Executive Summary

The U.S. House Committee on Homeland Security has released an urgent 'Cyber Threat Snapshot' report, sounding the alarm on a precarious state of U.S. cyber defense. The report details how a federal government shutdown, coupled with the expiration of key legal authorities for information sharing, is creating a perfect storm of vulnerability. Committee Chairman Andrew Garbarino warned that the lapse of the Cybersecurity Information Sharing Act of 2015 is creating 'dangerous blind spots' in the nation's networks. This comes at a time of escalating threats from nation-state actors, particularly those affiliated with the People's Republic of China (PRC) and Iran, and a continued barrage of attacks against U.S. critical infrastructure.

Regulatory Details

A central focus of the report is the lapse of the Cybersecurity Information Sharing Act of 2015 (CISA 2015). This law provided legal protections for private companies to share cyber threat information with the government (and vice-versa) without fear of liability. Its expiration severely chills this vital public-private partnership.

• Impact of Lapse: Without these protections, companies may be hesitant to share indicators of compromise (IOCs) or details of attacks, fearing lawsuits. This deprives government agencies like CISA and the FBI of the comprehensive threat data needed to see the bigger picture, connect disparate attacks, and warn other potential victims.
• Government Shutdown: The shutdown exacerbates the problem by furloughing a significant portion of the federal cybersecurity workforce. This means fewer analysts are available to process what little data is coming in, fewer experts are monitoring network sensors, and the government's overall response capability is degraded.

Affected Organizations

The report highlights a nationwide risk affecting:

• U.S. Federal Government: Directly impacted by furloughs and reduced operational capacity.
• U.S. State and Local Governments: The report notes major cyber incidents in at least 44 states in 2025.
• U.S. Critical Infrastructure: Identified as the primary target, with approximately 70% of all cyberattacks in 2024 aimed at these sectors (Manufacturing, Finance, Energy, Transportation, Healthcare, etc.).

Threat Landscape Overview

The committee's snapshot paints a grim picture of the current threat environment:

• Nation-State Actors: Increased activity from actors affiliated with China, Iran, Russia, and North Korea.
• Iranian Threat Spike: A 133% spike in Iranian-affiliated cyberattacks was recorded in May and June of this year.
• AI-Driven Attacks: One in six data breaches in 2025 involved attacks driven by artificial intelligence, indicating a shift towards more sophisticated and automated campaigns.
• Financial Cost: The average cost of a data breach in the U.S. has hit a record ten million dollars in 2025, double the global average.

Impact Assessment

The combined effect of the shutdown and the lapsed law is a significant degradation of the United States' national cybersecurity posture.

• Reduced Situational Awareness: The government is effectively 'flying blind' without the flow of data from the private sector, unable to detect large-scale campaigns in their early stages.
• Delayed Response: A reduced workforce means slower analysis, slower attribution, and slower dissemination of warnings to potential targets.
• Increased Risk to Critical Services: With critical infrastructure being the primary target, this weakened defense posture puts essential services like power, water, finance, and healthcare at a heightened risk of disruption.

Guidance and Recommendations

While the report is a warning, not a policy mandate, its implicit recommendations are clear:

1. End the Shutdown: Fully fund federal cybersecurity agencies to ensure they are staffed and operational.
2. Renew Information Sharing Legislation: Congress must act swiftly to reauthorize the Cybersecurity Information Sharing Act or pass a similar law that provides liability protection for private sector partners.
3. Strengthen Public-Private Partnerships: Even without the legislation, the report is a call to action for government and industry to find ways to continue collaborating to defend against common adversaries.