very narrow set of crimes.”5 The act removes the possibility of legal liability from information sharers, which allows information to be shared more freely and helps prevent cyberattacks and limit their damage.6
Data collected and shared goes to the Department of Homeland Security (DHS) rather than to any federal law enforcement agency; DHS was chosen in the wake of the Snowden disclosures to serve as a civilian gateway rather than as nothing more than a new data pipeline for the National Security Agency (NSA).7 The data is also stripped of personally identifiable information according to guidance published by DHS, further reducing surveillance fears (though this was implemented after the bill was passed, and such guidance may be under threat of legal attack given the Loper Bright decision).8
The importance of information sharing and other defensive measures was highlighted by numerous high-profile cyberattacks, including the OPM data breach, the Sony hack, and the long-running harassment of defense contractors and subcontractors by PLA hackers.9 Without information sharing, there was always a new weak link in the chain: targets that detected hacks and defended themselves would be passed over, and the information they had gained defensively never reached the next unlucky victims. Given the importance of cyber systems to US infrastructure, defense, and public safety, preventing and limiting the damage of cyberattacks is a bipartisan issue.
Arguments Opposed
While federal law enforcement criticized CISA for its civilian nature and its limitations on what data could be used for, the bulk of opposition to the bill came from privacy concerns.10 Opponents argued that, by permitting voluntary sharing of information, the bill opened the way for government actors to receive private information without a warrant; while the bill states that only “cyber threat indicators” can be shared, the definition is extremely broad.11 Additionally, though DHS receives shared threat indicators, all information is required to be forwarded to federal agencies ranging from the NSA to the Department of Commerce, substantially undermining claims of civilian control.12 The shared information would also be usable for “investigation or prosecution of any crimes that could result in imminent death or serious bodily harm, or even just serious economic harm.”13 Such crimes, while vile, ought not, according to privacy advocates, be prosecuted with information derived from a bill that was written with the intent to increase cybersecurity, and “which would otherwise require the government to obtain a warrant based on probable cause to access much of that same information.”14 The authorization for companies even to collect such data also fell under scrutiny, and past failures by the government to adequately maintain its own cybersecurity caused critics to ask whether information sharing with the government was even a positive, or whether such data might end up in more danger than it was before.15
Finally, critics noted that the information sharing being touted was not as valuable as claimed by advocates. Barriers to sharing information between private companies were already insignificant, and liability fears were overblown, especially as information relevant to cyber defense rarely included personally identifiable information in the first place.16 The worst cyberattacks would also fail to be intercepted by information sharing because the best hackers know how to avoid detection systems (and such systems are highly prone to false alarms); for example, the Sony hack would not have been prevented by information sharing.17
Core Elements of Controversy
The original passage of CISA was bipartisan, with substantial majorities in each chamber in favor of the measure. The differences between those in favor and those against did not stem from irreconcilable differences in principle. Both sides agreed that preventing cyberattacks should be a priority, and both saw value in data sharing on cyber vulnerabilities. The difference lay in expectations of how the law would be interpreted and put into practice. Privacy-concerned individuals read the broad language and assumed that the act would be used as the functional equivalent of warrantless, near-limitless surveillance of Americans. There was not a significant debate over whether civil liberties were more important than national security; the debate was over whether the bill would permit civil liberties violations in the first place. Advocates for reauthorization now point to the lack of evidence of abuse as proof of their position.18 Overall, the essence of the debate revolved not around differences in policy priority but around differences in trust in government to interpret the law in a way that ensured that data collection was not used for ill.
Bibliography
Daniel, Michael. “The Case for Reauthorizing CISA 2015.” Lawfare, August 4, 2025. https://www.lawfaremedia.org/article/the-case-for-reauthorizing-cisa-2015.
Eddington, Patrick, and Sascha Meinrath. “Why the Information Sharing Bill Is Anti-Cybersecurity.” Cato Institute, July 22, 2015. https://www.cato.org/commentary/why-information-sharing-bill-anti-cybersecurity.
Fein, Ashden, Jess Gonzalez Valenzuela, Analese Bridges, John Webster, and Clair O’Rourke. “Cybersecurity Information Sharing Act of 2015 Reauthorized Through September 2026.” Inside Privacy, February 6, 2026. https://www.insideprivacy.com/cybersecurity-2/cybersecurity-information-sharing-act-of-2015-reauthorized-through-september-2026/.
Fruhlinger, Josh. “The OPM Hack Explained: Bad Security Practices Meet China’s Captain America.” CSO Online, February 12, 2020. https://www.csoonline.com/article/566509/the-opm-hack-explained-bad-security-practices-meet-chinas-captain-america.html.
Godwin, Mike. “The Many, Many, Many Flaws of CISA.” R Street Institute, October 27, 2015. https://www.rstreet.org/commentary/the-many-many-many-flaws-of-cisa/.
