Watchdog: Cyber threat information-sharing program’s future uncertain with expected expiration of 2015 law

The Cybersecurity and Infrastructure Security Agency doesn’t have any plans in place for continuing a threat information-sharing program should a 2015 law that laid the groundwork for its creation expire Wednesday, according to a new watchdog report.

The inspector general report points to yet more potential complications for threat data exchanges between industry and the government should the 2015 Cybersecurity Information Sharing Act, known as CISA 2015, lapse. Already, private-sector groups and cyber professionals have been sounding alarms about what would happen if the law’s legal safeguards disappear — something that’s now almost certain to happen after Tuesday’s expiration deadline is set to transpire without action from Congress.

The IG report takes a look at the Automated Indicator Sharing (AIS) program that the Department of Homeland Security established in the year after passage of CISA 2015. The voluntary program was designed to allow the exchange of machine-readable cyber threat indicators (CTIs), like malicious IP addresses, and defensive measures (DMs), defined as activity that protects information systems against cyber threats.

According to the IG, CISA (the agency) has not finalized plans for continued use of the program in the event of the expiration of the 2015 law.

“Without finalizing this plan, CISA could be hindered in how it shares information on cyber threats, which would reduce its ability to protect the Nation’s critical infrastructure from cyber threats,” the report, dated Sept. 26, states.

While creation of the AIS program was one of the most direct outcomes of the passage of CISA 2015, many industry groups do not consider it the most important impact of the law, instead focusing on the legal protections it provides. Still, the IG report details how much activity the AIS program is involved in: 10 million cyber threat indicators shared in 2024.

That figure also points to weaknesses within the program, however, according to the IG. The 10 million indicators is a big jump from the prior calendar year, when the number was 1 million.

“Although the number of CTIs and DMs increased in 2024, CISA continues to rely on a small number of partners to share information,” the report states. “CISA officials attributed recent increases in shared CTIs and DMs to a private-sector partner’s significant contribution. In 2024, this private-sector partner added more than 4 million CTIs and DMs to each of the Federal and public collections — accounting for 89 percent of the public collection and 83 percent of the Federal collection.”

The report doesn’t identify that private-sector partner. An earlier report attributed a steep drop in the sharing of cyber threat indicators to an unnamed federal partner withdrawing from the program.

“CISA’s overreliance on information shared by specific participants may lead to inconsistent results and prevent long-term program growth if top contributing partners stop participating,” the report reads.

There were only 18 federal participants in 2024 in all, and 87 non-federal participants. That’s an increase from last year in both cases, but a fall from the 2020 peak of 304 total participants. Some of those participants, though, are industry-specific information sharing and analysis centers that might include hundreds of organizations.

CISA’s response to the IG’s findings left the program’s future uncertain should the 2015 law expire, according to the report.

“Program officials stated that although CISA continues to be committed to sharing CTIs and DMs in an automated, unclassified machine-readable format such as AIS, the decision on whether to maintain the capability will be based on available resources and leadership’s priorities,” the report states. “CISA officials said if the Act were to expire, they would analyze the value of AIS, including the average operational cost of $1 million per month and a likely reduction in CTI and DM volume, to determine whether resources could be redirected from other agency priorities to support AIS.”

CISA referred requests for comment to the agency’s response contained within the report.

“It is important for readers of this report to understand that automated threat intelligence and information sharing with our global partners and stakeholders remains a priority for CISA, and that there are no immediate or near-term plans to discontinue the Automated Information Sharing [sic] service, regardless of the status of the Cybersecurity Act of 2015,” reads the response from Madhu Gottumukkala, the acting director of CISA. “Subject to available appropriations, CISA remains authorized to operate Automated Information Sharing irrespective of the possible sunset of the Cybersecurity Information Sharing Act of 2015 on September 30, 2025, and CISA will continue to modernize and evolve Automated Information Sharing to meet the needs of its partners and stakeholders.”

The post Watchdog: Cyber threat information-sharing program’s future uncertain with expected expiration of 2015 law appeared first on CyberScoop.

CISA guide seeks a unified approach to software ‘ingredients lists’

Compiling an “ingredients list” for software can help organizations reduce cyber risks, avoid fines and save time, among other benefits, a Cybersecurity and Infrastructure Security Agency-led guide published Wednesday advises.

The CISA document, produced with the National Security Agency and cyber agencies from 14 other countries, aims to produce a shared vision on advancing the concept known as software bill of materials, or SBOM. It’s a nearly universally praised idea whose implementation has been playing catch-up with the embrace of its theoretical value.

In the guide, the agencies tout SBOMs as a way to adopt secure-by-design principles, where software makers implement security as part of the design process rather than as something to be tacked on afterward.

“The ever-evolving cyber threats facing government and industry underscore the critical importance of securing software supply chain and its components,” Madhu Gottumukkala, acting director of CISA, said in a news release accompanying the guide’s publication. “Widespread adoption of SBOM is an indispensable milestone in advancing secure-by-design software, fortifying resilience, and measurably reducing risk and cost.

“This guide exemplifies and underscores the power of international collaboration to deliver tangible outcomes that strengthen security and build trust,” he said. “Together, we are driving efforts to advance software supply chain security and drive unparalleled transparency, fundamentally improving decision-making in software creation and utilization.”

Publication of the guide follows closely on CISA’s updated federal agency guidelines for SBOMs, a set of rules that got mixed reviews when it came out last month.

Wednesday’s guide aims toward a unified approach to implementing SBOMs.

