A top Senate Democrat introduced legislation Thursday to extend and rename an expired information-sharing law, and make it retroactive to cover the lapse that began Oct. 1.

Michigan Sen. Gary Peters, the ranking member of the Homeland Security and Governmental Affairs Committee, introduced the Protecting America from Cyber Threats (PACT) Act, to replace the expired Cybersecurity and Information Sharing Act of 2015 (CISA 2015) that has provided liability protections for organizations that share cyber threat data with each other and the federal government. Industry groups and cyber professionals have called those protections vital, sometimes describing the 2015 law as the most successful cyber legislation ever passed.

The 2015 law shares an acronym with the Cybersecurity and Infrastructure Security Agency, which some Republicans — including the chairman of Peters’ panel, Rand Paul of Kentucky — have accused of engaging in social media censorship. As CISA 2015 has lapsed and Peters has tried to renew it, “some people think that’s a reauthorization of the agency,” Peters told reporters Thursday in explaining the new bill name.

“There are some of my Republican colleagues who have concerns about CISA as the agency, and I remind them, this is not about the agency,” he said. “It’s about … cybersecurity protections and the ability to have liability protections and to be able to share information. I’ve often heard the chair conflate the two, and I have to continually remind him.”

A House bill also would establish a different name.

Paul has objected to Peters’ attempts on the floor to extend CISA 2015. A shorter-term extension of the law was included in the House-passed continuing resolution to keep the government open, but that bill didn’t advance in the Senate, prompting a shutdown.

Peters’ latest bill, like earlier legislation he co-sponsored with Sen. Mike Rounds, R-S.D., would extend CISA 2015 for 10 years. He rejected the idea of trying to get a shorter-term extension until a longer-term extension could be passed.

“One thing that is very clear from all of the stakeholders is that they need long-term certainty when it comes to these protections, that you can’t operate with just a few-week-patch and then another few-week–patch,” Peters said. “That’s no way to run a business. That’s no way to run a sophisticated cybersecurity operation.”

Michael Daniel, leader of the Cyber Threat Alliance made up of cybersecurity companies, told CyberScoop that his organization hasn’t been affected by the lapse yet, but that’s partially because it’s an organization that was set up with the long term in mind, with a formalized structure that included information-sharing requirements  for members.

The lapse might also not immediately affect other organizations, he said, comparing it to the risks of the government shutdown underway.

“An hour-long lapse doesn’t really do very much, but the longer it goes on, the more you have time for organizations to say, ‘Well, maybe we need to reconsider what we’re doing, maybe we need to think about it differently,’” Daniel said. “The longer it goes on, you start having questions about, ‘Maybe this thing won’t get reauthorized down the road.’ And once you start questioning the long-term prospects, that’s when people start making changes in their behavior.”

Peters said he’s heard from organizations becoming increasingly nervous about the expiration, but didn’t want to comment on whether any had stopped sharing because that’s “sensitive information, important information, and our adversaries should know as little about what’s happening as possible.”

Peters said he wouldn’t comment on his deliberations with Paul, or comment on Paul’s motives for objecting to his floor maneuvers. Paul cancelled a planned markup of his own version of CISA 2015 renewal legislation in September that included language on free-speech guarantees under CISA the agency, with a spokesperson saying Democrats had requested more time and were “not negotiating in good faith.”

Peters told reporters that claim was “absolutely false … the problem is not on our end.”

The revised Peters legislation doesn’t touch on the topic of free speech. Democrats and Republicans have blamed one another for the government shutdown.

“Firstly, this authority will be turned back on when Democrats, including the bill sponsor, vote to reopen the government,” said Gabrielle Lipsky, a spokesperson for Paul. “The Senator has made it clear that a longer-term reauthorization will need robust free speech protections included.”

Peters said he had spoken to Senate Majority Leader John Thune, R-S.D., about getting the bill through Senate procedures. He and Rounds have both been speaking with colleagues to gain backing. The Trump administration also has been lobbying senators to support a CISA 2015 reauthorization.

“I’m confident that if this bill gets to the floor for a vote, it will not only pass, it will pass overwhelmingly,” he said. “And that’s what we’re working to do.”

The post Sen. Peters tries another approach to extend expired cyber threat information-sharing law appeared first on CyberScoop.

The Cybersecurity and Infrastructure Security Agency doesn’t have any plans in place for continuing a threat information-sharing program should a 2015 law that laid the groundwork for its creation expire Wednesday, according to a new watchdog report.

The inspector general report points to yet more potential complications for threat data exchanges between industry and the government should the 2015 Cybersecurity Information Sharing Act, known as CISA 2015, lapse. Already, private-sector groups and cyber professionals have been sounding alarms about what would happen if the law’s legal safeguards disappear — something that’s now almost certain to happen after Tuesday’s expiration deadline is set to transpire without action from Congress.

The IG report takes a look at the Automated Indicator Sharing (AIS) program that the Department of Homeland Security established in the year after passage of CISA 2015. The voluntary program was designed to allow the exchange of machine-readable cyber threat indicators (CTIs), like malicious IP addresses, and defensive measures (DMs), defined as activity that protects information systems against cyber threats.

According to the IG, CISA (the agency) has not finalized plans for continued use of the program in the event of the expiration of the 2015 law.

“Without finalizing this plan, CISA could be hindered in how it shares information on cyber threats, which would reduce its ability to protect the Nation’s critical infrastructure from cyber threats,” the report, dated Sept. 26, states.

While creation of the AIS program was one of the most direct outcomes of the passage of CISA 2015, many industry groups do not consider it the most important impact of the law, instead focusing on the legal protections it provides. Still, the IG report details how much activity the AIS program is involved in: 10 million cyber threat indicators shared in 2024.

