Dems introduce bill to halt mass voter roll purges

The Trump administration wants your voter data.

Since President Donald Trump took office in January, the Department of Justice has made an ambitious effort to collect sensitive voter data from all 50 states, including information that one election expert described as “the holy trinity” of identity theft: Social Security numbers, driver’s license numbers and dates of birth.

In states where Trump’s party or allies control the levers of government, this information is handed over willingly. In states where they do not, the DOJ has formally asked, then threatened and then sued states that refuse. The department has also claimed many of these reluctant states are failing to properly maintain their voter registration rolls, and has pushed states to more aggressively remove potentially ineligible voters.

This week, Democrats in the House and Senate introduced new legislation that seeks to defang those efforts by raising the legal bar for states to purge voters based on several factors, such as inactivity or changing residency within the same state.

The Voter Purge Protection Act, introduced by Sen. Alex Padilla, D-Calif., and Rep. Joyce Beatty, D-Ohio, would amend the National Voter Registration Act to make it more difficult for states to kick large numbers of voters off their rolls for actions that Democrats — and many election officials — say are common, overwhelmingly benign and not indicative of voter fraud.

Padilla told reporters that the legislation would help ensure “that Americans cannot be stripped of their right to vote without proof that a voter has either passed away or has permanently moved out of their state.”

Voters targeted for removal must also be notified by election officials “so that there’s no surprise when they show up to vote on election day that their name is not on the list and it’s too late to address whatever the issue may or may not be,” Padilla said.

Beatty pointed to her home state, where Republican Secretary of State Frank LaRose removed more than 155,000 voters from active voter rolls in 2024, as an example of where federal protections are needed. The primary factor for purging those voters was records showing they had not cast a ballot in an election for the past four years.

She claimed more than half of the voters who stand to be affected by similar purges in 2025 and 2026 are registered in counties where demographic minorities make up a majority of voters.

“Let me be clear: voting is not use-it-or-lose the right, because too often these so-called voter purges have silenced voices, people of color, people of low income communities, and even our seniors who have waited and fought for the right to vote,” Beatty said.

Meanwhile, a comprehensive post-election audit conducted by LaRose’s office in 2024 identified and referred 597 “apparent noncitizens” on state voter rolls to the state Attorney General for further review, out of 8 million state voters. Critically, 459 of those registered voters never cast an actual ballot, and similar audits performed by LaRose in 2019, 2021 and 2022 found that such people made up similarly minuscule percentages of all active registered voters in the state. Last month, his office put out a press release touting an additional 78 “apparent noncitizens” registered, 69 of whom had no evidence of voting.

“States have the responsibility to keep accurate voter rolls and ensure election integrity,” LaRose added. “In order to meet that responsibility, we need more access to data from the federal government. I will continue to push until we have the resources we need to do our jobs to the standard Ohioans deserve.”

As any state election official will tell you, voter registration lists are never static — every day, people die, get married (or divorced), take on different names, become naturalized citizens or experience a range of other life events that can impact their registration status or result in outdated information. Further, it’s not typically viewed as unusual or a sign of fraud when voters sparingly make use of their registration to vote, though most election experts endorse some level of database maintenance to remove inactive voters.

But it is often these discrepancies that get highlighted by Trump and state allies as evidence of unacceptably messy voter rolls that justify stricter removal policies.

And there are election officials — mostly in Republican-controlled states — who have embraced the philosophy that even small numbers of questionable registrations or voter fraud must be aggressively stamped out or it will lead to American voters losing faith in their democracy. LaRose and Georgia Republican Secretary of State Brad Raffensperger have long championed a similar approach to voter maintenance, and have called for Congress to pass laws making it easier for states to remove voters during election years.

“List maintenance is about election security and voter confidence,” Raffensperger said last month while announcing that approximately 146,000 Georgia voters would be moved to inactive voter rolls, including 80,754 voters who had moved to another county within the state. “We want every Georgian to have full faith in the system, knowing that our elections are free, fair — and fast.”

Critics have pointed out that states already have numerous, effective means for preventing mass voter registration or fraud that have been borne out by post-election audits finding very low instances of fraud, and that overly harsh policies around list maintenance can and do end up disenfranchising far more eligible voters than bad actors. Further, they argue against removing large numbers of voters without a robust follow-up process from states to give affected voters an opportunity to appeal or address any discrepancies that may affect their registration.

The bill has 22 Democratic co-sponsors in the Senate and 24 in the House but is unlikely to gain serious consideration under a Republican-controlled Congress, where most GOP members have long believed voter fraud is rampant and are broadly supportive of state and federal efforts to remove voters based on those same factors.

Asked by CyberScoop how Democrats would navigate that reality, Padilla said the legislation was part of a broader overall effort to push back on these efforts at all levels of constitutional governance. That includes states fighting to protect their constitutional role as administrators of elections when denying data requests from the federal government, within the court system as states and voting rights groups fight in court to block the administration’s use of the SAVE database as a pretext for voter removal, and through public awareness and politics.

Teeing up legislation to prevent states from potentially disenfranchising voters from spurious purges, he said, is part of asserting Congress’ constitutional role in a much broader fight about the way elections are run.

“We’re pushing back on it at every turn and calling attention to it, so that voters understand what they may be facing and make all the necessary preparations so that their right to vote is not denied, whether it’s in next year’s midterm elections or even other regular or special elections before then,” Padilla said.

The post Dems introduce bill to halt mass voter roll purges  appeared first on CyberScoop.

Sen. Peters tries another approach to extend expired cyber threat information-sharing law

A top Senate Democrat introduced legislation Thursday to extend and rename an expired information-sharing law, and make it retroactive to cover the lapse that began Oct. 1.

Michigan Sen. Gary Peters, the ranking member of the Homeland Security and Governmental Affairs Committee, introduced the Protecting America from Cyber Threats (PACT) Act, to replace the expired Cybersecurity and Information Sharing Act of 2015 (CISA 2015) that has provided liability protections for organizations that share cyber threat data with each other and the federal government. Industry groups and cyber professionals have called those protections vital, sometimes describing the 2015 law as the most successful cyber legislation ever passed.

The 2015 law shares an acronym with the Cybersecurity and Infrastructure Security Agency, which some Republicans — including the chairman of Peters’ panel, Rand Paul of Kentucky — have accused of engaging in social media censorship. As CISA 2015 has lapsed and Peters has tried to renew it, “some people think that’s a reauthorization of the agency,” Peters told reporters Thursday in explaining the new bill name.

“There are some of my Republican colleagues who have concerns about CISA as the agency, and I remind them, this is not about the agency,” he said. “It’s about … cybersecurity protections and the ability to have liability protections and to be able to share information. I’ve often heard the chair conflate the two, and I have to continually remind him.”

A House bill also would establish a different name.

Paul has objected to Peters’ attempts on the floor to extend CISA 2015. A shorter-term extension of the law was included in the House-passed continuing resolution to keep the government open, but that bill didn’t advance in the Senate, prompting a shutdown.

Peters’ latest bill, like earlier legislation he co-sponsored with Sen. Mike Rounds, R-S.D., would extend CISA 2015 for 10 years. He rejected the idea of trying to get a shorter-term extension until a longer-term extension could be passed.

“One thing that is very clear from all of the stakeholders is that they need long-term certainty when it comes to these protections, that you can’t operate with just a few-week-patch and then another few-week–patch,” Peters said. “That’s no way to run a business. That’s no way to run a sophisticated cybersecurity operation.”

Michael Daniel, leader of the Cyber Threat Alliance made up of cybersecurity companies, told CyberScoop that his organization hasn’t been affected by the lapse yet, but that’s partially because it’s an organization that was set up with the long term in mind, with a formalized structure that included information-sharing requirements for members.

The lapse might also not immediately affect other organizations, he said, comparing it to the risks of the government shutdown underway.

“An hour-long lapse doesn’t really do very much, but the longer it goes on, the more you have time for organizations to say, ‘Well, maybe we need to reconsider what we’re doing, maybe we need to think about it differently,’” Daniel said. “The longer it goes on, you start having questions about, ‘Maybe this thing won’t get reauthorized down the road.’ And once you start questioning the long-term prospects, that’s when people start making changes in their behavior.”

Peters said he’s heard from organizations becoming increasingly nervous about the expiration, but didn’t want to comment on whether any had stopped sharing because that’s “sensitive information, important information, and our adversaries should know as little about what’s happening as possible.”

Peters said he wouldn’t comment on his deliberations with Paul, or comment on Paul’s motives for objecting to his floor maneuvers. Paul cancelled a planned markup of his own version of CISA 2015 renewal legislation in September that included language on free-speech guarantees under CISA the agency, with a spokesperson saying Democrats had requested more time and were “not negotiating in good faith.”

Peters told reporters that claim was “absolutely false … the problem is not on our end.”

The revised Peters legislation doesn’t touch on the topic of free speech. Democrats and Republicans have blamed one another for the government shutdown.

“Firstly, this authority will be turned back on when Democrats, including the bill sponsor, vote to reopen the government,” said Gabrielle Lipsky, a spokesperson for Paul. “The Senator has made it clear that a longer-term reauthorization will need robust free speech protections included.”

Peters said he had spoken to Senate Majority Leader John Thune, R-S.D., about getting the bill through Senate procedures. He and Rounds have both been speaking with colleagues to gain backing. The Trump administration also has been lobbying senators to support a CISA 2015 reauthorization.

“I’m confident that if this bill gets to the floor for a vote, it will not only pass, it will pass overwhelmingly,” he said. “And that’s what we’re working to do.”


Potential EU law sparks global concerns over end-to-end encryption for messaging apps

Tech experts and companies offering encrypted messaging services are warning that pending European regulation, which would grant governments broad authority to scan messages and content on personal devices for criminal activity, could spell “the end” of privacy in Europe.

