
Expired protections, exposed networks: The stakes of CISA’s sunset

By: mbracken
29 September 2025 at 06:00

A critical, longstanding piece of America’s cybersecurity infrastructure is perilously close to vanishing overnight. 

On Tuesday, the Cybersecurity Information Sharing Act (CISA) expires — and with it, the legal protections that enable countless organizations to share threat intelligence with the federal government. Without swift congressional action, we risk dismantling years of progress in collaborative cyber defense at the precise moment we need it most.

As we approach CISA’s 10-year anniversary, we’re confronted with the reality that today’s threat landscape is virtually unrecognizable from a decade ago. In 2015, we worried about data breaches and website defacements. 

Today, we face AI-powered attacks, the proliferation of cybercrime-as-a-service, supply chain compromises that ripple across entire sectors, undetected cyberattacks that pre-position adversaries, and sophisticated ransomware ecosystems where criminals and nation-states share resources to scale their cyber operations.

The recent Salt Typhoon intrusions into U.S. telecommunications infrastructure underscore a harsh reality: our adversaries have evolved faster than our defenses.

The damaging cost of inaction

CISA’s expiration wouldn’t just be a bureaucratic hiccup — it would trigger a cascade of consequences across our digital infrastructure. The act’s safe harbor provisions and liability protections form the legal backbone that allows private companies to share cyber threat indicators with government agencies, without fear of lawsuits. Remove these protections, and organizations will retreat into information silos, leaving us blind to emerging threats.

Consider what could happen if these protections disappear: a financial institution that detects suspicious activity linked to a nation-state campaign could face legal exposure for sharing that intelligence. A single hospital’s medical records compromised during a cyberattack could put an entire health care system at risk. The telecommunications companies that need to coordinate during incidents like Salt Typhoon could lose their legal framework for collaboration. 

This isn’t speculation — it’s the pre-2015 reality we’d return to.

Beyond band-aids: modernizing for tomorrow’s threats

While the proposed WIMWIG Act aims to extend CISA through 2035, simply reauthorizing outdated frameworks won’t thoroughly address modern security challenges. We’re still operating in a reactive cybersecurity paradigm that tells organizations what already happened, rather than helping them understand what’s currently happening based on signals and criminal behaviors. 

Current information sharing focuses heavily on Indicators of Compromise (IoCs) — specific IP addresses, domains, and file hashes that attackers use. But in an era of AI and automation, threat actors constantly pivot their infrastructure, making these IoCs stale within days, hours, or even minutes.

The truth is, while threat intelligence serves larger organizations with mature security operations, most organizations struggle to leverage it effectively. We need intelligence that doesn’t just catalog past attacks but that provides predictive insights. 

This is why the real opportunity lies in shifting from reactive IoC sharing to proactive behavioral analytics and telemetry. Instead of sharing that an attacker used a specific IP address — infrastructure they’ll constantly replace — we need to share how they moved through networks, what techniques they employed, and what behaviors preceded the attack. Three failed login attempts might mean nothing in isolation, but when combined with lateral movement patterns and privilege escalation behaviors, they reveal an active intrusion.
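To make the contrast above concrete, here is an added example (written for this page, not code from the author or BeyondTrust) that runs a stale IoC list and a simple behavioral correlation rule over a few constructed log lines. The key=value log format, the event names, the 15-minute window and the three-failure threshold are assumptions chosen for the illustration.

```python
"""Stale IoC matching vs. behavioral correlation over constructed log events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; none of these hosts, users or addresses come from a
# real incident. The attacker (alice's session) fails three logins, succeeds,
# moves to fs-01 and adds itself to a privileged group. bob only mistypes a password.
SAMPLE_LOGS = """\
2025-09-29T10:00:01 host=ws-12 user=alice event=login_failed src=203.0.113.9
2025-09-29T10:00:07 host=ws-12 user=alice event=login_failed src=203.0.113.9
2025-09-29T10:00:12 host=ws-12 user=alice event=login_failed src=203.0.113.9
2025-09-29T10:00:20 host=ws-12 user=alice event=login_ok src=203.0.113.9
2025-09-29T10:04:31 host=ws-12 user=alice event=remote_logon dst=fs-01
2025-09-29T10:06:02 host=fs-01 user=alice event=group_add group=Administrators
2025-09-29T11:15:00 host=ws-40 user=bob event=login_failed src=198.51.100.7
2025-09-29T11:15:05 host=ws-40 user=bob event=login_failed src=198.51.100.7
2025-09-29T11:15:09 host=ws-40 user=bob event=login_failed src=198.51.100.7
2025-09-29T11:15:30 host=ws-40 user=bob event=login_ok src=198.51.100.7
"""

# Yesterday's shared indicator: the attacker has since rotated to 203.0.113.9.
STALE_IOCS = {"198.51.100.7"}
WINDOW = timedelta(minutes=15)   # assumed correlation window
FAILED_LOGIN_THRESHOLD = 3       # the "three failed login attempts" from the text


def parse_line(line: str) -> dict:
    """Parse one 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    ts_text, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.fromisoformat(ts_text)
    return event


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def ioc_hits(events: list, iocs: set) -> list:
    """Reactive approach: which users were seen from an address on the IoC list?"""
    return sorted({e["user"] for e in events if e.get("src") in iocs})


def behavior_alerts(events: list, window=WINDOW, threshold=FAILED_LOGIN_THRESHOLD) -> list:
    """Proactive approach: alert only when the behaviors chain together inside the
    window: repeated failed logins then success -> remote logon to another host ->
    addition to a privileged group. Each signal on its own stays silent."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        failed, stage, stage_ts, chain = [], 0, None, []
        for e in evs:
            kind, ts = e["event"], e["ts"]
            if kind == "login_failed":
                # keep only the failures that fall inside the sliding window
                failed = [t for t in failed if ts - t <= window] + [ts]
            elif kind == "login_ok":
                if len(failed) >= threshold:
                    stage, stage_ts = 1, ts
                    chain = ["brute_force_then_success"]
                failed = []
            elif stage == 1 and kind == "remote_logon" and ts - stage_ts <= window:
                stage, stage_ts = 2, ts
                chain.append("lateral_movement->" + e["dst"])
            elif stage == 2 and kind == "group_add" and ts - stage_ts <= window:
                chain.append("privilege_escalation:%s@%s" % (e["group"], e["host"]))
                alerts.append({"user": user, "host": e["host"], "chain": chain})
                stage, chain = 0, []
    return alerts


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOGS)
    # The stale list matches bob's harmless session and misses alice entirely.
    print("IoC matches (stale list):", ioc_hits(evts, STALE_IOCS))
    # The behavioral rule flags alice without knowing any attacker address.
    for alert in behavior_alerts(evts):
        print("Behavioral alert:", alert)
```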

This shift becomes even more critical as we enter the age of non-human identities. Cloud services, operational technology, and AI systems are creating environments where machine identities outnumber human ones 10:1.

Understanding the complex relationships and interactions across these hybrid environments requires contextual intelligence that transforms raw telemetry into actionable insights about ongoing threats and likely identities that will be targeted.

A path forward

Congress faces a choice: settle for short-term extensions that kick the can down the road or seize this moment to modernize our cyber defense systems. Some may view CISA’s potential expiration as a retreat from collective cyber defense, but it could instead represent an opportunity to build something stronger — a modern framework that demonstrates America’s commitment to defending against cyber threats at every level. 

Meaningful reauthorization must include: 

  • Enhanced liability protections that cover behavioral anomalies, not just traditional IoCs. Organizations need legal clarity in order to share the rich, contextual intelligence that actually prevents attacks.
  • Mandated reciprocity in intelligence flows. Too often, private sector sharing has been a one-way street. Federal agencies must provide consistent, enriched, and actionable intelligence back to industry partners, fostering true collaboration rather than mere collection.
  • Incorporation of AI and automation capabilities that can process behavioral patterns at scale, enabling real-time threat detection across our increasingly complex digital ecosystem.
  • Improved oversight mechanisms that ensure the program evolves with the threat landscape rather than remaining frozen in 2015-era security methodologies.

The urgency is real

With bipartisan reauthorization efforts facing tight timelines, the window to get this right is closing fast. If CISA 2015 lapses, it shouldn’t be due to political gridlock but because we’ve chosen to seize this opportunity to build a cyber defense framework worthy of the challenges ahead.

Every day of delay gives our adversaries a greater advantage. Every moment of uncertainty weakens our collective cyber defense. Congress must act decisively, not just to preserve what we have, but to build the proactive, behavior-based intelligence-sharing ecosystem our national security demands.

In just a day, we’ll either have a modernized framework for collaborative cyber defense, or we’ll watch a decade of progress crumble. The choice before Congress isn’t just about renewal — it’s about transformation. Let’s ensure any outcome strengthens, not weakens, our nation’s cyber resilience. 

The time for action is now — we must defend and protect forward.

Kevin E. Greene is the chief cybersecurity technologist for public sector at BeyondTrust. He previously held tech roles at OpenText, the MITRE Corporation and in the cybersecurity division of the Department of Homeland Security’s Science and Technology Directorate.

The post Expired protections, exposed networks: The stakes of CISA’s sunset appeared first on CyberScoop.

Contain or be contained: The security imperative of controlling autonomous AI

By: mbracken
25 September 2025 at 09:30

Artificial intelligence is no longer a future concept; it is being integrated into critical infrastructure, enterprise operations and security missions around the world. As we embrace AI’s potential and accelerate its innovation, we must also confront a new reality: the speed of cybersecurity conflict now exceeds human capacity. The timescale for effective threat response has compressed from months or days to mere seconds. 

This acceleration requires removing humans from the tactical security loop. To manage this profound shift responsibly, we must evolve our thinking from abstract debates on “AI safety” to the practical, architectural challenge of “AI security.” The only way to harness the power of probabilistic AI is to ground it with deterministic controls.

In a machine-speed conflict, the need to have a person develop, test and approve a countermeasure becomes a critical liability. Consider an industrial control system (ICS) managing a municipal water supply. An AI-driven attack could manipulate valves and pumps in milliseconds to create a catastrophic failure. A human-led security operations center might not even recognize the coordinated anomaly for hours. 

An AI-driven defense, however, could identify the attack pattern, correlate it with threat intelligence, and deploy a countermeasure to isolate the affected network segments in seconds, preserving operational integrity. In this new paradigm, the most secure and resilient systems will be those with the least direct human interaction. Human oversight will — and must — shift from the tactical to the strategic.

The fallacy of AI safety

Much of the current discourse on “AI safety” centers on the complex goal of aligning AI with human values. As AI pioneer Stuart Russell notes in his book “Human Compatible,” a key challenge is that “it is very difficult to put into precise algorithmic terms what it is you’re looking for.” Getting human preferences wrong is “potentially catastrophic.” 

This highlights the core problem: trying to program a perfect, universal morality is a fool’s errand. There is no global consensus on what “human values” are. Even if we could agree, would we want an apex predator’s values encoded into a superior intelligence? 

The reality is that AI systems — built on neural networks modeled after the human brain and trained on exclusively human-created content — already reflect our values, for better and for worse. The priority, therefore, should not be a futile attempt to make AI “moral,” but a practical effort to make it secure.

As author James Barrat warns in “The Final Invention,” we may be forced to “compete with a rival more cunning, more powerful & more alien than we can imagine.” The focus must be on ensuring human safety by architecting an environment where AI operations are constrained and verifiable.

Reconciling probabilistic AI with deterministic control

AI’s power comes from its probabilistic nature. It analyzes countless variables and scenarios to identify strategies and solutions — like the AlphaGo move that was initially laughed at but secured victory — that are beyond human comprehension. This capability is a feature, not a bug. 

However, our entire legal and policy infrastructure is built on a deterministic foundation. Safety and security certifications rely on testable systems with predictable outcomes to establish clear lines of accountability.

This creates a fundamental conflict. Who is liable when a probabilistic AI, tasked with managing a national power grid, makes an unconventional decision that saves thousands of lives but results in immediate, localized deaths? 

No human will want, or be allowed, to accept the liability for overriding an AI’s statistically superior strategic decision. The solution is not to cripple the AI by forcing it into a deterministic box, but to build a deterministic fortress around it. 

This aligns with established cybersecurity principles — such as those within NIST SP 800-53 — that mandate strict boundary protection and policy-enforced information flow control. We don’t need to control how the AI thinks; we need to rigorously control how it interacts with the world.

The path forward: AI containment

Three trends are converging: the hyper-acceleration of security operations, the necessary removal of humans from the tactical loop, and the clash between probabilistic AI and our deterministic legal frameworks. The path forward is not to halt progress, but to embrace a new security model: AI containment.

This strategy would allow the AI to operate and innovate freely within human-defined boundaries. It requires us to architect digital “moats” and strictly moderate the “drawbridges” that connect the AI to other systems. 

By architecting systems with rigorously enforced and inspected interfaces, we can monitor the AI, prevent it from being poisoned by external data and ensure its actions remain within a contained, predictable sphere. This is how we can leverage the immense benefits of AI’s strategic intelligence while preserving the deterministic control and accountability essential for our nation’s most critical missions.

Scott Orton is CEO of Owl Cyber Defense.

The post Contain or be contained: The security imperative of controlling autonomous AI appeared first on CyberScoop.

House lawmakers take aim at education requirements for federal cyber jobs

By: mbracken
21 August 2025 at 16:05

The top lawmakers on a key House cybersecurity panel are hoping to remove a barrier to entry for cyber jobs in the federal government.

Introduced this week, the Cybersecurity Hiring Modernization Act from Reps. Nancy Mace, R-S.C., and Shontel Brown, D-Ohio, would prioritize skills-based hiring over educational requirements for cyber jobs at federal agencies. 

Mace and Brown — the chair and ranking member of the House Oversight Cybersecurity, Information Technology, and Government Innovation Subcommittee, respectively — said the legislation would ensure the federal government has access to a “broader pool of qualified applicants” as the country faces “urgent cybersecurity challenges.”

“As cyber threats against our government continue to grow, we need to make sure our federal agencies hire the most qualified candidates, not just those with traditional degrees,” Mace said in a press release Thursday. “This bill cuts red tape, opens doors to skilled Americans without a four-year diploma but with the expertise to get the job done, and strengthens our nation’s cybersecurity workforce.”

Brown said in a statement that expanding the cyber workforce is “imperative” to “meet our nation’s growing need for safe and secure systems.” The bill aims to “remove outdated hiring policies, expand workforce opportunities to a wider pool of talented applicants, and help agencies hire the staff that they need,” she added. 

The bill calls on the Office of Personnel Management to annually publish any education-related changes that are made to minimum qualification requirements for federal cyber roles. OPM would also be charged with aggregating data on educational backgrounds of new hires for those cyber positions.  

Agencies would still be permitted to include minimum education requirements for cyber jobs, but “only if a minimum education qualification is required by law to perform the duties of the position in the State or locality where the duties of the position are to be performed,” per the bill text. Education can be considered if that schooling “directly reflects the competencies necessary to satisfy that qualification and perform the duties of the position.”

Easing education requirements for federal cyber contracting jobs was a priority for Harry Coker, the Biden administration’s national cyber director, and other legislation in recent years has also attempted to address the issue. 

Mace has also tried in the past to scrap minimum education requirements on federal cybersecurity jobs, introducing the Modernizing the Acquisition of Cybersecurity Experts Act in 2023. The bill passed the House but stalled out in the Senate.

The post House lawmakers take aim at education requirements for federal cyber jobs appeared first on CyberScoop.

House lawmakers seek better tech for Commerce in fight against foreign powers

By: mbracken
11 August 2025 at 13:44

A national security-focused Commerce Department component would get fresh IT investments to help keep dual-use U.S. technologies from ending up in the wrong hands under a bill reintroduced late last week by a bipartisan pair of House lawmakers.

The Bureau of Industry and Security IT Modernization Act from Reps. Jason Crow, D-Colo., and Tom Kean, R-N.J., calls for upgrades to information technology systems at Commerce’s Bureau of Industry and Security (BIS), which is charged with advancing national security priorities via tech leadership and export controls.

Those IT upgrades are aimed at helping BIS better track American-made dual-use technologies — which can be used for either commercial or military purposes — so that they aren’t made available to China, Russia or other foreign adversaries. 

“Protecting the U.S. from foreign threats is not a partisan issue,” Crow said in a press release. “Our bipartisan bill helps keep us safe by making it harder for critical U.S. technologies, like chips and advanced computer software, from falling into the hands of America’s adversaries.”

Said Kean: “As America’s adversaries, like China and Russia, become more brazen and aggressive, it is more important than ever to strengthen our export controls and sanctions enforcement to protect our national security. The bipartisan BIS IT Modernization Act is a critical step to ensure the Bureau of Industry and Security has the modern tools it needs to keep American technology out of the hands of those who seek to use it against us and our allies.”

The bill calls on the bureau to replace its current IT systems with “a unified environment” that features “seamless case and customer relationship management” and is able to provide analysis of trade data from external providers, per the bill text.

The lawmakers envision “cutting-edge data fusion” paired with analytics, other decision-making capabilities and supply chain “illumination tools” to paint a better picture of the global industrial relationship landscape.

The technology would track military users and flag “evasive trade patterns and shell companies” through enhanced processes. The bill also seeks to expand data-sharing initiatives with federal agencies, the intelligence community, international partners and industry.

The cost for these efforts would be $25 million annually from fiscal years 2026 through 2029. The House Foreign Affairs Committee and the Senate Banking Committee would be consulted on the particulars and part of the appropriations process. 

Both congressmen have championed other legislation in recent years related to technology and national security, including a bill from Kean to strengthen protections against overseas threats to U.S. networks and one from Crow that would track emerging technologies around the globe.

The reintroduction of the bill comes at a time when the U.S. seems to be walking back parts of its export control policy, which limited or outright banned the sales of chips, artificial intelligence tools and other tech items to China. According to the BBC, the Trump administration struck a deal to allow chip makers Nvidia and AMD to pursue export licenses to China by paying the U.S. government 15% of their Chinese revenues.

The post House lawmakers seek better tech for Commerce in fight against foreign powers appeared first on CyberScoop.

Microsoft’s software licensing playbook is a national security risk

By: mbracken
28 July 2025 at 06:00

News of two major Microsoft security events in as many weeks should concern every federal agency, not just because of the breaches themselves, but because of what they reveal about how the company does business.

First, ProPublica uncovered that Microsoft allowed Chinese engineers to work on sensitive U.S. military cloud projects under the supervision of underqualified subcontractors. Then came a global cyberattack exploiting a critical flaw in Microsoft SharePoint, breaching U.S. agencies, universities, and energy firms. 

These aren’t isolated incidents. They’re symptoms of a business model built around restrictive and anticompetitive software licensing practices.

Time and again, Microsoft’s security failures turn into federal growth opportunities. After cyberattacks in 2021, Microsoft promised the Biden administration $150 million in free cybersecurity upgrades. What wasn’t said upfront? These freebies locked agencies into Microsoft tools, making it costly and complex to switch. Once agencies were locked in, Microsoft raised prices. This wasn’t charity or goodwill on Microsoft’s behalf: It was a calculated move to crowd out competitors, win long-term contracts, and deepen federal dependence on Microsoft’s ecosystem.

Then, in 2023, Chinese hackers known as Storm-0558 exploited a vulnerability in Microsoft’s cloud email service. They breached more than 500 individuals and 22 organizations worldwide, including senior U.S. government officials. A 34-page report by the Cyber Safety Review Board (CSRB) later described Microsoft’s security culture as “inadequate,” warning it “requires an overhaul” given the company’s central role in the tech ecosystem. It said Microsoft’s CEO and board should institute “rapid cultural change,” including publicly sharing “a plan with specific timelines to make fundamental, security-focused reforms across the company and its full suite of products.”

The CSRB also criticized Microsoft’s delayed and opaque communications. The company waited until March 2024 to correct a misleading September 2023 blog post about the cause of the breach, after months of questioning from investigators.

Meanwhile, in early 2024, Russian hackers known as Midnight Blizzard infiltrated Microsoft’s corporate systems. Initially described as a limited incident, Microsoft later admitted that the breach was far more extensive: The hackers accessed sensitive internal emails, and even Microsoft’s source code. According to the company, Midnight Blizzard may now be using information found in customer emails to pursue further attacks.

At a June 2024 House Committee on Homeland Security hearing to address the series of cybersecurity incidents, Brad Smith, Microsoft’s vice chair and president, testified that the “bad news for the folks who want to sell plan B” is that public sector clients “don’t want to switch. They want us to get it right and we have to get it right to deserve their business.”

Smith is half right; customers don’t see a plan B, but that’s because their option to switch providers has been effectively cut off. At the core of all of this is Microsoft’s software licensing strategy. The company routinely ties its core productivity software to an ever-growing bundle (which at the upper tier includes over 30 products), limits integrations with third-party providers, making it difficult for customers to diversify their systems, and restricts how customers can use their previously purchased software on other cloud providers. These practices are not just business tactics that lock in customers — they are very real security concerns. Every single customer who received an alert from Microsoft over the weekend regarding the SharePoint hack has had to learn that the hard way. 

In addition to exposing companies to cybersecurity vulnerabilities, these practices also raise significant antitrust concerns — and are under scrutiny from regulators around the world, including reportedly by the Federal Trade Commission.

Microsoft’s largest customer — the U.S. government — needs to wake up to this threat. When customers license Microsoft software, they aren’t just buying tools — they’re buying into a system where exit is difficult, choice is limited, and security is too often an exposure.

The question isn’t whether Microsoft will respond to its latest failures. The company’s decades-long playbook — blaming the government for not doing more, then offering free upgrades post-breach only to raise prices and deepen lock-in — suggests they will deflect with a “nothing to see here” approach while capitalizing on vulnerabilities. 

The real question is whether the government will continue to accept a model that turns licensing restrictions into national dependence and vulnerabilities into profit, and repeatedly exposes our nation’s most critical information to those who wish to harm us.

Ryan Triplette is executive director of the Coalition for Fair Software Licensing.

The post Microsoft’s software licensing playbook is a national security risk appeared first on CyberScoop.

House passes bill to formalize NTIA’s cyber role following Salt Typhoon attacks

By: mbracken
14 July 2025 at 17:50

As cyber officials work to contain Salt Typhoon inside U.S. telecom networks, the House on Monday passed a bill that would officially designate one federal agency to lead efforts in protecting the nation’s digital infrastructure from such threats.

The National Telecommunications and Information Administration Organization Act cleared the House via voice vote and is now teed up for Senate consideration — the same position the bill found itself in last year before stalling out in the upper chamber.

The legislation from Reps. Jay Obernolte, R-Calif., and Jennifer McClellan, D-Va., would rebrand the Office of Policy Analysis and Development as the Office of Policy Development and Cybersecurity, and codify the NTIA’s responsibilities to lead policy initiatives and coordinate with other agencies on cyber practices for the country’s communications networks.

“NTIA is already central to advancing market-driven strategies that foster innovation, expand broadband deployment and promote a competitive digital economy,” McClellan said. “But this legislation ensures that NTIA is equally empowered to help safeguard that digital future, particularly as the cybersecurity threats we face grow more complex and more dangerous by the day.”

The Salt Typhoon attack spree last year on major American telecommunications companies, she added, was a “sobering reminder” of the vulnerabilities that live in U.S. infrastructure and “how deeply” the fallout of cyberattacks can be felt in multiple sectors, ranging from health care to national security. 

The top Democrat on the Senate Intelligence Committee last year called the far-reaching breach by the Chinese hacking group “the worst telecom hack in our nation’s history.” In interviews with CyberScoop, a half-dozen sources pointed fingers at a lack of coordination and miscommunication between federal agencies and the telecom industry.

The bill calls on NTIA to take the lead on coordinating “transparent, consensus-based, multistakeholder processes” for the development and implementation of cybersecurity and privacy policies in communications networks. Public-private partnerships would be fostered to encourage “collaboration between government agencies and stakeholders,” said Rep. Bob Latta, R-Ohio, chairman of the House Energy & Commerce Committee’s energy subcommittee.

There is also a callout in the legislation for increased collaboration between security researchers, software developers and telecoms. Collaboration will be paramount as telecoms attempt to purge the vestiges of Salt Typhoon from their networks, a feat that experts told CyberScoop will be exceedingly difficult if not impossible.

Additionally, the legislation seeks NTIA-led policies on security resilience and the pursuit of accelerated “innovation and commercialization with respect to advances in technological understanding of communications technologies,” per the bill text.

“As more and more of Americans’ lives move into a digital format, it’s leaving the information of Americans more and more vulnerable to cyberattacks,” Obernolte said. “That’s why it is critical that we establish cybersecurity protocols and capabilities to counter the threats, not just to foreign actors, but of cybercriminals and transnational criminal organizations who attempt to breach our data security and access the data of Americans.”

A separate bill that passed the House later Monday has additional cyber-related responsibilities for the NTIA and its leader, the assistant secretary for communications and information. The Understanding Cybersecurity of Mobile Networks Act would require the Commerce Department official to lead a report that examines mobile service networks’ cybersecurity and vulnerabilities that those networks and devices face from adversaries.

The legislation, co-sponsored by Reps. Greg Landsman, D-Ohio, and Kat Cammack, R-Fla., charges the NTIA chief with coordinating an interagency group to inform the report that includes experts from the National Institute of Standards and Technology, the Cybersecurity and Infrastructure Security Agency and the Department of Homeland Security’s Science and Technology Directorate.

That group, Landsman said, would “build out all of the information we need to ensure that we understand where all of our vulnerabilities are, that we are dealing with those vulnerabilities, where are the gaps, how our foreign adversaries are accessing data, how could they be accessing our data, and how to further our ability to stop our enemies from attacking our individual devices.” 

In compiling the report, NTIA should also consult with the Federal Communications Commission, the intelligence community, privacy and encryption researchers and academics, international stakeholders, standards and technical organizations, and industry, per the bill text. The legislation also calls for an analysis of the commercially available tools that can help consumers assess networks’ cybersecurity.

“It’s a good step towards ensuring we can protect our global networks from evolving threats,” said Rep. Frank Pallone, ranking member of the House Energy & Commerce Committee. “And I know we will continue to work towards securing our country’s data, devices and networks, whether from a foreign adversary or domestic threat.”

This story was updated July 15 with details on the passing of the Understanding Cybersecurity of Mobile Networks Act.

The post House passes bill to formalize NTIA’s cyber role following Salt Typhoon attacks appeared first on CyberScoop.
