The Cybersecurity Information Sharing Act of 2015 (CISA 2015) was enacted during a period of heightened anxiety over massive state-sponsored breaches and the burgeoning threat of global ransomware. Its architects envisioned a nationwide “digital neighborhood watch,” where private companies and the federal government would swap “indicators of compromise” (IOCs) in real-time, shielded by broad liability protections.
However, nearly a decade later, the framework of CISA 2015 has stagnated, and the landscape of cybersecurity has evolved. As the law faces its sunset and the debate over its renewal intensifies, a cold-eyed assessment of its flagship program, the Automated Indicator Sharing (AIS) system, reveals a system that is not only failing to meet its objectives but is increasingly viewed as an obsolete relic of an earlier era of cyber defense.
A Program in Terminal Decline
The primary justification for renewing CISA 2015 is the expansion of threat intelligence sharing. Yet, according to the federal government’s own auditors, the law has presided over a dramatic contraction, not an expansion, of shared intelligence.
The Department of Homeland Security’s Office of Inspector General (OIG) has released several scathing reports (notably OIG-24-60 and the final 2025 assessment OIG-25-46) documenting the steady erosion of the AIS program. The data paints a picture of a “ghost town” of information exchange:
- Participation Collapse: The number of non-federal participants using AIS to share information peaked at 304 in 2020. By late 2022, that number had plummeted to 135. As of late 2024, active non-federal participants have dwindled to fewer than 90.
- Indicator Freefall: More telling than the number of participants is the volume of data shared. Between 2020 and 2022, the sharing of IOCs through AIS declined by a staggering 93%.
- The “Single Source” Mirage: While CISA reported a surge in shared indicators in 2024 (climbing from 1 million to 10 million), the OIG revealed that 89% of that data came from a single private-sector participant.
This “unevenness” is a critical indicator of systemic failure. When a national security program relies on a single corporate benefactor for nearly 90% of its utility, it is no longer a “nationwide sharing” initiative; it is a specialized partnership disguised as a broad statutory success. The federal government’s inability to recruit and retain a diverse range of data producers suggests that the private sector has voted with its feet, finding the AIS framework fundamentally mismatched to modern operational needs.
The Superiority of Decentralized, Sectoral Information Sharing
The second reason to oppose the renewal of CISA 2015 is that the market and the nonprofit community are already doing what CISA failed to deliver. Commercial threat intelligence services, nonprofit Information Sharing and Analysis Centers (ISACs), and industry consortia like the Cyber Threat Alliance have emerged as the gold standard for information sharing. Oddly, the CISA-run system, at its core an attempt to centralize power, relies entirely on the volition of information sharers to get its data. Unlike commercial and some nonprofit threat intel services, which operate telemetry services that automate data collection, CISA relies on voluntary decisions by agencies and enterprises to send data into the AIS.
The Power of Context
Modern cybersecurity is no longer about having a “list” of bad IP addresses; it is about understanding the Tactics, Techniques, and Procedures (TTPs) of specific adversaries.
- ISACs: ISACs were products of the Clinton administration’s critical infrastructure security commission. From the late 1990s on, sector-specific groups like the Financial Services ISAC (FS-ISAC) or the Electricity ISAC (E-ISAC) have provided “vetted” intelligence. When a bank shares data with FS-ISAC, it is reviewed by human analysts who understand the specific banking software and regulatory environment. This “contextualized” data is actionable.
- Commercial Feeds: Companies today pay for specialized feeds (such as those from CrowdStrike, Mandiant, or LevelBlue) that provide high-fidelity data tailored to their specific attack surface.
In contrast, the AIS program—mandated by CISA 2015—focuses on machine-to-machine bulk sharing of raw indicators. This approach prioritizes quantity over quality.
| | AIS (Federal) | Sectoral ISACs / Commercial |
| --- | --- | --- |
| Data Quality | Raw, often unverified IOCs. | Vetted, high-fidelity TTPs. |
| Actionability | High false-positive rate. | Low false-positive rate; sector-relevant. |
| Trust Model | Anonymous/Bureaucratic. | Peer-to-peer/Community-based. |
| Response | Passive (repository). | Active (collaborative defense). |
Renewing CISA 2015 under the guise of “improving” information sharing ignores the reality that the “sharing” problem has been solved elsewhere. The federal government’s attempt to duplicate these high-trust, high-context environments through a centralized, one-size-fits-all statute has proven to be a redundant exercise that consumes millions in taxpayer dollars with little added value.
The Centralization Myth: Data Without Responsibility
The fundamental philosophical flaw of CISA 2015 is its attempt to centralize cyber threat data in federal hands, while the responsibility for action remains decentralized and the sources of data are highly distributed. This creates a structural bottleneck that actively hinders effective defense. The only real agenda behind the renewal of the act is the bureaucratic interest of the Cybersecurity and Infrastructure Security Agency (CISA) in giving itself a bigger budget and a more central role in “managing” cybersecurity.
The Responsibility Gap
Cybersecurity is an operational, “on-the-ground” discipline. The entities best positioned to detect, mitigate, and recover from an attack are the IT departments of the specific organizations being targeted, or specialist threat intel providers. A hospital in Ohio or a municipal water plant in Florida needs specific, immediate intelligence about threats to its own infrastructure. While it is true that information specifically targeted at hospitals or water plants could be useful to these actors, the vast majority of threat intel out there is not relevant to them.
The AIS program operates on a “hub-and-spoke” model where all roads lead to the Department of Homeland Security. The “centralized” data repository becomes a “black hole”—data enters, is scrubbed for privacy, analyzed by a distant bureaucracy, and by the time it is redistributed, the threat has often morphed or the “indicator” (like an IP address) has been discarded by the attacker. But most of the data is just not relevant.
The “Noise” Problem
For most organizations, the bulk data provided by the AIS is not an asset; it is noise. Security Operations Centers (SOCs) are already overwhelmed by thousands of alerts per day. Ingesting millions of unvetted, uncontextualized indicators from a nationwide AIS often leads to “alert fatigue,” where real threats are missed because analysts are chasing ghost indicators that have no relevance to their specific environment.
By attempting to centralize this data, CISA 2015 encourages a “compliance-over-security” mindset. Organizations may feel they are doing their part by “sharing with the government,” but this centralized reporting does little to actually harden their own defenses or provide them with the specific intelligence needed to survive a sophisticated intrusion.
Conclusion: Let it Expire
The Cybersecurity Information Sharing Act of 2015 was a product of its time—a well-intentioned but ultimately flawed attempt to treat digital defense like a centralized military operation. The evidence from the past decade is clear:
- The program is failing statistically, with participation and data volume in freefall.
- Superior alternatives exist in the private and nonprofit sectors that provide the context and trust the government cannot replicate.
- The centralized model is structurally unsound, creating a repository of “noise” that provides little value to the organizations actually responsible for securing the nation’s infrastructure.
Renewing CISA 2015 would be a victory for bureaucratic inertia, but a defeat for cybersecurity efficacy. Instead of reauthorizing a law that supports a declining and ineffective AIS program, policymakers should pivot toward supporting the organic, decentralized ecosystems of the ISACs and focusing federal resources on securing the government’s own notoriously vulnerable networks. Cyber defense belongs at the edge, in the hands of the practitioners—not in a centralized federal database that the industry has clearly outgrown.
The post Don’t Renew the Cybersecurity Information Sharing Act appeared first on Internet Governance Project.