The European Union will vote Oct. 14 on a legislative proposal from the Danish Presidency known as Chat Control — a law that would require mass scanning of user devices for abusive or illegal material. Over the weekend, Signal warned that Germany — a longtime opponent and bulwark against the proposal — may now move to vote in favor, giving the measure the support needed to pass into law.

On Monday, Signal CEO Meredith Whittaker warned that her company, which provides end-to-end encrypted communications services, could exit the European market entirely if the proposal is adopted.

“This could end private comms — [and] Signal — in the EU,” Whittaker wrote on Bluesky. “Time’s short and they’re counting on obscurity: please let German politicians know how horrifying their reversal would be.”

According to data privacy experts, Chat Control would require access to the contents of apps like Signal, Telegram, WhatsApp, Threema and others before messages are encrypted. While ostensibly aimed at criminal activity, experts say such features would also undermine and jeopardize the integrity of all other users’ encrypted communications, including journalists, human rights activists, political dissidents, domestic abuse survivors and other victims who rely on the technology for legitimate purposes.

The pending EU vote is the latest chapter in a decades-long battle between governments and digital privacy proponents about whether, and how, law enforcement should be granted access to encrypted communications in criminal or national security cases.

Supporters point to increasing use of encrypted communications by criminal organizations, child traffickers and terrorist organizations, arguing that unrestricted encryption impedes law enforcement investigations, and that some means of “lawful access” to that information is technically feasible without imperiling privacy writ large.

Privacy experts have long argued that there are no technically feasible ways to provide such services without creating a backdoor that could be abused by other bad actors, including foreign governments.

Whittaker reportedly told the German Press Agency that “given a choice between building a surveillance machine into Signal or leaving the market, we would leave the market,” while calling repeated claims from governments that such features could be implemented without weakening encryption “magical thinking that assumes you can create a backdoor that only the good guys can access.”

The Chaos Computer Club, an association of more than 7,000 European hackers, has also opposed the measure, saying its efforts to reach out to Germany’s Home Office, Justice Department and Digital Minister Karsten Wildberger for clarity on the country’s position ahead of the Chat Control vote have been met with “silence” and “stonewalling.”

The association and U.S.-based privacy groups like the Electronic Frontier Foundation have argued that the client-side scanning technology that the EU would implement is error-prone and “invasive.”

“If the government has access to one of the ‘ends’ of an end-to-end encrypted communication, that communication is no longer safe and secure,” wrote EFF’s Thorin Klosowski.

Beyond the damage Chat Control could cause to privacy, the Chaos Computer Club worried that its adoption by the EU might embolden other countries to pursue similar rules, threatening encryption worldwide.

“If such a law on chat control is introduced, we will not only pay with the loss of our privacy,” Elina Eickstädt, spokesperson for the Chaos Computer Club, said in a statement. “We will also open the floodgates to attacks on secure communications infrastructure.”

The Danish proposal leaves open the potential to use AI technologies to scan user content, calling for such technologies “to be vetted with regard to their effectiveness, their impact on fundamental rights and risks to cybersecurity.”

Because Chat Control is publicly focused on curtailing child sexual abuse material (CSAM), the initial scanning will target both known and newly identified CSAM, focusing on images and internet links. For now, text and audio content, as well as scanning for evidence of grooming — a more difficult crime to define — are excluded.

Still, the Danish proposal specifies that scanning for grooming is “subject to … possible inclusion in the future through a review clause,” which would likely require even more intrusive monitoring of text, audio and video conversations.

It also calls for “specific safeguards applying to technologies for detection in services using end-to-end encryption” but does not specify what those safeguards would be or how they would surmount the technical challenges laid out by digital privacy experts.


Watchdog: Cyber threat information-sharing program’s future uncertain with expected expiration of 2015 law

The Cybersecurity and Infrastructure Security Agency doesn’t have any plans in place for continuing a threat information-sharing program should a 2015 law that laid the groundwork for its creation expire Wednesday, according to a new watchdog report.

The inspector general report points to yet more potential complications for threat data exchanges between industry and the government should the 2015 Cybersecurity Information Sharing Act, known as CISA 2015, lapse. Already, private-sector groups and cyber professionals have been sounding alarms about what would happen if the law’s legal safeguards disappear — something that now appears almost certain, with Tuesday’s expiration deadline set to pass without action from Congress.

The IG report takes a look at the Automated Indicator Sharing (AIS) program that the Department of Homeland Security established in the year after passage of CISA 2015. The voluntary program was designed to allow the exchange of machine-readable cyber threat indicators (CTIs), like malicious IP addresses, and defensive measures (DMs), defined as activity that protects information systems against cyber threats.

According to the IG, CISA (the agency) has not finalized plans for continued use of the program in the event of the expiration of the 2015 law.

“Without finalizing this plan, CISA could be hindered in how it shares information on cyber threats, which would reduce its ability to protect the Nation’s critical infrastructure from cyber threats,” the report, dated Sept. 26, states.

While creation of the AIS program was one of the most direct outcomes of the passage of CISA 2015, many industry groups do not consider it the most important impact of the law, instead focusing on the legal protections it provides. Still, the IG report details how much activity the AIS program is involved in: 10 million cyber threat indicators shared in 2024.

That figure also points to weaknesses within the program, however, according to the IG. The 10 million indicators represent a big jump from the prior calendar year, when the number was 1 million.

“Although the number of CTIs and DMs increased in 2024, CISA continues to rely on a small number of partners to share information,” the report states. “CISA officials attributed recent increases in shared CTIs and DMs to a private-sector partner’s significant contribution. In 2024, this private-sector partner added more than 4 million CTIs and DMs to each of the Federal and public collections — accounting for 89 percent of the public collection and 83 percent of the Federal collection.”

The report doesn’t identify that private-sector partner. An earlier report attributed a steep drop in the sharing of cyber threat indicators to an unnamed federal partner withdrawing from the program.

“CISA’s overreliance on information shared by specific participants may lead to inconsistent results and prevent long-term program growth if top contributing partners stop participating,” the report reads.

There were only 18 federal participants in 2024 in all, and 87 non-federal participants. That’s an increase from last year in both cases, but a fall from the 2020 peak of 304 total participants. Some of those participants, though, are industry-specific information sharing and analysis centers that might include hundreds of organizations.

CISA’s response to the IG’s findings left the program’s future uncertain should the 2015 law expire, according to the report.

“Program officials stated that although CISA continues to be committed to sharing CTIs and DMs in an automated, unclassified machine-readable format such as AIS, the decision on whether to maintain the capability will be based on available resources and leadership’s priorities,” the report states. “CISA officials said if the Act were to expire, they would analyze the value of AIS, including the average operational cost of $1 million per month and a likely reduction in CTI and DM volume, to determine whether resources could be redirected from other agency priorities to support AIS.”

CISA referred requests for comment to the agency’s response contained within the report.

“It is important for readers of this report to understand that automated threat intelligence and information sharing with our global partners and stakeholders remains a priority for CISA, and that there are no immediate or near-term plans to discontinue the Automated Information Sharing [sic] service, regardless of the status of the Cybersecurity Act of 2015,” reads the response from Madhu Gottumukkala, the acting director of CISA. “Subject to available appropriations, CISA remains authorized to operate Automated Information Sharing irrespective of the possible sunset of the Cybersecurity Information Sharing Act of 2015 on September 30, 2025, and CISA will continue to modernize and evolve Automated Information Sharing to meet the needs of its partners and stakeholders.”


Two-thirds of CISA personnel could be sent home under shutdown

The Department of Homeland Security estimated over the weekend that it would send home about two-thirds of employees at the Cybersecurity and Infrastructure Security Agency in the event of a government shutdown.

It’s the first time that the second Trump administration has released its contingency plan in response to what would happen if Congress doesn’t keep the government funded after Oct. 1 — something that looks likely at the moment. The furlough of two-thirds of CISA employees is also relatively close to the last time the Biden administration produced shutdown guidance in 2023.

According to the DHS document, 889 of CISA’s 2,540 personnel would keep working through a government funding lapse. That workforce estimate is from May, and could be smaller now. In 2023, DHS anticipated that it would keep 960 of its then-3,117 employees at work.

The Biden administration said that year that it would have had the ability to recall another 790 CISA employees if needed. The latest DHS guidance doesn’t include any information on recallable employees, and CISA didn’t immediately respond to a request for that figure Monday.

Furloughs of cyber personnel could have a whole host of potentially negative consequences, government officials and outside cyber experts have warned. Those consequences could be even worse as the Trump administration slashes the federal workforce, some say.

A temporary reduction could invite more attacks on the federal government; slow down patching, cyber projects and regulations; prompt permanent departures from workers disillusioned about the stability of federal cyber work; hinder cybercrime prosecutions; and freeze cyber vulnerability scans.

The latest CISA furlough estimates are “scary,” one cyber researcher wrote on the social media platform Bluesky. The White House has also instructed agencies to plan for mass firings in the event of a shutdown.

At other agencies, some federal cybersecurity-related personnel are likely to continue working during a federal funding lapse, because the law deems some government functions as “excepted,” such as those focused on missions like national security, law enforcement or protection of property and human safety. For example, at the Health and Human Services Department, the fiscal year 2026 contingency plan states that “HHS estimates that 387 staff (excluding those otherwise authorized by law) will be excepted for the protection of computer data.”

Unlike in past years, agencies are hosting contingency plans on their websites on a case-by-case basis, rather than on the website of the Office of Management and Budget. Some plans that have been published, such as those for the Department of Defense, don’t specify figures for cyber personnel.

Hundreds of thousands of federal workers could be furloughed, in total.

Two major cybersecurity laws, one providing legal protections for cyber threat data sharing and another providing state and local grants, are also set to expire in mere days. A House-passed continuing resolution would’ve temporarily extended them, but the legislation didn’t advance in the Senate.