“Divergent implementations could hinder widespread adoption and sustainable implementation of SBOM. An aligned and coordinated approach to SBOM will improve effectiveness while reducing costs and complexities,” the guide reads. “When used widely across sectors, regions, and countries, supply chain illumination drives better ‘ingredients’ for everyone to use and helps ensure that known risks are addressed early. SBOM adoption is an integral condition for software to be secure by design.”

According to the guide, SBOMs help with vulnerability management by letting organizations better track vulnerabilities when they arise, making it faster and more efficient to fix flaws. They help organizations comply with industry-specific policies or government regulations and make decisions about their software purchases on that basis, thereby pushing vendors to give greater attention to cyber risk. They can also help organizations manage software licenses; violations of open-source licenses can trigger fines or reputational damage.

The guide advertises SBOMs as something for software makers, buyers and operators to adopt, as well as government cybersecurity agencies.

Australia, Canada, the Czech Republic, France, Germany, India, Italy, Japan, the Netherlands, New Zealand, Poland, Singapore and South Korea were the other countries involved in producing the guide.

The post CISA guide seeks a unified approach to software ‘ingredients lists’ appeared first on CyberScoop.

CISA taps Nicholas Andersen for executive assistant director of cybersecurity

Nicholas Andersen is taking over a top leadership role at the Cybersecurity and Infrastructure Security Agency, CISA announced Tuesday.

He will become executive assistant director of cybersecurity at the agency in a role that’s seen swift turnover in the past year. It’s a position that has, in the past, led CISA efforts on protecting federal civilian agency networks and protecting critical infrastructure against cyber threats.

Andersen is a veteran of the first Trump administration, where from 2019 to 2021 he served in the Department of Energy’s Cybersecurity, Energy Security and Emergency Response division, both as the principal deputy assistant secretary and performing the duties of assistant secretary.

Andersen most recently worked as president and chief operating officer at Invictus International Consulting, a firm that bills itself as “a full-spectrum cyber company that fuses data science and intelligence to deliver advanced technological and analytical solutions required for our national defense.”

He fills a role previously announced for Karen Evans early in Trump’s second term, before she departed shortly afterward for a nomination as undersecretary for management at the Department of Homeland Security and then shifted over to the Federal Emergency Management Agency. Chris Butera has been serving in the role as acting executive assistant director since, and will now assume the role of acting deputy executive assistant director.

Eric Goldstein was previously in Andersen’s role for nearly four years under President Joe Biden before leaving in the summer of 2024. Jeff Greene replaced him until Trump took office.

“I am honored to have the opportunity to join CISA and the trust placed in me by President Donald Trump and Secretary Kristi Noem,” Andersen said in a news release. “Having led organizations in both the public and private sectors, I deeply appreciate the vital role a robust cyber defense agency plays in securing our nation’s critical infrastructure. My career has been dedicated to defending America, and I look forward to continuing that mission at CISA.”

Acting CISA Director Madhu Gottumukkala said Andersen’s “broad experience across business, government, and technology uniquely positions him to strengthen our engagement with critical infrastructure partners, helping them better assess risk and elevate their security posture. I look forward to working with him as we advance our mission and safeguard the resilience of our nation during this pivotal time.”

Andersen’s first day was Tuesday.

The post CISA taps Nicholas Andersen for executive assistant director of cybersecurity appeared first on CyberScoop.

Salt Typhoon hacking campaign goes beyond previously disclosed targets, world cyber agencies say

A notorious Chinese hacking campaign against telecommunications companies has now reached into a variety of additional sectors across the globe, including government, transportation, lodging and military targets, according to an alert U.S. and world cybersecurity agencies published Wednesday.

The alert is an effort to give technical details to potential victims of the campaign from the People’s Republic of China-backed group commonly known as Salt Typhoon, the alleged culprit behind what has been called the most serious telecom breach in U.S. history. Those intrusions, which may have begun years ago, first came to light last fall, accompanied by revelations that the hackers targeted U.S. presidential candidates.

“By exposing the tactics used by PRC state-sponsored actors and providing actionable guidance, we are helping organizations strengthen their defenses and protect the systems that underpin our national and economic security,” Madhu Gottumukkala, acting director of the Cybersecurity and Infrastructure Security Agency, said in a news release.

In comments to The Wall Street Journal and Washington Post on Wednesday, the FBI said the scope of the Salt Typhoon campaign includes hitting more than 80 countries and 200 American organizations, beyond the previous nine identified telecom company victims.

The alert also names Chinese companies identified as being part of the campaign. Its recommendations include patching known vulnerabilities that have been actively exploited and securing “edge” devices that the hackers have used to get into networks, such as routers.

Government agencies participating in the alert hailed from Australia, Canada, Czech Republic, Finland, Germany, Italy, the Netherlands, New Zealand, Poland, Spain and the United Kingdom. U.S. agencies besides the FBI and CISA that collaborated on it included the National Security Agency and the Department of Defense’s Cyber Crime Center.

“The advisory outlines how Chinese state-sponsored actors are exploiting vulnerabilities in routers used by telecommunications providers and other infrastructure operators,” according to the news release. “These actors often take steps to evade detection and maintain persistent access, particularly across telecommunications, transportation, lodging, and military networks.”

Telecommunications networks are a valuable target for hackers because they can serve as a hub into other communications. But targeting the other sectors mentioned in the alert can round out the intel profile for the attackers, said John Hultquist, chief analyst at Google Threat Intelligence Group.

“In addition to targeting telecommunications, reported targeting of hospitality and transportation by this actor could be used to closely surveil individuals,” he said in a written statement. “Information from these sectors can be used to develop a full picture of who someone is talking to, where they are, and where they are going.”

The post Salt Typhoon hacking campaign goes beyond previously disclosed targets, world cyber agencies say appeared first on CyberScoop.