That figure also points to weaknesses within the program, however, according to the IG. The 10 million indicators is a big jump from the prior calendar year, when the number was 1 million.

“Although the number of CTIs and DMs increased in 2024, CISA continues to rely on a small number of partners to share information,” the report states. “CISA officials attributed recent increases in shared CTIs and DMs to a private-sector partner’s significant contribution. In 2024, this private-sector partner added more than 4 million CTIs and DMs to each of the Federal and public collections — accounting for 89 percent of the public collection and 83 percent of the Federal collection.”

The report doesn’t identify that private-sector partner. An earlier report attributed a steep drop in the sharing of cyber threat indicators to an unnamed federal partner withdrawing from the program.

“CISA’s overreliance on information shared by specific participants may lead to inconsistent results and prevent long-term program growth if top contributing partners stop participating,” the report reads.

There were only 18 federal participants in 2024 in all, and 87 non-federal participants. That’s an increase from last year in both cases, but a fall from the 2020 peak of 304 total participants. Some of those participants, though, are industry-specific information sharing and analysis centers that might include hundreds of organizations.

CISA’s response to the IG’s findings left the program’s future uncertain should the 2015 law expire, according to the report.

“Program officials stated that although CISA continues to be committed to sharing CTIs and DMs in an automated, unclassified machine-readable format such as AIS, the decision on whether to maintain the capability will be based on available resources and leadership’s priorities,” the report states. “CISA officials said if the Act were to expire, they would analyze the value of AIS, including the average operational cost of $1 million per month and a likely reduction in CTI and DM volume, to determine whether resources could be redirected from other agency priorities to support AIS.”

CISA referred requests for comment to the agency’s response contained within the report.

“It is important for readers of this report to understand that automated threat intelligence and information sharing with our global partners and stakeholders remains a priority for CISA, and that there are no immediate or near-term plans to discontinue the Automated Information Sharing [sic] service, regardless of the status of the Cybersecurity Act of 2015,” reads the response from Madhu Gottumukkala, the acting director of CISA. “Subject to available appropriations, CISA remains authorized to operate Automated Information Sharing irrespective of the possible sunset of the Cybersecurity Information Sharing Act of 2015 on September 30, 2025, and CISA will continue to modernize and evolve Automated Information Sharing to meet the needs of its partners and stakeholders.”

The post Watchdog: Cyber threat information-sharing program’s future uncertain with expected expiration of 2015 law appeared first on CyberScoop.

A critical, longstanding piece of America’s cybersecurity infrastructure is perilously close to vanishing overnight. 

On Tuesday, the Cybersecurity Information Sharing Act (CISA) expires — and with it, the legal protections that enable countless organizations to share threat intelligence with the federal government. Without swift congressional action, we risk dismantling years of progress in collaborative cyber defense at the precise moment we need it most.

As we approach CISA’s 10-year anniversary, we’re confronted with the reality that today’s threat landscape is virtually unrecognizable from a decade ago. In 2015, we worried about data breaches and website defacements. 

Today, we face AI-powered attacks, the proliferation of cybercrime-as-a-service, supply chain compromises that ripple across entire sectors, undetected cyberattacks that pre-positions adversaries, and sophisticated ransomware ecosystems where criminals and nation-states share resources to scale their cyber operations. 

The recent Salt Typhoon intrusions into U.S. telecommunications infrastructure underscore a harsh reality: our adversaries have evolved faster than our defenses.

The damaging cost of inaction

CISA’s expiration wouldn’t just be a bureaucratic hiccup — it would trigger a cascade of consequences across our digital infrastructure. The act’s safe harbor provisions and liability protections form the legal backbone that allows private companies to share cyber threat indicators with government agencies, without fear of lawsuits. Remove these protections, and organizations will retreat into information silos, leaving us blind to emerging threats.

Consider what could happen if these protections disappear: a financial institution that detects suspicious activity linked to a nation-state campaign could face legal exposure for sharing that intelligence. A single hospital’s medical records compromised during a cyberattack could put an entire health care system at risk. The telecommunications companies that need to coordinate during incidents like Salt Typhoon could lose their legal framework for collaboration. 

This isn’t speculation — it’s the pre-2015 reality we’d return to.

Beyond band-aids: modernizing for tomorrow’s threats

While the proposed WIMWIG Act aims to extend CISA through 2035, simply reauthorizing outdated frameworks won’t thoroughly address modern security challenges. We’re still operating in a reactive cybersecurity paradigm that tells organizations what already happened, rather than helping them understand what’s currently happening based on signals and criminal behaviors. 

Current information sharing focuses heavily on Indicators of Compromise (IoCs) — specific IP addresses, domains, and file hashes that attackers use. But in an era of AI and automation, threat actors constantly pivot their infrastructure, making these IoCs stale within days, hours, or even minutes.

The truth is, while threat intelligence serves larger organizations with mature security operations, most organizations struggle to leverage it effectively. We need intelligence that doesn’t just catalog past attacks but that provides predictive insights. 

This is why the real opportunity lies in shifting from reactive IoC sharing to proactive behavioral analytics and telemetry. Instead of sharing that an attacker used a specific IP address — which they’ll constantly spin up new infrastructure — we need to share how they moved through networks, what techniques they employed, and what behaviors preceded the attack. Three failed login attempts might mean nothing in isolation, but when combined with lateral movement patterns and privilege escalation behaviors, they reveal an active intrusion.

This shift becomes even more critical as we enter the age of non-human identities. Cloud services, operational technology, and AI systems are creating environments where machine identities outnumber human ones 10:1. 