Cyber threat information law hurtles toward expiration, with poor prospects for renewal

Pessimism is mounting about the chances that Congress will reauthorize a cyber threat information-sharing law before it’s set to expire at the end of this month — with no clear path for either a temporary or long-term extension.

Industry groups and the Trump administration have put a lot of muscle into renewing the 2015 Cybersecurity Information Sharing Act (CISA 2015), which they say is a vital tool in the fight against malicious hackers because of the legal protections it provides for organizations to share cyber threat data with each other and the government.

But in recent weeks, multiple efforts to re-up the law have failed or been brushed aside:

  • The House inserted a two-month extension of CISA 2015 into a continuing resolution to avert a government shutdown, but after the House passed the bill, the Senate voted against the continuing resolution last week. Negotiations about continuing to fund the federal government past the end of this month appear to be at a standstill.
  • The Senate Homeland Security and Governmental Affairs Committee had scheduled a markup of legislation last week introduced by Chairman Rand Paul, R-Ky., to extend the law with significant changes that drew bipartisan and industry criticism. The panel then abruptly canceled the markup.
  • The top Democrat on Paul’s panel, Gary Peters of Michigan, tried to get an unaltered or “clean” 10-year reauthorization of the expiring law passed on the Senate floor with a unanimous consent motion, but Paul objected without explanation, preventing it from advancing.
  • House Homeland Security Chairman Andrew Garbarino, R-N.Y., sought earlier this month to offer his legislation to extend and alter CISA 2015 as an amendment to the House version of the annual defense policy bill, or National Defense Authorization Act (NDAA), but the Rules Committee prohibited the amendment from receiving a vote. (A Senate intelligence policy bill had included a 10-year extension, but when senators folded the intelligence authorization bill into that chamber’s version of the NDAA, Paul objected and got it removed.)

All of that leaves an extension of CISA 2015 without a home, and with a key senator, Paul, likely to stand in the way of swift renewal anytime soon. Under the circumstances, “I bet it does” expire, one industry source said of CISA 2015.

“I’d be pleasantly surprised if it is continued given Paul’s objection,” the source said.

And that could be a big problem for both lawmakers and private-sector organizations.

While it’s unclear exactly how even a temporary lapse in the law might affect cyber information sharing, some have offered dire predictions about how bad it will be. In the legal community, “if you’re giving people a reason not to do something, they won’t do it,” said another industry source.

If there’s a big breach during a time when the law has expired, the political risks increase, because cyberattack victims are likely to blame the lapse for what happens, said the source, who has extensive cybersecurity policy experience.

Best hopes (until recently)

Advocates had long pinned their hopes on a temporary two-year CISA 2015 renewal being included in the continuing resolution (CR), given the urgency to avoid a government shutdown and the fact that the law was set to expire when the fiscal year ends, which gave Congress a perfect opportunity. The House GOP’s inclusion of that short-term extension language in the CR — and Democrats’ support for it in their own proposal — indicated widespread support for the idea. The CR passed 217-212.

Senate leaders have a tradition of honoring objections on policy matters from the heads of the committees with jurisdiction over those topics when they are up for consideration in other bills. But multiple observers told CyberScoop that they interpreted the inclusion of the CISA 2015 law extension in the House CR as a sign that Senate leaders were prepared to ignore objections from Paul in this case.

Besides lawmakers and private-sector groups, the Trump administration has been pressing for renewal. Industry and Senate sources say that new National Cyber Director Sean Cairncross has been especially focused on selling lawmakers on the need for action on CISA 2015.

But temporary renewal is now a casualty of the broader fight over a government shutdown, with the Senate voting 44-48 against the CR.

Paul complications

Earlier this month, the House Homeland Security Committee approved Garbarino’s bill to renew CISA 2015 for 10 years by a vote of 25-0. While Democrats questioned whether the legislation should’ve included any changes to the law rather than a “clean” reauthorization, Garbarino’s changes themselves garnered no significant opposition.

That wasn’t the case for the version Paul sponsored and that was scheduled for a vote in his committee last week, which would have provided a two-year reauthorization. Industry groups objected to the Paul legislation striking provisions of the 2015 law that protected cyber threat data shared with the federal government from disclosure under Freedom of Information Act requests. They also opposed a section that would have removed the law’s federal preemption provision, under which the law supersedes state laws and regulations.

Democrats also raised concerns about several key definitions in the law, including those related to the rules for how companies can use defensive measures. According to Senate aides who spoke with CyberScoop, these changes could leave small- and medium-sized businesses particularly vulnerable. Combined with the other industry objections, the aides said, Paul’s bill would have functionally ended private sector information sharing with the government.

Industry is wary of major changes to CISA 2015 in general.

“The fact is that over the last 10 years, it’s been an effective way for the private sector to share information, which is a key ingredient in improving cybersecurity, and we should just be very careful while making changes to something that is working pretty well,” said Henry Young, senior director of policy for Business Software Alliance.

A section of the legislation that Paul wrote on free speech protections also created questions. Five Senate and industry sources told CyberScoop that Paul canceled the markup because Senate Republican panel members planned amendments that would have, with somewhat different approaches, stripped Paul’s changes in favor of a “clean” reauthorization.

Spokespeople for senators that sources said were behind those amendments, Joni Ernst of Iowa and Bernie Moreno of Ohio, did not respond to requests for comment.

A spokesperson for Paul disputed what the sources told CyberScoop about the reason for the cancellation.

“The characterization of the cancellation of the markup is false,” said the spokesperson, Gabrielle Lipsky. “The Democrats, who are not negotiating in good faith, asked for more time.”

Peters said in a Senate floor speech Friday that it was “disappointing” that Paul canceled the markup, and that “we were blocked from even having a discussion about the policy or draft legislation.”

Constituents in Paul’s home state have lobbied him on the importance of a “clean” reauthorization of CISA 2015; Paul’s public remarks about extension of the law have largely focused on passing a bill that includes additional guarantees on free speech.

“We make this request respecting your determination to protect Americans’ privacy and freedom of speech from censorship and intimidation by federal government employees, and we share those concerns,” a number of Kentucky business groups wrote to Paul in a Sept. 17 letter advocating for a “clean” extension. “We would welcome the opportunity to work with you to increase privacy and censorship protections in other legislation.” 

Peters asked for unanimous consent Friday for the Senate to advance a 10-year reauthorization. Paul said only, “I object,” thus blocking the renewal effort from Peters.

“Congress must pass an extension of these cybersecurity protections and prevent a lapse that would completely undercut our cybersecurity defenses and expose critical sectors to preventable attacks,” Peters said in a statement to CyberScoop. “These liability protections ensure trusted, rapid information sharing between the private sector and government to quickly detect, prevent, and respond to cybersecurity threats. I’m continuing to work toward a bipartisan, bicameral deal that will renew these protections for the long-term, but we cannot afford to let these critical cybersecurity protections expire at the end of the month.”

Other avenues

A common hope among advocates was that after a short-term extension became law as part of the CR, a longer-term extension would be included in the NDAA, which often passes toward the end of each calendar year or the start of the next.

But hopes for that diminished after actions in both the House and Senate. In the Senate, the Intelligence Committee had included a 10-year renewal in its annual intelligence authorization bill. That legislation was then included in the Senate version of the NDAA, but sources on and off the Hill told CyberScoop that Paul objected to inclusion of the CISA 2015 extension, so it was removed.

And the Rules Committee decided on Sept. 9 that Garbarino’s CISA 2015 renewal amendment wasn’t germane, thus preventing him from offering it during debate on the House floor about the NDAA. One day later, the House passed its version of the NDAA, 231-196.

The next steps for CISA 2015 reauthorization are unclear. Paul’s office did not respond to a question about his future plans for renewing CISA 2015.

Options for a short-term renewal are limited for now to whatever congressional leaders do to try to revive or replace a CR, but the timeline for doing so before CISA 2015 expires is exceptionally tight. Options for a long-term renewal might include an amendments package for the Senate version of the NDAA, since the full Senate has yet to take up its bill.

CISA 2015 “must not lapse on September 30, 2025. Allowing it to expire will create a significantly more hostile security environment for the U.S.,” Matthew Eggers, vice president of cybersecurity policy in the cyber, intelligence, and security division at the U.S. Chamber of Commerce, told CyberScoop in a written statement. “The Chamber advocates for a multi-year reauthorization of this vital law. Short-term extensions are counterproductive. Both the private sector and the government need certainty, including the ability to allocate resources for long-term cybersecurity planning and implementation. House and Senate leaders and the Trump administration have expressed strong support for reauthorizing CISA 2015.”

The post Cyber threat information law hurtles toward expiration, with poor prospects for renewal appeared first on CyberScoop.

Trump administration planning expansion of U.S. quantum strategy

The Trump administration is signaling to industry and allies that it is considering a broader set of actions related to quantum computing, both to improve the nation’s capacity to defend against future quantum-enabled hacks and ensure the United States promotes and maintains global dominance around a key national security technology.

The discussions include potentially taking significant executive action, such as one or more executive orders, a national plan similar to the AI Action Plan issued earlier this year, and a possible mandate for federal agencies to move up their timelines for migrating to post-quantum protections, multiple sources told CyberScoop.

None of the sources CyberScoop spoke with could provide a definitive timeline for an official rollout, but multiple executives in the quantum computing industry and former national security officials said the White House has signaled serious interest in taking bolder action to promote and shape the development of the technology. Some felt official announcements could come as soon as this week, while others cautioned the process could stretch into the coming months.

While quantum computers capable of breaking through classical encryption currently remain a theoretical threat, both government and industry have spent years planning for the day when the threats become real.