Granick, Jennifer Stisa. “The Right Way to Share Information and Improve Cybersecurity.” Just Security, March 26, 2015. https://www.justsecurity.org/21498/share-information-improve-cybersecurity/.
Greenberg, Andy. “CISA Security Bill: An F for Security But an A+ for Spying.” Wired, March 20, 2015. https://www.wired.com/2015/03/cisa-security-bill-gets-f-security-spying/.
Greene, Robyn. “Cybersecurity Information Sharing Act of 2015 Is Cyber-Surveillance, Not Cybersecurity.” April 9, 2015. https://static.newamerica.org/attachments/2741-cybersecurity-information-sharing-act-of-2015-is-cyber-surveillance-not-cybersecurity/CISA_Cyber-Surveillance.488b3a9d2da64a27a9f6f53b38beb575.pdf.
Hacking Policy Council. “Hacking Policy Council Letter of Support for CISA 2015.” August 7, 2025. https://www.documentcloud.org/documents/25992960-hpc-letter-of-support-for-cisa-2015/.
Kargar, Simin. “The Next Cyber Breach Will Not Wait: Why Congress Must Reauthorize CISA 2015.” Just Security, September 12, 2025. https://www.justsecurity.org/120195/the-next-cyber-breach-will-not-wait-why-congress-must-reauthorize-cisa-2015/.
Langley, Mitchell. “Congress Struggles to Renew Cyber Threat Sharing Act Amid Rising Cybersecurity Concerns.” Security Spotlight, September 25, 2025. https://dailysecurityreview.com/security-spotlight/congress-struggles-to-renew-cyber-threat-sharing-act-amid-rising-cybersecurity-concerns/.
Footnotes
1. Josh Fruhlinger, “The OPM Hack Explained: Bad Security Practices Meet China’s Captain America,” CSO Online, February 12, 2020, https://www.csoonline.com/article/566509/the-opm-hack-explained-bad-security-practices-meet-chinas-captain-america.html.
2. Ashden Fein et al., “Cybersecurity Information Sharing Act of 2015 Reauthorized Through September 2026,” Inside Privacy, February 6, 2026, https://www.insideprivacy.com/cybersecurity-2/cybersecurity-information-sharing-act-of-2015-reauthorized-through-september-2026/.
3. Michael Daniel, “The Case for Reauthorizing CISA 2015,” Lawfare, August 4, 2025, https://www.lawfaremedia.org/article/the-case-for-reauthorizing-cisa-2015.
4. Ibid.
5. Ibid.
6. Hacking Policy Council, “Hacking Policy Council Letter of Support for CISA 2015,” August 7, 2025, https://www.documentcloud.org/documents/25992960-hpc-letter-of-support-for-cisa-2015/.
7. Simin Kargar, “The Next Cyber Breach Will Not Wait: Why Congress Must Reauthorize CISA 2015,” Just Security, September 12, 2025, https://www.justsecurity.org/120195/the-next-cyber-breach-will-not-wait-why-congress-must-reauthorize-cisa-2015/.
8. Daniel, “The Case for Reauthorizing CISA 2015.”
9. Kargar, “The Next Cyber Breach Will Not Wait.”
10. Daniel, “The Case for Reauthorizing CISA 2015.”
11. Mike Godwin, “The Many, Many, Many Flaws of CISA,” R Street Institute, October 27, 2015, https://www.rstreet.org/commentary/the-many-many-many-flaws-of-cisa/.
12. Robyn Greene, “Cybersecurity Information Sharing Act of 2015 Is Cyber-Surveillance, Not Cybersecurity,” April 9, 2015, https://static.newamerica.org/attachments/2741-cybersecurity-information-sharing-act-of-2015-is-cyber-surveillance-not-cybersecurity/CISA_Cyber-Surveillance.488b3a9d2da64a27a9f6f53b38beb575.pdf.
13. Ibid.
14. Ibid.
15. Patrick Eddington and Sascha Meinrath, “Why the Information Sharing Bill Is Anti-Cybersecurity,” Cato Institute, July 22, 2015, https://www.cato.org/commentary/why-information-sharing-bill-anti-cybersecurity.
16. Jennifer Stisa Granick, “The Right Way to Share Information and Improve Cybersecurity,” Just Security, March 26, 2015, https://www.justsecurity.org/21498/share-information-improve-cybersecurity/.
17. Andy Greenberg, “CISA Security Bill: An F for Security But an A+ for Spying,” Wired, March 20, 2015, https://www.wired.com/2015/03/cisa-security-bill-gets-f-security-spying/.
18. Mitchell Langley, “Congress Struggles to Renew Cyber Threat Sharing Act Amid Rising Cybersecurity Concerns,” Security Spotlight, September 25, 2025, https://dailysecurityreview.com/security-spotlight/congress-struggles-to-renew-cyber-threat-sharing-act-amid-rising-cybersecurity-concerns/.