The Cybersecurity Information Sharing (WIMWAG) Act at a Crossroads: Renewal, Revision, and Privacy Concerns
By Ramyar Daneshgar
Security Engineer | USC Viterbi School of Engineering
Disclaimer: This article is for educational purposes only and does not constitute legal advice.
Executive Summary
The Cybersecurity Information Sharing Act (CISA), originally enacted in 2015, has served as the legal foundation for cybersecurity cooperation between the private sector and the federal government. The statute created liability protections for companies that share threat indicators and defensive measures with federal agencies. These protections have enabled large-scale intelligence sharing that strengthens national security against cyberattacks.

CISA is scheduled to expire on September 30, 2025. To address this deadline, lawmakers are advancing the What Is Mine We All Guard (WIMWAG) Act, a bill that would extend CISA’s protections through 2035 while revising key provisions related to privacy, liability, and scope of information sharing. Although the legislation has bipartisan support, debates continue around the balance between national security, commercial liability protections, and constitutional rights, particularly regarding the potential effect on political speech.
Historical Context: Why CISA Was Created
The Cybersecurity Information Sharing Act (CISA) of 2015 was born from the recognition that cyber threats cannot be mitigated in isolation. Prior to its passage, companies were reluctant to share incident data with government partners for two primary reasons. First, there was significant litigation risk: disclosures about breaches or vulnerabilities could expose organizations to shareholder suits, consumer class actions, or regulatory penalties. Second, there was a privacy law conflict: transmitting personal or sensitive data to federal agencies risked violating existing statutes, including sector-specific frameworks such as HIPAA and GLBA.
CISA sought to resolve these concerns by creating a statutory liability shield for private entities that shared cyber threat indicators and defensive measures “in good faith” with the Department of Homeland Security (DHS) and other federal agencies. To further encourage participation, the statute emphasized voluntary cooperation rather than mandatory disclosure.

The Act also included explicit privacy safeguards, requiring companies to remove personal information before sharing and limiting how federal agencies could use received data. DHS was directed to automate and expedite dissemination of shared threat indicators through platforms such as the Automated Indicator Sharing (AIS) program, enabling near real-time visibility across the federal and private sector.
Over the past decade, this framework has provided the legal scaffolding for large-scale intelligence sharing and has measurably improved situational awareness, particularly during high-impact incidents such as the SolarWinds compromise and nationwide ransomware campaigns. At the same time, privacy advocates have consistently criticized the law, arguing that the personal information removal requirements have not always been consistently applied or enforced.
The WIMWAG Bill: Extending to 2035
The proposed WIMWAG legislation would extend CISA’s liability protections and data sharing framework for another ten years. It also seeks to address key weaknesses in the original statute.
1. Privacy Enhancements
- Clearer Definitions of Personal Data: The bill introduces refined categories of personal identifiers, aiming to prevent broad collection of consumer information under the guise of cybersecurity.
- Mandatory Auditing: DHS and partner agencies must conduct annual audits verifying that personal data was removed prior to ingestion. Results must be reported to Congress.
- Independent Privacy Officer: Each participating federal agency must appoint a designated officer responsible for overseeing data minimization.
2. Liability Revisions
- Narrower Safe Harbors: Liability protections are limited to “cybersecurity-related information.” Companies cannot use CISA as a blanket defense if they share consumer or commercial data unrelated to threat indicators.
- Framework-Linked Protection: The bill ties liability shields to compliance with established frameworks, including NIST SP 800-171 and ISO 27001. Organizations that align with these standards receive enhanced safe harbor protections.
- Good Faith Clause Expansion: Courts are granted clearer guidance on evaluating “good faith” by considering documented redaction practices, incident response procedures, and audit logs.
3. Oversight and Transparency
- Congressional Reporting: Agencies must submit annual reports disclosing the number of indicators received, categories of incidents, and retention periods.
- Inspector General Reviews: The Inspector General of DHS will conduct triennial reviews to assess whether the statute has been misapplied to suppress political speech or capture unrelated communications.
- Public Transparency Portal: A centralized portal will provide aggregated, de-identified statistics on information sharing activity, increasing public trust.
Points of Legal and Policy Debate
Although the WIMWAG Act is positioned as a bipartisan reform, several contentious issues remain:
- Political Speech Suppression Concerns: Critics argue that the broad definition of “cyber threat indicators” could be misapplied to include communications linked to political discourse, particularly in contexts involving disinformation campaigns. Civil liberties organizations warn that information sharing could have an effect on online speech if companies fear liability for failing to flag content.
- Commercial Liability and Overreach: Some business groups question whether narrowing liability protections will discourage participation by exposing companies to lawsuits. The concern is that overly restrictive liability shields may shift the risk calculus for private entities and reduce voluntary cooperation.
- Scope of Federal Access: Privacy advocates continue to emphasize the need for independent review of whether agencies use shared data strictly for cybersecurity purposes or expand into unrelated law enforcement investigations. Without clear safeguards, critics argue that CISA could evolve into a backdoor surveillance mechanism.
Comparative Insight: CISA vs. International Regimes
The debate over CISA renewal mirrors global conversations.
- European Union: The EU’s Network and Information Systems Directive (NIS2) requires mandatory reporting of certain incidents but does not provide broad liability shields. Instead, it imposes fines for non-compliance.
- Asia-Pacific: Jurisdictions like Singapore and Japan have emphasized public-private partnerships but with stronger governmental control over incident reporting.
By contrast, the U.S. model remains uniquely voluntary and liability-focused, relying on incentives rather than penalties. The WIMWAG Act seeks to preserve this approach but adds new accountability guardrails.
Practical Implications for Companies
For private entities that regularly engage with federal threat-sharing programs, the WIMWAG Act has direct compliance and risk management implications.
- Data Governance: Companies must ensure that information shared with DHS and other partners is stripped of personal identifiers to remain within statutory protections.
- Framework Alignment: Organizations that can document compliance with industry standards such as NIST SP 800-53, ISO 27001, and CIS Controls may be better positioned to invoke safe harbor protections under the revised statute.
- Documentation and Audit Trails: Maintaining detailed records of information sharing decisions, including redaction procedures, will be critical for demonstrating good faith and avoiding liability exposure.
Conclusion
The pending expiration of CISA creates both urgency and opportunity. The WIMWAG Act represents an attempt to modernize the framework for cybersecurity information sharing, extend liability protections, and address longstanding privacy concerns. However, unresolved questions about the boundaries of federal access, the definition of political speech, and the balance of liability protections ensure that the renewal debate will remain contested.