A major element of that plan has been slowly switching out older encryption algorithms in IT infrastructure for newer “post quantum” algorithms over the span of more than a decade.

One quantum executive, citing direct conversations with the government, said “everyone in the quantum industry from a policy standpoint” has been told some variation of the message “that the White House wants to do for quantum what they did for AI in July.”

A key component of one or perhaps multiple executive orders is language that would accelerate the deadline for federal agencies’ post-quantum migrations from 2035 to 2030.

The executive, speaking on condition of anonymity to avoid jeopardizing their relationship with the government, said the effort is being led by the White House’s Office of Science and Technology Policy (OSTP) and the Department of Commerce.

Commerce Deputy Secretary Paul Dabbar, a former Department of Energy official during President Donald Trump’s first term who co-founded and led his own quantum networking technology company during the Biden years, is “driving a lot of this,” the source said.

It’s not just industry that has received the message. A former official at the Department of Homeland Security who works with the Trump administration confirmed they had also been advised of upcoming action, and that officials at OSTP and the Office of Management and Budget have been particularly aggressive about moving forward.

“I did hear there was some forthcoming guidance for agencies, given the push with AI, but more specifically the need for government departments to be much more aggressive about what they’re doing, since the codebreaking capability of quantum is pretty significant for federal agencies,” said the official, who requested anonymity to discuss sensitive conversations with the federal government.

Multiple other former government officials and administration allies told CyberScoop that they have heard that the administration was preparing to take some kind of action around quantum computing in the near future.

An OMB official declined a request for comment from CyberScoop this week on the administration’s plans. The Department of Commerce did not respond to a similar request.

But White House officials have already teased bold action on quantum is in the works. In July, after the administration released its AI Action Plan, OSTP Director Michael Kratsios told an audience at a conference that “the president wrote me a letter the first week or two that I was in office that essentially gave me a charge for what I was supposed to do for the next three years.”

“He named three technologies in that letter: It was AI, quantum, and nuclear,” Kratsios said. “We had our big nuclear day a month-and-a-half ago. We had AI yesterday, so you can only assume — stay tuned.”

Pranav Gokhale, chief technology officer at Infleqtion, another quantum computing company, told CyberScoop he has heard similar rumors about an impending executive order focused at least in part on speeding up post-quantum migration efforts by federal agencies.

Part of the urgency reflects a desire to be aggressive in the face of uncertainty: no one knows quite when we will develop quantum computers capable of breaking encryption. There’s a running joke among experts and observers that quantum codebreaking is perpetually “five to 10 years away” from becoming reality.

Most experts — including cryptologists at the National Institute of Standards and Technology and the National Security Agency, which set encryption standards for the federal government and intelligence community — believe it is only a matter of time before such a breakthrough occurs. If that happens sooner than anticipated, the U.S. could be left unprepared.

Some national security officials pointed out that if governments in China, Russia or another country were to make a significant breakthrough on quantum codebreaking, there would be a powerful incentive to keep it secret for as long as possible to maintain an intelligence advantage.

Gokhale also said from the conversations he’s had, some in government and industry are pushing to make the safe and secure transition of cryptocurrencies to newer quantum-resistant encryption a priority, an issue that could be addressed by an executive order.

Discussions around prioritizing the migration of cryptocurrencies were confirmed by the first quantum executive that spoke with CyberScoop, though they said it’s less clear whether those ideas will ultimately make it into any White House executive order or formal plan. 

Bitcoin in particular may need a bespoke strategy to safely migrate, Gokhale said, citing a research study put out last year by the U.K.’s University of Kent that looked at the technical costs of upgrading Bitcoin assets to newer quantum-resistant encryption.

Given that cryptocurrencies are already lucrative targets for cybercriminals and foreign hackers from countries like North Korea, the industry is likely to be among the early targets of a quantum-enabled hack, and left more vulnerable by a slower rollout.

“The conclusion is that the Bitcoin upgrade to quantum-safe protocols needs to be started as soon as possible in order to guarantee its ongoing operations,” the Kent authors wrote.

Madison Alder contributed reporting to this story.

The post Trump administration planning expansion of U.S. quantum strategy appeared first on CyberScoop.

Senators, FBI Director Patel clash over cyber division personnel, arrests

FBI cyber division cuts under President Donald Trump will reduce personnel there by half, a top Democratic senator warned Tuesday, while FBI Director Kash Patel countered that arrests and convictions have risen under the Trump administration.

A contentious Senate Judiciary Committee hearing dominated by clashes over political violence, Patel’s leadership and accusations about the politicization of the bureau nonetheless saw senators probing the FBI’s performance on cybersecurity.

“My office received information that cuts to the bureau’s cyber division will cut personnel by half despite the ever-increasing threat posed by adverse foreign actors,” said Illinois Sen. Dick Durbin, the top Democrat on the panel. The Trump administration has proposed a $500 million cut for the FBI in fiscal 2026.

Sen. Alex Padilla, D-Calif., said that as the FBI has shifted personnel toward immigration and politically motivated investigations like the Tesla task force, it has undercut other missions. “It has an impact on other priorities, like nation-state threats and ransomware investigations,” he said.

Padilla was one of several Senate Democrats, like Cory Booker of New Jersey and Mazie Hirono of Hawaii, who said the FBI’s cyber mission was suffering because its personnel were being directed elsewhere.

Patel told Hirono that the FBI’s cyber branch was one of the bureau’s “most impressive” units, and that it had made 409 arrests, a 42% increase compared to the same period last year, and garnered 169 convictions.

As Padilla questioned him about the FBI’s mission to protect against election interference and the Justice Department ending the Foreign Influence Task Force, Patel answered that the FBI did not “in any way divert or reallocate resources from that critical mission set.” He said it was still working on it through its cyber programs, which had seen a “40, 50, 60%” increase in arrests in cyber threat cases involving critical infrastructure and interference with elections.

Patel said he hadn’t shifted any resources away from any critical missions like terrorism toward things like Tesla vandalism or sending federal personnel to cities like Washington, D.C. “They never left their primary job,” he said. “It is a surge in law enforcement.”

Hirono asked Patel to say who had replaced top officials who had exited the cyber division, but he said only that they were “supremely qualified individuals” and wouldn’t give their names “so you can attack them.” When he wouldn’t say who they were, Hirono replied, “you don’t know.”

More broadly, Patel said the FBI was taking the fight to Chinese threat groups like Salt Typhoon and Volt Typhoon, and going after ransomware and malware attackers.

Sen. Amy Klobuchar, D-Minn., said she was concerned about a rise in artificial intelligence-generated election interference, including materials directed at her. Patel said the FBI was looking into it, but that the culprits appeared to be “loose groups overseas, without any central cluster.”

The post Senators, FBI Director Patel clash over cyber division personnel, arrests appeared first on CyberScoop.

CISA work not ‘degraded’ by Trump administration cuts, top agency official says

A top official at the Cybersecurity and Infrastructure Security Agency on Thursday rejected concerns that personnel and program cuts at CISA have hindered its work.

Nick Andersen, who just began serving as executive assistant director of cybersecurity at CISA this month, said he’s seen the agency function at a high level from both the outside and inside.

“There’s been an awful lot of reporting recently about CISA and the potential for degraded operational capabilities, and I’m telling you, nothing can be further from the truth,” he said at the Billington Cybersecurity Summit. “It is just a fantastic opportunity to see the high-level output and throughput that this team has.

“There is not a single instance where I can think of that somebody reaches out — whether it’s in our remit or not, we are connecting them with the right level of resources, and we are helping them to make themselves right, whether it’s incidents that we see affecting a state/local partner, small- or medium-sized businesses or the largest critical infrastructure owner/operators,” he continued.

The Trump administration has cut or plans to cut more than 1,000 personnel at the agency, a third of its total full-time employees, and has sought nearly half a billion dollars in funding reductions.

CISA’s shuttering of an array of programs has drawn widespread criticism from many in industry as well as from state and local governments who have partnered with the agency, not to mention concerns from Capitol Hill.

But Andersen said CISA has full support from President Donald Trump, who clashed with agency leadership in his first term, and Department of Homeland Security Secretary Kristi Noem.

“We have exceedingly strong relationships with” other government agencies and the private sector, Andersen touted. “The level of commitment within this team is second to none, and we’re just going to continue to hone and focus [on] that operational mission of what CISA should be delivering on. We’re going to continue to sort of separate out the fluff, but we are going to take every single dollar, every single resource, every single manpower hour to deliver an even sharper focus on those core capabilities in keeping with what President Trump identified as our administration priorities.”

Those priorities, Andersen said, include fortifying federal networks. “Raising the collective bar across the dot gov is a big one,” he said.

It also includes strengthening relationships with critical infrastructure owners and operators. “We want to be able to work very closely with our critical infrastructure partners on focused resilience efforts, be able to raise the bar in a sprint between now and 2027 as we prepare for the potential of China making good on its promise … to take Taiwan,” he said, so that “our critical infrastructure is not going to be held hostage.”

And it includes strengthening partnerships with other federal agencies as well as state and local governments, Andersen said.

The post CISA work not ‘degraded’ by Trump administration cuts, top agency official says appeared first on CyberScoop.

Critical infrastructure security tech needs to be as good as our smartphones, top NSC cyber official says

The top cyber official at the National Security Council said Tuesday that he’s dismayed by the lag in security technology embedded in critical infrastructure, saying it pales in comparison to the tech in modern smartphones.

“I worry a lot about critical infrastructure cybersecurity,” Alexei Bulazel said at the Billington Cybersecurity Summit. “I also think about the technology that’s deployed in critical infrastructure contexts. This is not the best-in-class software or hardware.”

Bulazel mentioned the energy sector in particular, given the potential for hackers to turn off the power in the United States. It’s a sector that relies in large measure on supervisory control and data acquisition (SCADA) systems to monitor and control industrial processes.

