Back to All Insights

The Shutdown Ends Tonight. CISA Renewal Still Won't Move.

Published on

At 510 words, this post will take 2 minutes to read.

US Capitol, topic of Brandon Karpf's analysis on CISA renewal and national security policy.

The House votes around 7 PM tonight (November 12) to end the longest government shutdown in American history. Forty-one days of chaos concludes with a continuing resolution that funds most agencies through January 30. The cybersecurity community hopes this creates legislative space for the Cybersecurity Information Sharing Act (CISA) renewal.

It won’t.

CISA (the Act, not to be confused with the Agency) expired October 1, the same day the shutdown began. Pure coincidence, terrible timing. Since September 30, private companies lost their liability protection for sharing threat intelligence with the government. The automated sharing program still runs (DHS kept the technical infrastructure operational during the lapse) but without legal protections, attorneys advise their clients to stop participating. Some estimates suggest information sharing dropped 80% since expiration.

Nobody’s talking about it. The shutdown consumed all legislative oxygen. While federal workers missed paychecks and air traffic control staffing collapsed, a critical national security framework quietly died. Senator Rand Paul killed it, more precisely. He blocked reauthorization unless it includes explicit anti-censorship language preventing CISA (the agency) from content moderation work. Paul won’t budge. Democrats won’t accept his terms. Stalemate.

Watch for three signals that renewal might advance before January 30 when the new CR expires. First, does Paul announce willingness to negotiate his censorship provisions? His draft bill from September sits unchanged—a two-year extension with new oversight requirements and AI integration language. Second, does House Homeland Security Chairman Andrew Garbarino revive the WIMWIG Act, his ten-year clean reauthorization bill introduced September 2? That proposal died when the shutdown started. Third, does industry pressure intensify? Fifty-two trade organizations sent a joint letter in May demanding renewal. They’ve been silent since expiration.

The likeliest outcome? Another punt. The January 30 CR deadline arrives, Congress scrambles to avoid another shutdown, CISA renewal gets mentioned in committee hearings, nothing moves. We repeat this cycle until someone’s network gets breached badly enough that political will materializes.

Meanwhile, private sector adapts. ISACs evolved beyond government frameworks years ago. Financial services exchanges threat data through FS-ISAC at speeds federal systems can’t match. Telecommunications providers just launched C2-ISAC—deliberately structured without any government involvement. The Cyber Threat Alliance routes information between security vendors bilaterally. When formal mechanisms atrophy, informal networks fill gaps. They always do.

This creates perverse incentives. If information sharing works without CISA, why renew it? The liability protections matter for legal departments, but operational teams built workarounds. The Automated Indicator Sharing program processed ten million indicators in 2024 compared to one million in 2023. That growth might flatline post-expiration, or companies might just route the same data through different legal structures.

Three months until the next deadline. Garbarino reintroduces WIMWIG or he doesn’t. Paul softens his position or he doesn’t. Industry mobilizes coordinated advocacy or stays quiet.

My prediction? Clean extension bundled into the next CR with promises to “address these critical issues comprehensively” in 2026. Translation: everyone acknowledges the problem, nobody wants to fight about censorship provisions during an election year, so we kick it forward again.

The shutdown ended. The legislative dysfunction continues. CISA remains expired.