Understanding the complex relationships and interactions across these hybrid environments requires contextual intelligence that transforms raw telemetry into actionable insights about ongoing threats and likely identities that will be targeted.

A path forward

Congress faces a choice: settle for short-term extensions that kick the can down the road or seize this moment to modernize our cyber defense systems. Some may view CISA’s potential expiration as a retreat from collective cyber defense, but it could instead represent an opportunity to build something stronger — a modern framework that demonstrates America’s commitment to defending against cyber threats at every level. 

Meaningful reauthorization must include: 

• Enhanced liability protections that cover behavioral anomalies, not just traditional IoCs. Organizations need legal clarity in order to share the rich, contextual intelligence that actually prevents attacks.
• Mandated reciprocity in intelligence flows. Too often, private sector sharing has been a one-way street. Federal agencies must provide consistent, enriched, and actionable intelligence back to industry partners, fostering true collaboration rather than mere collection.
• Incorporation of AI and automation capabilities that can process behavioral patterns at scale, enabling real-time threat detection across our increasingly complex digital ecosystem.
• Improved oversight mechanisms that ensure the program evolves with the threat landscape rather than remaining frozen in 2015-era security methodologies.

The urgency is real

With bipartisan reauthorization efforts facing tight timelines, the window to get this right is closing fast. If CISA 2015 lapses, it shouldn’t be due to political gridlock but because we’ve chosen to seize this opportunity to build a cyber defense framework worthy of the challenges ahead.

Every day of delay gives our adversaries a greater advantage. Every moment of uncertainty weakens our collective cyber defense. Congress must act decisively, not just to preserve what we have, but to build the proactive, behavior-based intelligence-sharing ecosystem our national security demands.

In just a day, we’ll either have a modernized framework for collaborative cyber defense, or we’ll watch a decade of progress crumble. The choice before Congress isn’t just about renewal — it’s about transformation. Let’s ensure any outcome strengthens, not weakens, our nation’s cyber resilience. 

The time for action is now — we must defend and protect forward.

Kevin E. Greene is the chief cybersecurity technologist for public sector at BeyondTrust. He previously held tech roles at OpenText, the MITRE Corporation and in the cybersecurity division of the Department of Homeland Security’s Science and Technology Directorate.

The post Expired protections, exposed networks: The stakes of CISA’s sunset appeared first on CyberScoop.

Pessimism is mounting about the chances that Congress will reauthorize a cyber threat information-sharing law before it’s set to expire at the end of this month — with no clear path for either a temporary or long-term extension.

Industry groups and the Trump administration have put a lot of muscle into renewing the 2015 Cybersecurity Information Sharing Act (CISA 2015), which they say is a vital tool in the fight against malicious hackers because of the legal protections it provides for organizations to share cyber threat data with each other and the government.

But in recent weeks, multiple efforts to re-up the law have failed or been brushed aside:

• The House inserted a two-month extension of CISA 2015 into a continuing resolution to avert a government shutdown, but after the House passed the bill, the Senate voted against the continuing resolution last week. Negotiations about continuing to fund the federal government past the end of this month appear to be at a standstill.
• The Senate Homeland Security and Governmental Affairs Committee had scheduled a markup of legislation last week introduced by Chairman Rand Paul, R-Ky., to extend the law with significant changes that drew bipartisan and industry criticism. The panel then abruptly canceled the markup.
• The top Democrat on Paul’s panel, Gary Peters of Michigan, tried to get an unaltered or “clean” 10-year reauthorization of the expiring law passed on the Senate floor with a unanimous consent motion, but Paul objected without explanation, preventing it from advancing.
• House Homeland Security Chairman Andrew Garbarino, R-N.Y., sought earlier this month to offer his legislation to extend and alter CISA 2015 as an amendment to the House version of the annual defense policy bill, or National Defense Authorization Act (NDAA), but the Rules Committee prohibited the amendment from receiving a vote. (A Senate intelligence policy bill had included a 10-year extension, but when senators folded the intelligence authorization bill into that chamber’s version of the NDAA, Paul objected and got it removed.)

All of that leaves an extension of CISA 2015 without a home, and with a key senator, Paul, likely to stand in the way of swift renewal anytime soon. Under the circumstances, “I bet it does” expire, one industry source said of CISA 2015. 

“I’d be pleasantly surprised if it is continued given Paul’s objection,” the source said.

And that could be a big problem for both lawmakers and private-sector organizations.

While it’s unclear exactly how even a temporary lapse in the law might affect cyber information sharing, some have offered dire predictions about how bad it will be. In the legal community, “if you’re giving people a reason not to do something, they won’t do it,” said another industry source. 

If there’s a big breach during a time when the law has expired, the political risks increase, because cyberattack victims are likely to blame the lapse for what happens, said the source, who has extensive cybersecurity policy experience.

Best hopes (until recently)

Advocates had long pinned their hopes that a temporary two-year CISA 2015 renewal would be included in the continuing resolution (CR), given the urgency to avoid a government shutdown and the fact that the law was sent to expire when the fiscal year ends gave Congress a perfect opportunity. The House GOP’s inclusion of that short-term extension language in the CR — and Democrats’ support for it in their own proposal — indicated widespread support for the idea. The CR passed 217-212.

Senate leaders have a tradition of honoring objections on policy matters from the heads of the committees with jurisdiction over those topics when they are up for consideration in other bills. But multiple observers told CyberScoop that they interpreted the inclusion of the CISA 2015 law extension in the House CR as a sign that Senate leaders were prepared to ignore objections from Paul in this case. 

Besides lawmakers and private-sector groups, the Trump administration has been pressing for renewal. Industry and Senate sources say that new National Cyber Director Sean Cairncross has been especially focused on selling lawmakers on the need for action on CISA 2015.