“I think about the phones in our pockets — Android, iPhone, doesn’t matter — really amazing feats of engineering,” he said. “Imagine if our critical infrastructure, if the SCADA system that ran the power or the water or whatever, was as secure as the phone in your pocket. I think a lot of these threats are mitigated; only the absolute apex predator, top-tier actors can get in.”

As a “White House policymaker,” Bulazel said, many of the questions he deals with go away if the technical mark is raised in critical infrastructure. It’s one of the reasons the Trump administration — despite frequently discussing the need to go on offense in cyberspace — is focused on defensive strategies like secure-by-design, he said.

“We are unapologetically unafraid to do offensive cyber,” he said. “It’s an important tool in the toolbox. It’s not the only tool.”

The Trump administration is trying to shift away from “victims” and more to “villains,” Bulazel said. His comments echoed earlier remarks Tuesday from National Cyber Director Sean Cairncross about shifting the cyber risk burden to adversaries.

It’s important to deter hackers, who aren’t like floods or lightning strikes in that they are intentional and deliberate, he said: “This is because a motivated bad actor is trying to give you a bad day.”

The post Critical infrastructure security tech needs to be as good as our smartphones, top NSC cyber official says appeared first on CyberScoop.

National cyber director: U.S. strategy needs to shift cyber risk from Americans to its adversaries

The United States needs a “new, coordinated strategy” to counter its cyber adversaries and “shift the burden of risk in cyberspace from Americans to them,” National Cyber Director Sean Cairncross said Tuesday.

“Collectively, we’ve made great progress in identifying, responding to and remediating threats, but we still lack strategic coherence and direction,” he said at the Billington Cybersecurity Summit. “A lot has been done, but it has not been sufficient. We’ve admired the problem for too long, and now it’s time to do something about it.”

The Biden administration produced its first cybersecurity strategy in 2023, with its Office of the National Cyber Director leading the writing of that document. It was part of a broader Biden administration approach to shift the cyber burden from individuals to more powerful institutions like the private sector. 

“The Trump administration will drive a new coordinated strategy that will advance U.S. interests and thwart our adversaries in cyberspace,” Cairncross said in a speech that marked his first public remarks since his confirmation in August. “America has the best talent, the most innovative private sector, the brightest research universities, broad academic resources and powerful government capabilities.

“We have all the tools, and now we have the political will in place to address these challenges,” he said. “We must work together, using all of our nation’s cyber capabilities, to shape adversary behavior and, most importantly, shift the burden of risk in cyberspace from Americans to them.”

The United States needs to “create an enduring advantage” over China, he said. China and other U.S. cyber adversaries that Cairncross called “brittle authoritarian regimes” simultaneously have to expend resources tracking dissidents and maintaining control, but also have the advantage of being able to “integrate instruments of power more seamlessly than we can.”

Cairncross said of cyberspace that “for too long, our adversaries have operated in this environment with near impunity. For too long, we have foregone the chances to set conditions for sustained security and stability. Our action or inaction today holds tremendous implications for our future.”

In separate remarks at another event Tuesday, Cairncross said he also wants to help international allies, particularly nations in the Five Eyes intelligence alliance, combat China’s efforts. 

“There’s many partners around the world who are looking for help as China attempts to export a surveillance state across planet Earth, country by country, continent by continent,” he said at an event hosted by Politico. “We have to engage to help fight that.” 

At the Politico event, he also said he expects the office to be more streamlined with the National Security Council and Cybersecurity and Infrastructure Security Agency, adding that the White House has been focused on what Cairncross referred to as eliminating the “turf wars and bureaucratic nonsense” of prior administrations.   

“The United States hasn’t had an overarching cyber policy strategy that’s set in coordination from offense all the way through to end-user defense, to state, local and tribal governments, working together in putting tactical operations and policies in place that support and feed into that strategy,” he said. “That is what we are going to do.”

In the shorter term, Cairncross mentioned three priorities. One is passage of legislation to reauthorize a law expiring this month that provides legal protections to companies for sharing cyber threat data with the government and within the private sector, the Cybersecurity Information Sharing Act of 2015.

Another is for “the federal government to get our own house in order,” he said.

“Our federal systems need rapid modernization,” Cairncross said, and the Trump administration is working on policies to “update our technologies and ensure that we’re prepared for a post-quantum future.”

And third, industry needs to focus on securing its products and protecting privacy at the outset, during the design process — and the administration will work to streamline cybersecurity regulations on industry’s behalf, he said.

Cairncross said it was a priority of the first Trump administration, and would continue to be in the second, to develop the cybersecurity workforce. Under Trump, however, the administration has pushed to dramatically slash personnel and funding for CISA.

Greg Otto contributed to this report. 

The post National cyber director: U.S. strategy needs to shift cyber risk from Americans to its adversaries appeared first on CyberScoop.

CISA pushes final cyber incident reporting rule to May 2026

The Cybersecurity and Infrastructure Security Agency is delaying finalization of a rule until May of next year that will require critical infrastructure owners and operators to swiftly report major cyber incidents to the federal government, according to a recent regulatory notice.

Under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022, CISA was supposed to produce a final rule enacting the law by October of this year. But last week, the Office of Management and Budget’s Office of Information and Regulatory Affairs published an update that moved the final rule’s arrival to May 2026.

A CISA official told CyberScoop that the move would give the agency time to consider streamlining a previously proposed version of the rule and reducing its burden on industry, citing public comments in response to that version, and to harmonize the law with other agencies’ cyber regulations.

“We received a significant number of public comments on the proposed rule, many of which emphasized the need to reduce the scope and burden, improve harmonization of CIRCIA with other federal cyber incident reporting requirements, and ensure clarity,” said Marci McCarthy, director of public affairs at CISA. “Stakeholder input is extremely important as we work to draft a rule that improves our collective security. CISA remains committed to implementing CIRCIA to maximize impact while minimizing unnecessary burden to entities in critical infrastructure sectors.”

McCarthy said CISA would take the time prior to May to “examine options within the rulemaking process to address Congressional intent and streamline CIRCIA’s requirements.”

A top lawmaker and leading industry group also told CyberScoop the delay could help make those kinds of changes.

House Homeland Security Chairman Andrew Garbarino, R-N.Y., said the Trump administration assured him that it would prioritize soliciting additional feedback from groups that would be affected by the regulations.

“I support the administration’s decision to extend the deadline for CIRCIA’s final rule as long as this additional time is used to properly capture private-sector feedback on the proposed rule’s reporting requirements and ensure the final rule fulfills congressional intent for the law,” he said. “I share the concern of many industry stakeholders that CIRCIA should not place duplicative or overly broad requirements on critical infrastructure owners and operators. Doing so could unnecessarily burden America’s cyber professionals as they work to defend our networks from heightened threats.”

The 2022 law will require critical infrastructure owners and operators to report to CISA within 72 hours if they suffer a major cyberattack, and to report within 24 hours if they pay a ransomware demand. It was inspired by a spate of major cyberattacks, such as the 2021 Colonial Pipeline hack.

But CISA’s proposed rule — and how it interpreted the scope of whom the law would apply to and what kinds of incidents would require reporting to CISA — had drawn industry criticism from groups that wanted a narrower reading of the definitions of the law’s key terms and phrases.

The Information Technology Industry Council, which had co-signed letters about the proposed regulation, said the delay gives CISA a chance to adopt industry input.

“Enhancing operational efficiency through improved visibility into significant cyber incidents remains a top priority for the tech industry,” said Leopold Wildenauer, director of cybersecurity policy for the group. “CIRCIA will have a significant impact on the U.S. cyber landscape, so it’s critical to get it right. CISA should use this extended timeline to meaningfully incorporate industry input and realign the rule with Congress’s original intent. At the same time, efforts to streamline incident reporting and harmonize requirements across the federal government must move forward to drive better security outcomes.”

Bloomberg Law had earlier reported the planned delay, based on a notice that disappeared from the Office of Information and Regulatory Affairs website for weeks afterward.

Personnel cutbacks at CISA and other developments had long prompted concerns that the agency would not meet the October CIRCIA deadline. Department of Homeland Security Secretary Kristi Noem said in May she would support re-opening industry consultation on the proposed regulation.

The top Democrat on Garbarino’s panel, Mississippi Rep. Bennie Thompson, said the Trump administration appears to have done little to meet the deadline, among other criticisms. He told CyberScoop in an emailed statement that he first learned about the rulemaking time shift last week.

“I’m disappointed that CISA has failed to keep its authorizers — and one of the authors of the CIRCIA — updated of its lack of progress in issuing a final rule,” he said. “I am also disappointed that CISA has yet to initiate an ex parte process to gather additional input to inform the final rule. All evidence suggests the administration burned seven months doing nothing while it could have been engaging with stakeholders and working toward a final rule. Full implementation of CIRCIA will enhance our collective ability to detect and disrupt cyber threats and, if done right, drive harmonization of cyber incident reporting rules.”

The former CISA official who ran the CIRCIA program, Lauren Boas Hayes, wrote in an op-ed for CyberScoop in July that it was always going to be difficult for CISA to meet the October deadline without a confirmed director. The Senate Homeland Security and Governmental Affairs Committee has since approved the nomination of Sean Plankey, but the full Senate has yet to vote to confirm him.

“I am happy to see that they are acknowledging that and moving the deadline to a reasonable timeframe so that they can make those policy decisions, give the program clear prioritization and direction, and continue to move towards a CIRCIA final rule that will have positive impacts for the nation and for our national security,” Boas Hayes told CyberScoop in response to the shifted deadline. “I hope that the acting director of CISA is providing that clear guidance and prioritization to the staff so that they can continue to make progress now and when the CISA director joins the agency and is on-boarded fully and ready to make all those policy decisions.”

