How the Cybersecurity Information Sharing Act of 2015 Helps the Food and Agriculture Sector Defend Against Attacks
- Scott Algeier
- Sep 11
Cyberattacks on U.S. critical infrastructure are accelerating in both frequency and sophistication, threatening the systems that provide food, power, healthcare, and the technology that powers our economy. Network defenders rely on a collective of trusted forums to share information about these attacks in near real-time. By working together, companies can defend themselves better than they could individually. Companies share information on attacks they see and receive information shared by others. This sharing has become a core aspect of the defense of our critical infrastructure.
This sharing is possible largely due to a legal framework established by Congress. For nearly a decade, this law, the Cybersecurity Information Sharing Act of 2015 (CISA 2015), has provided the legal foundation for trusted, voluntary information sharing across industry and between industry and government. It has enabled faster detection, coordinated response, and stronger national resilience against cyber adversaries. Unless Congress takes action, this law will expire on September 30, 2025.
Why It Matters
The threat landscape has never been more complex. Nation-state actors and organized cybercriminal groups are targeting U.S. critical infrastructure with increasing sophistication. The rapid evolution of artificial intelligence has accelerated the pace, ease, and complexity of attacks, enabling adversaries to automate reconnaissance, craft highly convincing phishing campaigns, and exploit vulnerabilities faster than ever before. The recent Salt Typhoon campaign, which infiltrated global telecommunications networks and compromised core internet routing infrastructure, underscores the scale of these risks. Similarly, supply chain attacks and subsequent breaches, including the compromise of U.S. Treasury systems and other key government agencies, revealed how deeply adversaries can penetrate both government and private networks.
Impact on Food and Agriculture
Across the food supply chain, numerous companies – from processors to distributors – have suffered disruptive cyberattacks. The Food and Agriculture – Information Sharing and Analysis Center (Food and Ag-ISAC) tracks and collects information on cyberattacks within the sector. We tracked 206 attacks against the industry in 2024, and an additional 152 to date this year. We are observing dozens of threat actors active in the industry. For 2024, these actors are broken down as follows:
- 53% of observed actors were ransomware operators, seeking to disrupt essential business operations and food production, or acting for profit.
- 28% of observed threat actors were nation-state actors, attempting to infiltrate networks as part of a long-term strategic plan to advance their national security goals.
- 15% of observed actors were cybercriminals, seeking to steal money, customer data, or other critical information.
Fortunately, these attacks have not led to national-level disruptions of the food supply. However, they do demonstrate how incidents can ripple through society, impacting food availability, economic stability, and public confidence. This complex threat environment and the potential national security implications of successful attacks require public and private sectors to work in close partnership. Information sharing serves as the cornerstone of that collaboration.
IT Supply Chain Attacks
Food and agriculture companies not only face risks from direct attacks, but they are also potential victims of so-called “supply chain” attacks on technology providers. These attacks can have impacts on the users of the targeted technology. Recent incidents highlighting the cascading effects of cyberattacks include:
- Change Healthcare (2024): A ransomware breach disrupted medical claims nationwide, delaying billions in healthcare payments.
- Snowflake-Related Breaches (2024): Attackers exploited weak credential practices and misconfigurations by some customers of the Snowflake platform, leading to unauthorized access to sensitive data across multiple organizations.
- PowerSchool Breach (2024): A cyberattack on the widely used education technology platform impacted thousands of school districts nationwide and exposed tens of millions of student and teacher records, making it one of the largest education-related breaches on record.
- MOVEit Exploit (2023): A zero-day vulnerability in widely used file transfer software led to breaches across hundreds of organizations globally, impacting sectors such as education, healthcare, finance, government, and technology services.
These incidents demonstrate how a single compromise in the IT ecosystem can cascade across other industries. Without robust information sharing, defenders cannot keep pace with adversaries exploiting zero-day vulnerabilities and supply chain weaknesses.
Why CISA 2015’s Protections Are Essential
Cyber attackers are actively collaborating and sharing with each other, making their attacks even more effective. CISA 2015 enables defenders to collaborate and protect themselves more effectively. By providing liability, anti-trust, and Freedom of Information Act (FOIA) protections, CISA 2015 provides a legal framework that incentivizes the voluntary sharing of actionable information across industry and with government, while preserving privacy and confidentiality.
This framework enables companies to share actionable threat indicators without fear of legal or regulatory repercussions. Renewal of CISA 2015 provides regulatory and legal clarity and consistency, reducing uncertainty for companies that share threat intelligence in good faith. Removing these protections introduces legal ambiguity and risks creating a chilling effect that discourages sharing and leaves the entire sector more vulnerable.
Conclusion
For sectors such as food and agriculture, where operational disruptions risk causing economic ripple effects, collaboration is essential. Reauthorizing the Cybersecurity Information Sharing Act of 2015 will preserve the trusted framework that allows industry and government to share critical threat intelligence quickly and securely. The Food and Ag-ISAC looks forward to continuing to serve as a resource for policymakers on this important matter.