But temporary renewal is now a casualty of the broader fight over a government shutdown, with the Senate voting 44-48 against the CR.

Paul complications

Earlier this month, the House Homeland Security Committee approved Garbarino’s bill to renew CISA 2015 for 10 years by a vote of 25-0. While Democrats questioned whether the legislation should’ve included any changes to the law rather than a “clean” reauthorization, Garbarino’s changes themselves garnered no significant opposition.

That wasn’t the case for the version Paul sponsored and that was scheduled for vote in his committee last week, which would have provided a two-year reauthorization. Industry groups objected to the Paul legislation striking provisions of the 2015 law that provided protections related to cyber threat data sharing with the federal government against disclosure from Freedom of Information Act requests. They opposed a section that would get rid of the law’s section on federal preemption, under which the law supersedes state laws and regulations.

Democrats also raised concerns about several key definitions in the law, including those related to the rules for  how companies can use defensive measures. According to Senate aides who spoke with CyberScoop, these changes could leave small- and medium-sized businesses particularly vulnerable. Combined with the other industry objections, the aides said, Paul’s bill would have functionally ended private sector information sharing with the government.

Industry is wary of major changes to CISA 2015 in general.

“The fact is that over the last 10 years, it’s been an effective way for the private sector to share information, which is a key ingredient in improving cybersecurity, and we should just be very careful while making changes to something that is working pretty well,” said Henry Young, senior director of policy for Business Software Alliance.

A section of the legislation that Paul wrote on free speech protections also created questions.  Five Senate and industry sources told CyberScoop that Paul canceled the markup because Senate Republican panel members planned amendments that would have, with somewhat different approaches, stripped Paul’s changes in favor of a “clean” reauthorization. 

Spokespeople for senators that sources said were behind those amendments, Joni Ernst of Iowa and Bernie Moreno of Ohio, did not respond to requests for comment.

A spokesperson for Paul disputed what the sources told CyberScoop about the reason for the cancellation.

“The characterization of the cancellation of the markup is false,” said the spokesperson, Gabrielle Lipsky. “The Democrats, who are not negotiating in good faith, asked for more time.”

Peters said in a Senate floor speech Friday that it was “disappointing” that Paul canceled the markup, and that “we were blocked from even having a discussion about the policy or draft legislation.”

Constituents in Paul’s home state have lobbied him on the importance of a “clean” reauthorization of CISA 2015; Paul’s public remarks about extension of the law have largely focused on passing a bill that includes additional guarantees on free speech.

“We make this request respecting your determination to protect Americans’ privacy and freedom of speech from censorship and intimidation by federal government employees, and we share those concerns,” a number of Kentucky business groups wrote to Paul in a Sept. 17 letter advocating for a “clean” extension. “We would welcome the opportunity to work with you to increase privacy and censorship protections in other legislation.” 

Peters asked for unanimous consent Friday for the Senate to advance a 10-year reauthorization. Paul said only, “I object,” thus blocking the renewal effort from Peters.

“Congress must pass an extension of these cybersecurity protections and prevent a lapse that would completely undercut our cybersecurity defenses and expose critical sectors to preventable attacks,” Peters said in a statement to CyberScoop. “These liability protections ensure trusted, rapid information sharing between the private sector and government to quickly detect, prevent, and respond to cybersecurity threats. I’m continuing to work toward a bipartisan, bicameral deal that will renew these protections for the long-term, but we cannot afford to let these critical cybersecurity protections expire at the end of the month.”

Other avenues

A common hope among advocates was that after a short-term extension became law as part of the CR, a longer-term extension would be included in the NDAA, which often passes toward the end of each calendar year or the start of the next.

But hopes for that diminished after actions in both the House and Senate. In the Senate, the Intelligence Committee had included a 10-year renewal in its annual intelligence authorization bill. That legislation was then included in the Senate version of the NDAA, but sources on and off the Hill told CyberScoop that Paul objected to inclusion of the CISA 2015 extension, so it was removed.

And the Rules Committee decided on Sept. 9 that Garbarino’s CISA 2015 renewal amendment wasn’t germane, thus preventing him from offering it during debate on the House floor about the NDAA. One day later, the House passed its version of the NDAA, 231-196.

The next steps for CISA 2015 reauthorization are unclear. Paul’s office did not respond to a question about his future plans for renewing CISA 2015.

Options for a short-term renewal are limited for now to whatever congressional leaders do to try to revive or replace a CR, but the timeline for doing so before CISA 2015 expires is exceptionally tight. Options for a long-term renewal might include an amendments package for the Senate version of the NDAA, since the full Senate has yet to take up its bill.

CISA 2015 “must not lapse on September 30, 2025. Allowing it to expire will create a significantly more hostile security environment for the U.S.,” Matthew Eggers, vice president of cybersecurity policy in the cyber, intelligence, and security division at the U.S. Chamber of Commerce, told CyberScoop in a written statement. “The Chamber advocates for a multi-year reauthorization of this vital law. Short-term extensions are counterproductive. Both the private sector and the government need certainty, including the ability to allocate resources for long-term cybersecurity planning and implementation. House and Senate leaders and the Trump administration have expressed strong support for reauthorizing CISA 2015.”

The post Cyber threat information law hurtles toward expiration, with poor prospects for renewal appeared first on CyberScoop.

The United States needs a “new, coordinated strategy” to counter its cyber adversaries and “shift the burden of risk in cyberspace from Americans to them,” National Cyber Director Sean Cairncross said Tuesday.

“Collectively, we’ve made great progress in identifying, responding to and remediating threats, but we still lack strategic coherence and direction,” he said at the Billington Cybersecurity Summit. “A lot has been done, but it has not been sufficient. We’ve admired the problem for too long, and now it’s time to do something about it.”