The notice about the delay clears up uncertainty about CISA’s plans, said Caleb Skeath, a partner at the Covington law firm.

“It helps provide some clarity on what the next steps are. We did have a statutory deadline for having these rules published, but there had not been a lot of information coming out of CISA for a pretty long period of time since the comment period,” he said. “And it’s a very broad, wide-ranging rule that’s going to impact a lot of entities across a lot of industry sectors, and is going to require very quick reporting of a lot of information about cybersecurity incidents.”

There are limits to the kinds of changes the Trump administration could make to the proposed regulation without going to Congress for additional leeway, Skeath said. And it’s possible that it could take extra time beyond publication of a final rule in May for the regulation to go into effect, he said.

Updated 9/8/25: This story was updated to include comments from Thompson and Boas Hayes.

The post CISA pushes final cyber incident reporting rule to May 2026 appeared first on CyberScoop.

AI can help track an ever-growing body of vulnerabilities, CISA official says

Artificial intelligence could be a key tool for helping organizations keep track of an ever-expanding catalog of identified software flaws, a top official at the Cybersecurity and Infrastructure Security Agency said Thursday.

CISA sponsors the Common Vulnerabilities and Exposures (CVE) program, which publishes standardized data about known cyber vulnerabilities. The number of vulnerabilities the CVE program published last year rose to 40,000, said Chris Butera, acting deputy executive assistant director of cybersecurity at CISA.

“For any organization to try to track and hash against 40,000 different vulnerabilities within their IT ecosystem, it’s a very complex challenge,” he said at Thursday’s GDIT Emerge event, produced by Scoop News Group. “We can do a lot more with automation, and that’s where maybe AI can help us in the automation pieces.”

CISA’s goals for the CVE program are “more automation, innovation and increasing the quality of the data going into the program,” he said. Earlier this year CISA narrowly averted a lapse in a key contract to administer it.

Butera’s remarks were among several at the event where industry and policymakers opined on how AI can aid cyber defenders, as opposed to fears about how AI might aid hackers looking to exploit the technology.

Daniel Richard, associate deputy director of digital innovation at the Central Intelligence Agency, said that he’s “actually quite bullish and optimistic in how AI can be leveraged in the cyber space.”

It’s especially important as the window shrinks between the discovery of previously unknown vulnerabilities called zero-days and when hackers begin exploiting them.

“There is a lot of opportunity as we gather more telemetry data, more metrics, to be able to leverage AI to identify anomalies much more quickly to be able to react to those threats in a much more proactive way,” he said.

Manny Medrano, director of the office of cybersecurity monitoring and operations at the State Department, said a good role might be treating AI as a “virtual assistant.” But humans have to remain in charge in the end. “You make the final decision,” he said.

It also can play an important role for defenders in sifting through mountains of data, said David Carroll, vice president of cyber capability, engineering and strategy at GDIT.

The post AI can help track an ever-growing body of vulnerabilities, CISA official says appeared first on CyberScoop.

CISA guide seeks a unified approach to software ‘ingredients lists’

Compiling an “ingredients list” for software can help organizations reduce cyber risks, avoid fines and save time, among other benefits, a Cybersecurity and Infrastructure Security Agency-led guide published Wednesday advises.

The CISA document, produced with the National Security Agency and cyber agencies from 14 other countries, aims to produce a shared vision on advancing the concept known as software bill of materials, or SBOM. It’s a nearly universally praised idea whose implementation has been playing catch-up with the embrace of its theoretical value.

In the guide, the agencies tout SBOMs as a way to adopt secure-by-design principles, where software makers implement security as part of the design process rather than as something to be tacked on afterward.

“The ever-evolving cyber threats facing government and industry underscore the critical importance of securing software supply chain and its components,” Madhu Gottumukkala, acting director of CISA, said in a news release accompanying the guide’s publication. “Widespread adoption of SBOM is an indispensable milestone in advancing secure-by-design software, fortifying resilience, and measurably reducing risk and cost.

“This guide exemplifies and underscores the power of international collaboration to deliver tangible outcomes that strengthen security and build trust,” he said. “Together, we are driving efforts to advance software supply chain security and drive unparalleled transparency, fundamentally improving decision-making in software creation and utilization.”

Publication of the guide follows closely on CISA’s updated federal agency guidelines for SBOMs, a set of rules that got mixed reviews when it came out last month.

Wednesday’s guide aims toward a unified approach to implementing SBOMs.

“Divergent implementations could hinder widespread adoption and sustainable implementation of SBOM. An aligned and coordinated approach to SBOM will improve effectiveness while reducing costs and complexities,” the guide reads. “When used widely across sectors, regions, and countries, supply chain illumination drives better ‘ingredients’ for everyone to use and helps ensure that known risks are addressed early. SBOM adoption is an integral condition for software to be secure by design.”

According to the guide, SBOMs help with vulnerability management by allowing organizations to better track vulnerabilities when they arise, making it faster and more efficient to fix flaws. They help organizations comply with industry-specific policies or government regulations and make purchasing decisions about their software accordingly, thereby pushing vendors to give greater attention to cyber risk. They can also help organizations manage software licenses, since violations of open-source licenses can trigger fines or reputational damage.

The guide advertises SBOMs as something for software makers, buyers and operators to adopt, as well as government cybersecurity agencies.

Australia, Canada, the Czech Republic, France, Germany, India, Italy, Japan, the Netherlands, New Zealand, Poland, Singapore and South Korea were the other countries involved in producing the guide.

The post CISA guide seeks a unified approach to software ‘ingredients lists’ appeared first on CyberScoop.

House panel approves cyber information sharing, grant legislation as expiration deadlines loom

A House panel advanced legislation Wednesday that would reauthorize a major cyber threat information sharing law and a big-dollar state and local cyber grant program before they’re set to expire at the end of this month.

Trump administration officials and nominees, as well as cybersecurity organizations and experts, have voiced support for renewing them both as they near their respective lapses. Expiration of the information sharing law in particular has led industry groups and others to warn about dangerous ramifications from the collapse of cyber threat data exchanges.

At the House Homeland Security Committee markup, the panel also approved bills addressing pipeline cybersecurity and terrorists’ use of generative artificial intelligence.

The 2015 Cybersecurity and Information Sharing Act has provided legal protections to the private sector to share threat data with the federal government and between companies and organizations. The Widespread Information Management for the Welfare of Infrastructure and Government Act, which the panel approved 25-0, would reauthorize it for another 10 years, with updates.

“Reauthorizing this law and ensuring the relevance of this framework before it expires is essential for retaining our cyber resilience,” said Rep. Andrew Garbarino, N.Y., the chair of the committee and lead sponsor of the re-up legislation. The original legislation, he said, “changed the cybersecurity landscape forever, and for the better.”

The bill encourages the use of secure AI to improve technical capabilities, updates legal definitions to capture newer hacking tactics and seeks to preserve and strengthen existing privacy protections, he said.

The top Democrat on the committee, Bennie Thompson of Mississippi, said the committee should have approved a simpler reauthorization to give lawmakers and affected parties more time to take a look at the legislation’s changes to the 2015 law, but he supported moving the bill forward.

Garbarino said he had a good conversation Tuesday evening with his Senate counterpart, Homeland Security and Governmental Affairs Committee Chairman Rand Paul, R-Ky., about the path forward on the legislation.

Paul and other GOP lawmakers have said they want renewal of the 2015 law to include language prohibiting the Cybersecurity and Infrastructure Security Agency — which plays a large role in carrying out the law — from censoring speech, despite past responses from agency officials that they have not censored anyone. Garbarino’s bill doesn’t contain any provisions about that.

The panel voted 22-1 to approve the Protecting Information by Local Leaders for Agency Resilience Act, which would extend the State and Local Cybersecurity Grant Program for another 10 years. The program has doled out $1 billion.

“Many local governments have a long way to go to be prepared for cyberattacks from adversaries like the Chinese Communist Party,” said the bill’s sponsor, Rep. Andy Ogles, R-Tenn. He said that while “I usually want Washington to do less,” the federal government might have to foot the bill later anyway if it doesn’t help state and local governments shore up their defenses.

It would provide 60% of funds to state, local and tribal governments that are eligible, or 70% for those applying together. It would direct a federal outreach effort to smaller communities, and stress defense for both information technology and operational technology, Ogles said. Appropriators would still need to dedicate funding to the program, even if President Donald Trump signs it into law.

A coalition of tech and cybersecurity groups wrote to congressional leaders Tuesday urging them to extend the program, listing examples of how the grant program has defended against specific cyberattacks across the nation. “Without continued funding, hard-won progress will stall, and communities across the country will be left vulnerable — handing our adversaries a dangerous advantage,” their letter reads.

Paul hasn’t publicly indicated his plans for the expiring grant program. The two bills would provide new names for the things they are authorizing: WIMWIG replacing 2015 CISA, and PILLAR replacing the grant program.

The House Homeland Security Committee also voted 21-0 to advance the Generative AI Terrorism Risk Assessment Act, which would require the Department of Homeland Security to conduct annual assessments on how terrorist groups use artificial intelligence to carry out terrorist activity, such as seeking to radicalize potential recruits.

“Known terrorist organizations like ISIS or Al Qaeda or others have gone so far as to have AI workshops to train members on its use,” said the bill’s sponsor, Rep. August Pfluger, R-Texas.

And the committee voted 22-0 to approve the Pipeline Security Act that would codify the Transportation Security Administration’s pipeline security office into law and specify its responsibilities, including on cybersecurity. TSA wrote cybersecurity regulations in response to the 2021 Colonial Pipeline hack.

“We don’t just risk our national security, we risk supply chain disruptions that will create a ripple effect throughout our communities” if we fail to protect our pipelines, said the bill’s sponsor, Rep. Julie Johnson, D-Texas.

