Cyberattacks are hurting US businesses. Here’s how Congress can upgrade cybersecurity information sharing.
Cybersecurity is a team sport, yet small and medium-sized businesses (SMBs) have spent years on the sidelines, despite being the targets of an estimated 43 percent of cyberattacks in the United States. As Congress discusses renewing the United States’ cybersecurity information-sharing framework, it’s time to finally welcome SMBs into the cybersecurity community.
On September 30, the framework for sharing important cybersecurity information between government and industry, the Cybersecurity Information Sharing Act of 2015 (CISA 2015), will expire unless Congress acts. This law—distinct from the similarly named Cybersecurity and Infrastructure Security Agency (also CISA)—provides essential legal protections that allow private companies to share cyber threat information among themselves and with the government.
There is already bipartisan support for renewing CISA 2015. Senators Gary Peters (D-MI) and Mike Rounds (R-SD) introduced legislation to extend the current law for another ten years without changes, an approach supported by major trade associations. The bill’s authors correctly emphasize the importance of preserving the established information-sharing environment. Yet, renewing CISA 2015 unchanged leaves the cybersecurity community blind to critical threat intelligence that SMBs uniquely hold.
As originally passed, CISA 2015 removed legal barriers and disincentives to sharing cyber threat data. It provides liability protections and exemptions from certain public disclosure requirements or regulatory penalties for companies that share threat indicators in good faith. These protections significantly reduce the risk of lawsuits or regulatory enforcement when organizations exchange information with the Department of Homeland Security (DHS) or other companies under the framework, provided the information was anonymized and used strictly for a “cybersecurity purpose.”
These protections dramatically enhanced cybersecurity information sharing. In the private sector, entities such as the Cyber Threat Alliance formed to facilitate voluntary company-to-company information sharing. Information Sharing and Analysis Centers (ISACs), organizations dedicated to collecting, analyzing, and disseminating sector-specific threat data, have also grown substantially. The National Council of ISACs now comprises twenty-seven sector-specific ISACs, while the Multi-State ISAC alone exceeded 18,000 members last year. These members share cyber threat information directly because of the protections offered by CISA 2015. Even government programs have evolved in response. DHS’s Automated Indicator Sharing (AIS) platform has significantly improved rapid information exchanges and threat awareness, aided by CISA 2015 protections.
SMBs are being left behind
Still missing from this list, however, are the large number of SMBs that operate across the United States. SMBs have largely been overlooked, are subject to a large number of attacks, and their employees face social engineering threats such as phishing and fraud 350 percent more often than those at large companies. While platforms such as DHS’s AIS are beneficial to larger corporations, SMB participation remains limited due to high costs, technical complexity, and inadequate outreach. This exclusion leaves SMBs vulnerable and deprives the cybersecurity community of a significant source of threat intelligence.
Since 2015, the cyber threat landscape has evolved, with SMBs now frequent targets. Roughly one in three small businesses will suffer a cyberattack in the next year, with each incident costing an average of nearly $255,000, almost an order of magnitude greater than the 2014 average cost of $27,752. This changed threat landscape, combined with SMBs’ lack of participation in information sharing, leaves a gap.
Any new CISA 2015 authorization should address this gap to benefit the entire cybersecurity ecosystem. SMBs represent a valuable source of threat data, and integrating their insights would significantly enhance predictive capabilities and resilience. Strengthening SMB defenses would also reduce opportunities for attackers to exploit smaller entities as gateways to larger networks.
How Congress can update CISA 2015
To achieve this integration, Congress should ensure any reauthorization addresses four targeted reforms.
First, clarify definitions. The term “cybersecurity purpose” should explicitly include protections against social engineering threats such as fraud and phishing, ensuring SMBs receive comprehensive coverage for the threats they face.
Second, incentivize more participation among SMBs. Congress should authorize a DHS-managed initiative specifically designed to provide smaller businesses with accessible, actionable threat intelligence and affordable cybersecurity resources. Federal support could take the form of grants, vouchers, or subsidized cybersecurity solutions.
Third, codify successful operational models into law. This was attempted last year with a bill introduced by Representative Eric Swalwell (D-CA-14) that would codify CISA 2015’s Joint Cyber Defense Collaborative (JCDC). The JCDC has successfully united federal agencies and private companies to effectively respond to high-profile cyber incidents, including the exploitation of Ivanti gateway vulnerabilities and the July 2024 CrowdStrike outage. Currently, JCDC and many similar programs lack explicit statutory authority, making them vulnerable to termination by executive action, which is what happened to the Critical Infrastructure Partnership Advisory Council in March of this year. Codifying such programs ensures sustained and consistent cybersecurity collaboration irrespective of political shifts.
Fourth, rename the law to clearly distinguish it from the Cybersecurity and Infrastructure Security Agency. Cybersecurity acronyms are hard enough as it is. A new name, such as the Cyber Intelligence Sharing and Protection Act (CISPA), a name from an earlier version of CISA 2015, would eliminate the confusion caused by acronym duplication.
Reauthorizing CISA 2015 with these targeted improvements—clearer definitions, SMB support, codification of proven programs, and a distinct identity—will ensure that SMBs play their part in and benefit from making the next decade of cybersecurity more resilient than the last.
Tanner Wilburn is a recent graduate of the Indiana University Maurer School of Law with an MS in cybersecurity risk management from the Luddy School of Informatics, Computing, and Engineering.
Sara Ann Brackett is an assistant director with the Cyber Statecraft Initiative, part of the Atlantic Council Tech Programs.
Urmita Chowdhury is an assistant director for trainings and competitions at the Cyber Statecraft Initiative, part of the Atlantic Council Tech Programs.