The Biden administration produced its first cybersecurity strategy in 2023, with its Office of the National Cyber Director leading the writing of that document. It was part of a broader Biden administration approach to shift the cyber burden from individuals to more powerful institutions like the private sector. 

“The Trump administration will drive a new coordinated strategy that will advance U.S. interests and thwart our adversaries in cyberspace,” Cairncross said in a speech that marked his first public remarks since his confirmation in August. “America has the best talent, the most innovative private sector, the brightest research universities, broad academic resources and powerful government capabilities.

“We have all the tools, and now we have the political will in place to address these challenges,” he said. “We must work together, using all of our nation’s cyber capabilities, to shape adversary behavior and, most importantly, shift the burden of risk in cyberspace from Americans to them.”

The United States needs to “create an enduring advantage” over China, he said. China and other U.S. cyber adversaries that Cairncross called “brittle authoritarian regimes” simultaneously have to expend resources tracking dissidents and maintaining control, but also have the advantage of being able to “integrate instruments of power more seamlessly than we can.”

Cairncross said of cyberspace that “for too long, our adversaries have operated in this environment with near impunity. For too long, we have foregone the chances to set conditions for sustained security and stability. Our action or inaction today holds tremendous implications for our future.”

In separate remarks at another event Tuesday, Cairncross said he also wants to help international allies, particularly nations in the Five Eyes intelligence alliance, combat China’s efforts. 

“There’s many partners around the world who are looking for help as China attempts to export a surveillance state across planet Earth, country by country, continent by continent,” he said at an event hosted by Politico. “We have to engage to help fight that.” 

At the Politico event, he also said he expects the office to be more streamlined with the National Security Council and Cybersecurity and Infrastructure Security Agency, adding that the White House has been focused on what Cairncross referred to as eliminating the “turf wars and bureaucratic nonsense” of prior administrations.   

“The United States hasn’t had an overarching cyber policy strategy that’s set in coordination from offense all the way through to end-user defense, to state, local and tribal governments, working together in putting tactical operations and policies in place that support and feed into that strategy,” he said. “That is what we are going to do.”

In the shorter term, Cairncross mentioned three priorities. One is passage of legislation to reauthorize a law expiring this month that provides legal protections to companies for sharing cyber threat data with the government and within the private sector, the Cybersecurity Information Sharing Act of 2015.

Another is for “the federal government to get our own house in order,” he said.

“Our federal systems need rapid modernization,” Cairncross said, and the Trump administration is working on policies to “update our technologies and ensure that we’re prepared for a post-quantum future.”

And third, industry needs to focus on securing its products and protecting privacy at the outset, during the design process — and the administration will work to streamline cybersecurity regulations on industry’s behalf, he said.

Cairncross said it was a priority of the first Trump administration, and would continue to be in the second, to develop the cybersecurity workforce. Under Trump, however, the administration has pushed to dramatically slash personnel and funding for CISA.

Greg Otto contributed to this report. 

The post National cyber director: U.S. strategy needs to shift cyber risk from Americans to its adversaries appeared first on CyberScoop.

A House panel advanced legislation Wednesday that would reauthorize a major cyber threat information sharing law and a big-dollar state and local cyber grant program before they’re set to expire at the end of this month.

Trump administration officials and nominees, as well as cybersecurity organizations and experts, have voiced support for renewing them both as they near their respective lapses. Expiration of the information sharing law in particular has led industry groups and others to warn about dangerous ramifications about the collapse of cyber threat data exchanges.

At the House Homeland Security Committee markup, the panel also approved bills addressing pipeline cybersecurity and terrorists’ use of generative artificial intelligence.

The 2015 Cybersecurity and Information Sharing Act has provided legal protections to the private sector to share threat data with the federal government and between companies and organizations. The Widespread Information Management for the Welfare of Infrastructure and Government Act, which the panel approved 25-0, would reauthorize it for another 10 years, with updates.

“Reauthorizing this law and ensuring the relevance of this framework before it expires is essential for retaining our cyber resilience,” said Rep. Andrew Garbarino, N.Y., the chair of the committee and lead sponsor of the re-up legislation. The original legislation, he said, “changed the cybersecurity landscape forever, and for the better.”

The bill encourages the use of secure AI to improve technical capabilities, updates legal definitions to capture newer hacking tactics and seeks to preserve and strengthen existing privacy protections, he said.

The top Democrat on the committee, Bennie Thompson of Mississippi, said the committee should have approved a simpler reauthorization to give lawmakers and affected parties more time to take a look at the legislation’s changes to the 2015 law, but he supported moving the bill forward.

Garbarino said he had a good conversation Tuesday evening with his Senate counterpart, Homeland Security and Governmental Affairs Committee Chairman Rand Paul, R-Ky., about the path forward on the legislation.

Paul and other GOP lawmakers have said they want renewal of the 2015 law to include language prohibiting the Cybersecurity and Infrastructure Security Agency — which plays a large role in carrying out the law — from censoring speech, despite past responses from agency officials that they have not censored anyone. Garbarino’s bill doesn’t contain any provisions about that.

The panel voted 22-1 to approve the Protecting Information by Local Leaders for Agency Resilience Act, which would extend the State and Local Cybersecurity Grant Program for another 10 years. The program has doled out $1 billion.

“Many local governments have a long way to go to be prepared for cyberattacks from adversaries like the Chinese Communist Party,” said the bill’s sponsor, Rep. Andy Ogles, R-Tenn. He said that while “I usually want Washington to do less,” the federal government might have to foot the bill later anyway if it doesn’t help state and local governments shore up their defenses.