The post House panel approves cyber information sharing, grant legislation as expiration deadlines loom appeared first on CyberScoop.

Google previews cyber ‘disruption unit’ as U.S. government, industry weigh going heavier on offense

Google says it is starting a cyber “disruption unit,” a development that arrives in a potentially shifting U.S. landscape toward more offensive-oriented approaches in cyberspace.

But the contours of that larger shift are still unclear, and whether or to what extent it’s even possible. While there’s some momentum in policymaking and industry circles to put a greater emphasis on more aggressive strategies and tactics to respond to cyberattacks, there are also major barriers.

Sandra Joyce, vice president of Google Threat Intelligence Group, said at a conference Tuesday that more details of the disruption unit would be forthcoming in future months, but the company was looking for “legal and ethical disruption” options as part of the unit’s work.

“What we’re doing in the Google Threat Intelligence Group is intelligence-led proactive identification of opportunities where we can actually take down some type of campaign or operation,” she said at the Center for Cybersecurity Policy and Law event, where she called for partners in the project. “We have to get from a reactive position to a proactive one … if we’re going to make a difference right now.”

The boundaries in the cyber domain between actions considered “cyber offense” and those meant to deter cyberattacks are often unclear. The tradeoff between “active defense” vs. “hacking back” is a common dividing line. On the less aggressive end, “active defense” can include tactics like setting up honeypots designed to lure and trick attackers. At the more extreme end, “hacking back” would typically involve actions that attempt to deliberately destroy an attacker’s systems or networks. Disruption operations might fall between the two, like Microsoft taking down botnet infrastructure in court or the Justice Department seizing stolen cryptocurrency from hackers.

Trump administration officials and some in Congress have been advocating for the U.S. government to go on offense in cyberspace, saying that foreign hackers and criminals aren’t suffering sufficient consequences. Much-criticized legislation to authorize private sector “hacking back” has long stalled in Congress, but some have recently pushed a version of the idea where the president would give “letters of marque” like those for early-U.S. sea privateers to companies authorizing them to legally conduct offensive cyber operations currently forbidden under U.S. law.

The private sector has some catching up to do if there’s to be a worthy field of firms able to focus on offense, experts say.

John Keefe, a former National Security Council official from 2022 to 2024 and National Security Agency official before that, said there had been government talks about a “narrow” letters of marque approach “with the private sector companies that we thought had the capabilities.” The concept was centered on ransomware, Russia and rules of the road for those companies to operate. “It wasn’t going to be the Wild West,” said Keefe, now founder of Ex Astris Scientia, speaking like others in this story at Tuesday’s conference.

The companies with an emphasis on offense largely have only one customer — and that’s governments, said Joe McCaffrey, chief information security officer at defense tech company Anduril Industries. “It’s a really tough business to be in,” he said. “If you develop an exploit, you get to sell to one person legally, and then it gets burned, and you’re back again.”

By their nature, offensive cyber operations in the federal government are already very time- and manpower-intensive, said Brandon Wales, a former top official at the Cybersecurity and Infrastructure Security Agency and now vice president of cybersecurity at SentinelOne. Private sector companies could make their mark by innovating ways to speed up and expand the number of those operations, he said.

Overall, among the options of companies that could do more offensive work, the “industry doesn’t exist yet, but I think it’s coming,” said Andrew McClure, managing director at Forgepoint Capital.

Certainly Congress would have to clarify what companies are able to do legally as well, Wales said.

But that’s just the industry side. There’s plenty more to weigh when stepping up offense.

“However we start, we need to make sure that we are having the ability to measure impact,” said Megan Stifel, chief strategy officer for the Institute for Security and Technology. “Is this working? How do we know?”

If there was a consensus at the conference, it’s that the United States — be it the government or private sector — needs to do more to deter adversaries in cyberspace by going after them more in cyberspace.

One knock on that idea has been that the United States can least afford to get into a cyber shooting match, since it’s more reliant on tech than other nations and an escalation would hurt the U.S. the most by presenting more vulnerable targets for enemies. But Dmitri Alperovitch, chairman of the Silverado Policy Accelerator, said that idea was wrong for a couple reasons, among them that other nations have become just as reliant on tech, too.

And “the very idea that in this current bleak state of affairs, engaging in cyber offense is escalatory, I propose to you, is laughable,” he said. “After all, what are our adversaries going to escalate to in response? Ransom more of our hospitals, penetrate more of our water and electric utilities, steal even more of our IP and financial assets?”

Alperovitch continued: “Not only is engaging in thoughtful and careful cyber offense not escalatory, but not doing so is.”

The post Google previews cyber ‘disruption unit’ as U.S. government, industry weigh going heavier on offense appeared first on CyberScoop.

House lawmakers take aim at education requirements for federal cyber jobs

The top lawmakers on a key House cybersecurity panel are hoping to remove a barrier to entry for cyber jobs in the federal government.

Introduced this week, the Cybersecurity Hiring Modernization Act from Reps. Nancy Mace, R-S.C., and Shontel Brown, D-Ohio, would prioritize skills-based hiring over educational requirements for cyber jobs at federal agencies. 

Mace and Brown — the chair and ranking member of the House Oversight Cybersecurity, Information Technology, and Government Innovation Subcommittee, respectively — said the legislation would ensure the federal government has access to a “broader pool of qualified applicants” as the country faces “urgent cybersecurity challenges.”

“As cyber threats against our government continue to grow, we need to make sure our federal agencies hire the most qualified candidates, not just those with traditional degrees,” Mace said in a press release Thursday. “This bill cuts red tape, opens doors to skilled Americans without a four-year diploma but with the expertise to get the job done, and strengthens our nation’s cybersecurity workforce.”

Brown said in a statement that expanding the cyber workforce is “imperative” to “meet our nation’s growing need for safe and secure systems.” The bill aims to “remove outdated hiring policies, expand workforce opportunities to a wider pool of talented applicants, and help agencies hire the staff that they need,” she added. 

The bill calls on the Office of Personnel Management to annually publish any education-related changes that are made to minimum qualification requirements for federal cyber roles. OPM would also be charged with aggregating data on educational backgrounds of new hires for those cyber positions.  

Agencies would still be permitted to include minimum education requirements for cyber jobs, but “only if a minimum education qualification is required by law to perform the duties of the position in the State or locality where the duties of the position are to be performed,” per the bill text. Education can be considered if that schooling “directly reflects the competencies necessary to satisfy that qualification and perform the duties of the position.”

Easing education requirements for federal cyber contracting jobs was a priority for Harry Coker, the Biden administration’s national cyber director, and other legislation in recent years has also attempted to address the issue. 

Mace has also tried in the past to scrap minimum education requirements on federal cybersecurity jobs, introducing the Modernizing the Acquisition of Cybersecurity Experts Act in 2023. The bill passed the House but stalled out in the Senate.

The post House lawmakers take aim at education requirements for federal cyber jobs appeared first on CyberScoop.

UK abandons Apple backdoor demand after US diplomatic pressure

The United Kingdom has withdrawn its demand that Apple create a backdoor to its encrypted cloud systems following months of diplomatic pressure from the United States, according to a statement from Director of National Intelligence Tulsi Gabbard.

Gabbard announced the decision Monday on X, stating that the U.S. government had worked closely with British partners “to ensure Americans’ private data remains private and our Constitutional rights and civil liberties are protected.”

The reversal marks a significant development in the ongoing global debate over government access to encrypted communications and represents a victory for American officials concerned about protecting U.S. citizens’ digital privacy rights. 

The British government’s original demand came through a technical capability notice issued in January 2025 under the country’s Investigatory Powers Act. The order would have required Apple to provide blanket access to end-to-end encrypted cloud data, including information belonging to users outside the United Kingdom.

Apple responded to the British demand by disabling its Advanced Data Protection feature for U.K. users in February 2025. The feature provides end-to-end encryption for iCloud data storage, making it inaccessible even to Apple itself.

The company expressed disappointment with the requirement, stating it had never built backdoors into its products and never would. Apple subsequently appealed the order’s legality through the Investigatory Powers Tribunal, which denied the British government’s attempts to keep the proceedings secret.

“We are gravely disappointed that the protections provided by ADP will not be available to our customers in the U.K., given the continuing rise of data breaches and other threats to customer privacy,” Apple said at the time.

American lawmakers had expressed significant concern about the U.K.’s encryption demands. In February, Sen. Ron Wyden, D-Ore., and Rep. Andy Biggs, R-Ariz., wrote to Gabbard arguing that forcing Apple to create backdoors would “seriously threaten the privacy and security of both the American people and the U.S. government.”

The lawmakers noted that Apple does not create different encryption software for different markets, meaning any backdoor created for British authorities would potentially affect American users. They suggested the U.S. should reconsider its cybersecurity and intelligence-sharing arrangements with the U.K. if Apple were forced to comply with the demands.

The dispute echoes previous conflicts between Apple and government authorities over encryption access. In 2015, Apple engaged in a prolonged legal battle with the U.S. government over providing access to an iPhone belonging to a terrorist who carried out the San Bernardino attack. The FBI ultimately gained access through a third-party vendor after Apple refused to create custom software to bypass the device’s security.

The post UK abandons Apple backdoor demand after US diplomatic pressure appeared first on CyberScoop.

Here’s what could happen if CISA 2015 expires next month

Expiration of a 2015 law at the end of September could dramatically reduce cyber threat information sharing within industry, as well as between companies and the federal government, almost to the point of eliminating it, some experts and industry officials warn.

The Cybersecurity Information Sharing Act, also known as CISA 2015, is due to end next month unless Congress extends it. Leaders of both the House and Senate panels responsible for reauthorizing it say they intend to act on legislation next month, but the law still stands to expire soon without a quick bicameral deal.

