HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

Congress advances Wimwig Act to replace expiring cyber intelligence law

Written by Gugu Ntsele | Sep 14, 2025 11:55:16 PM

Congress advances the Widespread Information Management for the Welfare of Infrastructure and Government (Wimwig) Act to replace the Obama-era Cybersecurity Information Sharing Act of 2015, which expires September 30th amid concerns over compliance gaps and increased organizational risks.

 

What happened

The House Homeland Security Committee passed the Wimwig Act in early September as a replacement for the Cybersecurity Information Sharing Act (CISA) of 2015. The original law, enacted during Barack Obama's presidency, established legal protections for organizations sharing cyber threat intelligence with each other and the government. CISA 2015 included a 10-year sunset clause and expires at the end of September. The replacement legislation preserves essential privacy and liability protections while clarifying the law's language to address evolving threats and ensuring private-sector insight is captured. The act passed with bipartisan support from both Democrats and Republicans, with lawmakers emphasizing the urgency of getting the legislation to President Trump's desk without delay.

 

The backstory

CISA 2015 served as the backbone of cyber defense for the past decade by providing legal protections for threat intelligence sharing. The law enabled organizations to share cyber security data without fear of legal repercussions and provided antitrust protection for industry-to-industry sharing. For example, a managed service provider compromised in a supply chain attack could share victim data with the FBI without liability concerns. The law was enacted with a sunset clause partly due to concerns that the federal government could use it to gather more private data, and to allow lawmakers to evaluate its effectiveness.

 

Going deeper

The Wimwig Act includes several updates:

  • Clarifies liability protections that remained vague under CISA 2015
  • Updates definitions to encompass emerging cyber attack tactics, including artificial intelligence
  • Preserves civil liberties and privacy protections through procedural updates
  • Ensures small to medium-sized enterprises receive more information through one-time read-ins for at-risk organizations
  • Directs federal bodies to provide voluntary technical assistance to the private sector
  • Encourages secure AI use
  • Enhances Congressional oversight of the Automated Indicator Sharing programme

 

What was said

Representative Andrew Garbarino, chairman of the House Homeland Security Committee, stated, "Stakeholders from across industry sectors have endorsed this legislation because it preserves the essential privacy and liability protections in the Cybersecurity Information Sharing Act of 2015, clarifies the law's language to better address the evolving threat landscape, and ensures private-sector insight is properly captured."

He further emphasized that "failing to ensure the relevance and efficacy of one of the federal government's most foundational cyber security tools for the next decade would threaten not only our networks, but also the security of the homeland."

Cynthia Kaiser, senior vice-president of the Ransomware Research Center at Halcyon Security and former deputy assistant director for cyber policy at the FBI's cyber division, explained, "What I used to tell people at the FBI all the time is that we can't protect you and we can't protect others if we don't hear from you."

Kaiser warned about the potential impact: "What we can't have is these conversations still being arbitrated and then have it [CISA 2015] expire on 30 September, because even a month's lapse would cause problems."

 

In the know

The Cybersecurity Information Sharing Act of 2015 functions as a framework enabling cyber threat intelligence sharing between private organizations and government agencies. The law provides two main protections: liability protection for organizations sharing cyber intelligence with federal agencies during investigations, and antitrust protection for industry-to-industry information sharing. Without these protections, organizations face legal risks when collaborating on cyber defense efforts or reporting incidents to authorities.

 

Why it matters

The expiration of CISA 2015 without replacement threatens cybersecurity collaboration well beyond US borders. Federal agencies would scale back timely threat information and updates, potentially ending international advisories like the recent China Salt Typhoon bulletin co-signed by US, British, European, Australian, Canadian and New Zealand authorities. International law enforcement operations would suffer, as agencies like the UK's National Crime Agency would receive less intelligence for cyber crime investigations. User organizations worldwide would see reduced threat intelligence from their governments due to decreased US data sharing. Additionally, cyber security suppliers and industries would limit information sharing due to antitrust and liability concerns, potentially degrading the global information sharing that has underpinned cyber defense collaboration for the past decade.

 

The bottom line

Healthcare organizations and their technology partners rely heavily on the threat intelligence sharing enabled by CISA 2015 to defend against ransomware and other cyber attacks targeting patient data. Even a brief lapse in these protections could force breach counsel to change their advice to healthcare companies about reporting incidents to federal authorities, potentially leaving the sector more vulnerable to attacks. Congress must pass the Wimwig Act before September 30th to maintain the cyber defense infrastructure that protects sensitive healthcare information and enables coordinated responses to threats targeting the healthcare industry.

 

FAQs

Why did the Cybersecurity Information Sharing Act of 2015 have a sunset clause?

The sunset clause was included to allow lawmakers to reassess its effectiveness and address privacy concerns.

 

How does the Wimwig Act change liability protections for organizations?

It clarifies vague language from CISA 2015 to reduce uncertainty for companies sharing threat data.

 

What role does artificial intelligence play in the new legislation?

The Wimwig Act updates definitions to include emerging AI-driven cyberattack tactics.

 

How does the law support small and medium-sized businesses?

It provides one-time security read-ins and directs federal agencies to offer voluntary technical help.

 

What is the Automated Indicator Sharing (AIS) programme?

AIS is a system that enables real-time cyber threat intelligence exchange between the private sector and government.