It would provide 60% of funds to state, local and tribal governments that are eligible, or 70% for those applying together. It would direct a federal outreach effort to smaller communities, and stress defense for both information technology and operational technology, Ogles said. Appropriators would still need to dedicate funding to the program, even if President Donald Trump signs it into law.

A coalition of tech and cybersecurity groups wrote to congressional leaders Tuesday urging them to extend the program, listing examples of how the grant program has defended against specific cyberattacks across the nation. “Without continued funding, hard-won progress will stall, and communities across the country will be left vulnerable — handing our adversaries a dangerous advantage,” their letter reads.

Paul hasn’t publicly indicated his plans for the expiring grant program. The two bills would provide new names for the things they are authorizing: WIMWIG replacing 2015 CISA, and PILLAR replacing the grant program.

The House Homeland Security Committee also voted 21-0 to advance the Generative AI Terrorism Risk Assessment Act, which would require the Department of Homeland Security to conduct annual assessments on how terrorist groups use artificial intelligence to carry out terrorist activity, such as seeking to radicalize potential recruits.

“Known terrorist organizations like ISIS or Al Qaeda or others have gone so far as to have AI workshops to train members on its use,” said the bill’s sponsor, Rep. August Pfluger, R-Texas.

And the committee voted 22-0 to approve the Pipeline Security Act that would codify the Transportation Security Administration’s pipeline security office into law and specify its responsibilities, including on cybersecurity. TSA wrote cybersecurity regulations in response to the 2021 Colonial Pipeline hack.

“We don’t just risk our national security, we risk supply chain disruptions that will create a ripple effect throughout our communities” if we fail to protect our pipelines, said the bill’s sponsor, Rep. Julie Johnson, D-Texas.

The post House panel approves cyber information sharing, grant legislation as expiration deadlines loom appeared first on CyberScoop.

Expiration of a 2015 law at the end of September could dramatically reduce cyber threat information sharing within industry, as well as between companies and the federal government, almost to the point of eliminating it, some experts and industry officials warn.

The Cybersecurity Information Sharing Act, also known as CISA 2015, is due to end next month unless Congress extends it. Leaders of both of the House and Senate panels with the responsibility for reauthorizing it say they intend to act on legislation next month, but the law still stands to expire soon without a quick bicameral deal.

The original 2015 law provided legal safeguards for organizations to share threat data with other organizations and the federal government.

“We can expect, roughly, potentially, if this expires, maybe an 80 to 90% reduction in cyber threat information flows, like raw flows,” Emily Park, a Democratic staffer on the Senate Homeland Security and Governmental Affairs Committee, said at an event last month. “But that doesn’t say anything about the break in trust that will occur as well, because at its core, CISA 2015, as an authority, is about trust, and being able to trust the businesses and organizations around you, and being able to trust the federal government that it will use the information you share with it.”

That estimate — 80 to 90% — is on the high side of warnings issued by policymakers and others, and some reject the notion that the sky is catastrophically falling should it lapse. Additionally, some of the organizations warning about the fallout from the law’s lapse benefit from its provisions. But there’s near-unanimity that expiration of the law could largely shift decisions about cyber threat info sharing from organizations’ chief information security officers to the legal department.

“If you think about it from the company’s perspective, what a lapse would do would be to cause the ability to share information — to move the decision from the CISO to the general counsel’s office,”  said Amy Shuart, vice president of technology and innovation at Business Roundtable, which considered the issue important enough to fly in CISOs from member companies to meet with lawmakers this summer and persuade them to act. “And any good general counsel is going to say, ‘I used to have authority here that protects us from antitrust. We don’t have it anymore. Now I’ve got concerns.’ So we do anticipate that if this was to lapse, the vast majority of private sector information sharing would shut down just due to legal risk.”

A common expectation among watchers is that Congress is likely to pass a short-term extension that would be attached to an annual spending bill known as a continuing resolution before the end of the current fiscal year, which also is tied to the end of September. But that still gives lawmakers a short window, and even if a short-term extension passes, Hill appropriators are likely to be impatient about a long-term extension and unwilling to aid any extension past the end of December.

Senate Homeland Security and Governmental Affairs Chairman Rand Paul, R-Ky., said last month that he intends to hold a markup of CISA 2015 extension legislation in September. A critic of the Cybersecurity and Infrastructure Security Agency over allegations that it pushed social media outlets to censor election security and COVID-19 data — allegations that then-CISA leaders denied — Paul said he wants to include language in any extension prohibiting the agency known as CISA from censorship.

The new leader of the House Homeland Security Committee, Andrew Garbarino, R-N.Y., also has said reauthorization is a priority, but wants to make other changes to the law as well.

“Reauthorizing the Cybersecurity and Information Sharing Act is essential as the deadline nears and as threats evolve,” Garbarino said in a statement to CyberScoop. “The House Committee on Homeland Security plans to mark up our legislative text for its reauthorization shortly after Congress returns from recess in September. In a 10-year extension, I will preserve the privacy protections in the law, and I aim to provide enhanced clarity to certain pre-existing provisions to better address the evolving threat landscape.”

Separate from the 2015 law, the Justice and Homeland Security departments have issued and updated legal guidance pertaining to cyber threat information sharing that sector-specific information sharing and analysis centers say undergird exchanges from company to company.

But a Supreme Court decision last year about federal regulatory authority could cast a shadow over that guidance should CISA 2015 expire, warned Michael Daniel, leader of the Cyber Threat Alliance. Furthermore, a failure from Congress to act could send a message to courts.