The original 2015 law provided legal safeguards for organizations to share threat data with other organizations and the federal government.

“We can expect, roughly, potentially, if this expires, maybe an 80 to 90% reduction in cyber threat information flows, like raw flows,” Emily Park, a Democratic staffer on the Senate Homeland Security and Governmental Affairs Committee, said at an event last month. “But that doesn’t say anything about the break in trust that will occur as well, because at its core, CISA 2015, as an authority, is about trust, and being able to trust the businesses and organizations around you, and being able to trust the federal government that it will use the information you share with it.”

That estimate — 80 to 90% — is on the high side of warnings issued by policymakers and others, and some reject the notion that the sky is catastrophically falling should it lapse. Additionally, some of the organizations warning about the fallout from the law’s lapse benefit from its provisions. But there’s near-unanimity that expiration of the law could largely shift decisions about cyber threat info sharing from organizations’ chief information security officers to the legal department.

“If you think about it from the company’s perspective, what a lapse would do would be to cause the ability to share information — to move the decision from the CISO to the general counsel’s office,” said Amy Shuart, vice president of technology and innovation at Business Roundtable, which considered the issue important enough to fly in CISOs from member companies to meet with lawmakers this summer and persuade them to act. “And any good general counsel is going to say, ‘I used to have authority here that protects us from antitrust. We don’t have it anymore. Now I’ve got concerns.’ So we do anticipate that if this was to lapse, the vast majority of private sector information sharing would shut down just due to legal risk.”

A common expectation among watchers is that Congress is likely to pass a short-term extension attached to an annual spending bill known as a continuing resolution before the end of the current fiscal year, which also falls at the end of September. But that still gives lawmakers a short window, and even if a short-term extension passes, Hill appropriators are likely to be impatient about a long-term extension and unwilling to support any extension past the end of December.

Senate Homeland Security and Governmental Affairs Chairman Rand Paul, R-Ky., said last month that he intends to hold a markup of CISA 2015 extension legislation in September. A critic of the Cybersecurity and Infrastructure Security Agency over allegations that it pushed social media outlets to censor election security and COVID-19 data — allegations that then-CISA leaders denied — Paul said he wants to include language in any extension prohibiting the agency known as CISA from censorship.

The new leader of the House Homeland Security Committee, Andrew Garbarino, R-N.Y., also has said reauthorization is a priority, but wants to make other changes to the law as well.

“Reauthorizing the Cybersecurity and Information Sharing Act is essential as the deadline nears and as threats evolve,” Garbarino said in a statement to CyberScoop. “The House Committee on Homeland Security plans to mark up our legislative text for its reauthorization shortly after Congress returns from recess in September. In a 10-year extension, I will preserve the privacy protections in the law, and I aim to provide enhanced clarity to certain pre-existing provisions to better address the evolving threat landscape.”

Separate from the 2015 law, the Justice and Homeland Security departments have issued and updated legal guidance pertaining to cyber threat information sharing that sector-specific information sharing and analysis centers say undergird exchanges from company to company.

But a Supreme Court decision last year about federal regulatory authority could cast a shadow over that guidance should CISA 2015 expire, warned Michael Daniel, leader of the Cyber Threat Alliance. Furthermore, a failure from Congress to act could send a message to courts.

“A lack of congressional action to positively reauthorize private entities to monitor their networks, deploy defensive measures, and share information ‘notwithstanding any other provision of law’ introduces uncertainty about sharing information that could trigger certain criminal laws, such as the Computer Fraud and Abuse Act or the Stored Communications Act, or could violate antitrust laws when participating in collective cyber defense,” he recently wrote. “In short, the resulting uncertainty would reduce the amount of sharing that occurs, reintroduce friction into the system, and inhibit the ability to identify, detect, track, prepare for, or respond to cyber threats.”

Daniel told CyberScoop some of those discussions about expiration fallout are hypothetical at this point, but legal experts have told him they are realistic. 

Trump administration officials and nominees have said they support reauthorization of the 2015 law. There are links to its recent artificial intelligence action plan, which calls for establishment of an AI-ISAC.

“One of the things that we’ve heard the administration say loud and clear about their approach with the [AI] action plan is that they were thinking about what they could do within their existing authorities,” Shuart said. “CISA 2015 is an important existing authority for the action plan to be successful.”

Still, the future of the 2015 law is uncertain.

“There’s a lot of people kind of searching around for how to do this. I really couldn’t say I know that there’s a consensus,” said Larry Clinton, president of the Internet Security Alliance. “I know that there are people working in multiple different committees — Homeland Security, Armed Services, Appropriations, Intel — who are trying to figure out how to do this. And that’s a good thing, because we want all that support. It’s also a troubling thing because we wind up with too many cooks in the kitchen, and it’s harder to get things done without a consensus on the specifics of what needs to be done, given the tight timeline.”

The post Here’s what could happen if CISA 2015 expires next month appeared first on CyberScoop.

By gutting its cyber staff, State Department ignores congressional directives

The State Department has demonstrated it does not understand that cyber power is critical to geopolitical power. In the course of reorganizing offices and reducing staff over the past three weeks, the department’s political appointees have gutted President Trump’s ability to work with partners and allies on cybersecurity and technology resilience. Congress will need to intervene to defend its bipartisan effort to bolster cyber diplomacy. 

For years, Washington’s efforts to hold China, Russia, and Iran accountable for malicious cyber activity were hamstrung by an inability to effectively work with allies to quickly identify and punish perpetrators. America’s allies were failing to prevent cyberattacks on critical systems that the U.S. military needed to operate securely overseas. Instead, these attacks cascaded across continents and hit the U.S. homeland. And U.S. adversaries were running circles around the West’s principled stance on privacy and security in cyberspace, instead reshaping telecommunications infrastructure and the internet in their image. 

After watching successive administrations dither, Congress took a stand, passing the Cyber Diplomacy Act in 2022. The law tasked a new State Department Bureau of Cyberspace and Digital Policy (CDP) with promoting reliable and secure internet infrastructure, building the cyber capacity of U.S. partners, and advancing technology and cybersecurity policies globally that bolster U.S. economic and national security interests. 

To accomplish this mission, CDP pulled together existing, disparate economic and international security functions related to cyber and technology into a single, more efficient operation. By all accounts, this consolidation made CDP successful.

When Congress tasked the bureau with managing a unique cyber assistance fund to rapidly respond to incidents overseas, CDP created a mechanism to airdrop expertise into partner countries in as little as two days.

Likewise, when Congress tasked the bureau with securing communications technology, semiconductor supply chains, and other emerging technology, the bureau paired U.S. seed funding with investments from allies and technology companies to box out Chinese firms attempting to dominate telecommunications in the Indo-Pacific. 

On July 1, however, the State Department stepped backwards. Despite its stated goal of creating a “more agile Department” and reducing duplicative offices, Foggy Bottom pulled CDP apart into multiple offices, each of which now holds a piece of the cyber mission. CDP lost its division responsible for responding to cyberattacks to a new bureau on emerging threats. Its strategy team moved to the personal staff of the undersecretary of economic growth. And its internet freedom team went to the undersecretary for public diplomacy. 

CDP will now consist of two slimmed-down teams. One will focus on internet governance and technical standards, the other on using U.S. foreign aid to bolster allied cybersecurity. However, after the trifecta of the dissolution of the U.S. Agency for International Development, the foreign aid freezes earlier this year, and Congress’ acquiescence to billions of dollars in cuts to previously allocated foreign aid, it is not clear what funds CDP will have to help U.S. allies.

Unfortunately, the crippling of State’s cyber diplomacy capabilities is the result not just of the restructuring but also of a significant loss of subject matter expertise. In the course of reducing its overall workforce in mid-July, State fired at least a half dozen people from CDP. The bureau lost two strategists and five of only eight experts working on bilateral and regional affairs.

CDP had expected to bring in staff from other technology-focused offices as they were dissolved. Instead, quantum, artificial intelligence, and other technology experts were fired. Over the past few months, other CDP staff have accepted the department’s offers of deferred resignation and early retirement. And State reassigned CDP’s acting head, leaving the bureau without a leader. 

At an April hearing about CDP, the House Foreign Affairs Committee’s Europe Subcommittee Chairman Keith Self, R-Texas, affirmed the importance of State’s cyber capabilities. “The U.S. is not facing these real and growing threats alone,” he noted. “Through cooperation with our allies and partners, the U.S. will continue to work to combat malign cyber activities from the PRC, Iran, North Korea and Russia.” 

After a bipartisan show of support for the bureau, the subcommittee staff are drafting components of a State reauthorization bill from Foreign Affairs Committee Chairman Brian Mast, R-Fla., that would bolster CDP’s mandate. If Foggy Bottom keeps undercutting CDP, however, there may be little left to reauthorize. 

Chairman Mast indicated he plans to bring the reauthorization bill to the floor at the end of September. Lawmakers need to weigh in with State Department leadership sooner rather than later, however, to remind Secretary of State Marco Rubio that he himself voted for the Cyber Diplomacy Act when he served in the Senate. He knew then what members know now: Without strong cyber capabilities within the State Department, America’s partners will turn to unreliable associates in China for infrastructure investment and succumb to cyberattacks that place U.S. forces overseas at risk.

It will take years to rebuild State’s capabilities. While Congress should move quickly to re-integrate CDP’s component pieces, reauthorize cyber foreign assistance, and restart secure technology projects, the loss of subject matter experts will take longer to fix. The cyber experts with sought-after skills that State let go are not waiting by the phone to get their old jobs back. They will move on to higher-paying private sector jobs. Only after the department re-commits to its cyber mission and places a Senate-confirmed ambassador at the helm of the bureau will the department have a hope of reconstituting all that it lost over a few weeks in July.

The post By gutting its cyber staff, State Department ignores congressional directives appeared first on CyberScoop.