“A lack of congressional action to positively reauthorize private entities to monitor their networks, deploy defensive measures, and share information ‘notwithstanding any other provision of law’ introduces uncertainty about sharing information that could trigger certain criminal laws, such as the Computer Fraud and Abuse Act or the Stored Communications Act, or could violate antitrust laws when participating in collective cyber defense,” he recently wrote. “In short, the resulting uncertainty would reduce the amount of sharing that occurs, reintroduce friction into the system, and inhibit the ability to identify, detect, track, prepare for, or respond to cyber threats.”

Daniel told CyberScoop some of those discussions about expiration fallout are hypothetical at this point, but legal experts have told him they are realistic. 

Trump administration officials and nominees have said they support reauthorization of the 2015 law. There are links to its recent artificial intelligence action plan, which calls for establishment of an AI-ISAC.

“One of the things that we’ve heard the administration say loud and clear about their approach with the [AI] action plan is that they were thinking about what they could do within their existing authorities,” Shuart said. “CISA 2015 is an important existing authority for the action plan to be successful.”

Still, the future of the 2015 law is uncertain.

‘There’s a lot of people kind of searching around for how to do this. I really couldn’t say I know that there’s a consensus,” said Larry Clinton, president of the Internet Security Alliance. “I know that there are people working in multiple different committees — Homeland Security, Armed Services, Appropriations, Intel — who are trying to figure out how to do this. And that’s a good thing, because we want all that support. It’s also a troubling thing because we wind up with too many cooks in the kitchen, and it’s harder to get things done without a consensus on the specifics of what needs to be done, given the tight timeline.”

The post Here’s what could happen if CISA 2015 expires next month appeared first on CyberScoop.

Sean Cairncross took his post this week as national cyber director at what many agree is a “pivotal” time for the office, giving him a chance to shape its future role in the bureaucracy, tackle difficult policy issues, shore up industry relations and take on key threats.

The former White House official, Republican National Committee leader and head of a federal foreign aid agency became just the third Senate-confirmed national cyber director at an office (ONCD) that’s only four years old. He’s the first person President Donald Trump has assigned to the position after the legislation establishing it became law at the end of his first term.

Two people — House Homeland Security Chairman Andrew Garbarino, R-N.Y., and Adam Meyers, senior vice president of counter adversary operations at CrowdStrike — specifically used the word “pivotal” to describe this moment for Cairncross and his office, while others said as much in other ways.

“It’s a new organization, and with any new organization, you’ve got to build up the muscle memory of how ONCD fits into the interagency process and what it means to set a unified national cybersecurity agenda, the language the director was using in his nomination hearing,” Nicholas Leiserson, a former assistant national cyber director under President Joe Biden who worked on the legislation to create the office as a Hill staffer, told CyberScoop. “We need to make sure that ONCD is the center of the policymaking apparatus. … That is going to be critical to his success.”

Brian Harrell, a former infrastructure protection official at the Deparment of Homeland Security and the Cybersecurity and Infrastructure Security Agency in Trump’s first term, said that with personnel reductions at CISA and change elsewhere, Cairncross has a big opportunity.

“ONCD must be seen as the air traffic controller on all things cyber moving forward,” he said via email. “Given the agency rebuild happening at CISA, and new leadership at FBI and NSA cyber, now is the time to build influence and patch struggling relationships. Add to this, a private sector that is unsure where to turn to during a crisis … Sean must be seen as a convener and facilitator to get the President the right information to make key decisions.”

On the policy front, Leiserson, now senior vice president for policy at the Institute for Security and Technology, said Cairncross has a great opportunity to work through the thicket of federal cybersecurity regulations and disentangle them in a harmonization effort that began under Biden and has bipartisan support. Some seasoned staffers who worked on the issue then remain in the federal government, Leiserson said.

Garbarino also brought up harmonization in a written statement as an issue he wants to see Cairncross address, along with leading the charge renewing the 2015 threat data sharing law known as the Cybersecurity Information Sharing Act, set to expire next month. Jason Oxman, president of the Information Technology Industry Council, said in a press release congratulating Cairncross that renewal of that law was “essential to help ONCD achieve its cybersecurity mission.”

USTelecom President and CEO Jonathan Spalter said enhancing the government’s relationship with the private sector, a subject Cairncross brought up in his confirmation hearing, was also vital. Dave DeWalt, CEO of NightDragon, a venture capital and advisory firm, said of Cairncross in a statement to CyberScoop: “I know that under his leadership, public-private partnership will continue to strengthen and secure our future.”

Those policy challenges, as well as the challenges of strengthening the national cyber director’s standing within the federal government and fortifying the public-private partnership, go hand-in-hand with the threats Cairncross will have to confront.

“The mission of the Office of the National Cyber Director has never been more critical: advancing a unified, strategic, and forward-leaning approach to the cyber threats facing our increasingly digital society,” Frank Cilluffo, director of the McCrary Institute for Cyber and Critical Infrastructure Security at Auburn University and a former member of the Cyberspace Solarium Commission that recommended that Congress create the office, said in a written statement.

Leiserson said threats like the Chinese hackers known as Salt Typhoon penetrating telecommunications networks surely would be at the forefront of Cairncross’s concerns — a threat Cairncross brought up at his confirmation hearing. Harrell mentioned the looming possibility of a Chinese attack on Taiwan.

Oxman raised the threats to U.S. critical infrastructure and the supply chain. CrowdStrike’s Meyers, in a statement to CyberScoop, said the pivotal moment of Cairncross’s confirmation comes as “threat actors weaponize AI and the threat landscape continues to evolve at machine speed.”

Cairncross comes into the job with far less cybersecurity experience than many who have held federal cyber leadership posts. And he comes in with other potential disadvantages, too. At his nomination hearing, Sen. Elissa Slotkin, D-Mich., pointed to deep budget cuts at CISA, telling Cairncross that “you will oversee the single biggest cut in federal cybersecurity dollars.”

But Leiserson said it was encouraging that Trump’s fiscal 2026 budget proposal would keep funding for the Office of the National Cyber Director pretty level.

There are other reasons to be optimistic about the view from federal leaders on the office, too, some pointed out. Cilluffo noted that the 59-35 vote for Cairncross in the Senate suggested some bipartisan support. Leiserson observed that Cairncross was one of the few nominees to escape the nominee backlog in the Senate before lawmakers went on recess.

As for his relative lack of cyber experience, Cairncross has talked about surrounding himself with the right people, Leiserson said.

“You want the unicorns who are incredibly politically astute and who have very deep cyber knowledge,” he said. “These people are hard to come by. We’ve had real cyber experts on the job. Now we’ve got someone who … is going to have an easy time navigating the West Wing. That is a skill set that is vital for running a White House organization, and shouldn’t be discounted.”

The post New National Cyber Director Cairncross faces challenges on policy, bureaucracy, threats appeared first on CyberScoop.

President Donald Trump’s pick to lead the Cybersecurity and Information Security Agency told senators Thursday that he would prioritize evicting China from the U.S. supply chain, and wouldn’t hesitate to ask for more money for the shrunken agency if he thought it needed it.

“If confirmed it will be a priority of mine to remove all Chinese intrusions, exploitations or infestation into the American supply chain,” Sean Plankey told Rick Scott, R-Fla., at his confirmation hearing before the Homeland Security and Governmental Affairs Committee. Scott had asked Plankey about reports of Chinese infiltration of U.S. energy infrastructure.

Should he be confirmed for the role, Plankey is set to arrive at an agency that has had its personnel and budget slashed significantly under Trump, a topic of concern for Democratic senators including the ranking member on the panel vetting him, Gary Peters of Michigan. Peters asked how he’d handle the smaller CISA he’s inherited while still having a range of legal obligations to fulfill.

“One of the ways I’ve found most effective when you come in to lead an organization is to allow the operators to operate,” Plankey said. “If that means we have to reorganize in some form or fashion, that’s what we’ll do, I’ll lead that charge. If that means we need a different level of funding than we currently have now, then I will approach [Department of Homeland Security Secretary Kristi Noem], ask for that funding, ask for that support.”

Under questioning from Sen. Richard Blumenthal, D-Conn., about whether he believed the 2020 election was rigged or stolen, Plankey, like other past Trump nominees, avoided answering “yes” or “no.” 

At first he said he hadn’t reviewed any cybersecurity around the 2020 election. He then said, “My opinion on the election as an American private citizen probably isn’t relevant, but the Electoral College did confirm President Joe Biden.” 

Blumenthal pressed him, saying his office was supposed to be above politics, and asked what Plankey would do if Trump came to him and falsely told him the 2026 or 2028 elections were rigged. 

“That’s like a doctor who’s diagnosing someone over the television because they saw them on the news,” Plankey answered.

Chairman Rand Paul, R-Ky., rebutted Blumenthal, saying “CISA has nothing to do with the elections.” But Sen. Josh Hawley, R-Mo., later asked Plankey about CISA’s “important” role in protecting election infrastructure, and asked how he would make the line “clear” between past CISA disinformation work that Republicans have called censorship and cybersecurity protections.

Plankey answered that Trump has issued guidance on the protection of election security infrastructure like electronic voting machines, and it’s DHS’s job “to ensure that it is assessed prior to an election to make sure there are no adversarial actions or vulnerabilities in it,” something he’d focus on if Noem tasked CISA with the job.

Plankey said he would not engage in censorship — something his predecessors staunchly denied doing — because “cybersecurity is a big enough problem.” His focus would be on defending federal networks and critical infrastructure, he said. To improve federal cybersecurity, he said he favored “wholesale” revamps of federal IT rather than smaller fixes.

The Center for Democracy and Technology said after Plankey’s hearing it was concerned about how CISA would approach election security.

“CISA has refused to say what its plans are for the next election, and election officials across the country are flying blind,” said Tim Harper, senior policy analyst on elections and democracy for the group. “If CISA is abandoning them, election officials deserve to know so they can make plans to protect their cyber and physical infrastructure from nation-state hackers. Keeping them in the dark only helps bad actors.”

Plankey indicated support for the expiring State and Local Cybersecurity Grant Program, as well as the expiring 2015 Cybersecurity and Information Sharing Act, both of which are due to sunset in September.

Paul told reporters after the hearing that he planned to have a markup of a renewal of the 2015 information sharing law before the September deadline, with language added to explicitly prohibit the Cybersecurity and Infrastructure Security Agency from any censorship.

Plankey’s nomination next moves to a committee vote, following an 11-1 vote last month to advance the nomination of Sean Cairncross to become national cyber director. Plankey’s nomination would have another hurdle to overcome before a Senate floor vote, as Sen. Ron Wyden, D-Ore., has placed a hold on the Plankey pick in a bid to force the administration to release an unclassified report on U.S. phone network security.

“The Trump administration might not have been paying attention, so I’ll say it again: I will not lift my hold on Mr. Plankey’s nomination until this report is public. It’s ridiculous that CISA seems more concerned with covering up phone companies’ negligent cybersecurity than it is with protecting Americans from Chinese hackers,” Wyden said in a statement to CyberScoop. “Trump’s administration won’t act to shore up our dangerously insecure telecom system, it hasn’t gotten to the bottom of the Salt Typhoon hack, and it won’t even let Americans see an unclassified report on why it’s so important to put mandatory security rules in place for phone companies.”

The post Plankey vows to boot China from U.S. supply chain, advocate for CISA budget appeared first on CyberScoop.