Two cybersecurity-focused members of Congress agreed Thursday that reductions to the Cybersecurity and Infrastructure Security Agency have done too much damage to an agency essential to defending civilian networks against foreign adversaries.

Rep. Don Bacon, R-Neb., and Rep. James Walkinshaw, D-Va., spoke during a panel at the National Cyber Innovation Forum. Despite representing different parties, and serving on different congressional committees, the two lawmakers offered closely aligned assessments of CISA’s role and the consequences of recent cuts.

Bacon, who is the chairman of the House Armed Services Subcommittee on Cyber, Information Technologies, and Innovation, framed the agency as central to protecting domestic networks. 

“What we really need is a strong CISA that helps protect our domestic networks, our energy grids and things like that,” he said, before adding that “unfortunately” the administration had moved in the opposite direction over the past year. 

He said officials had not appreciated the agency’s defensive value, telling the audience he did not think they recognized the “one-for-one output” CISA provides.

Walkinshaw, who is a member of the House Homeland Security Committee, echoed that view and tied it directly to the threat picture. 

Referring to Chinese-linked intrusion campaigns like Salt Typhoon, he said the United States is contending with adversaries “getting into critical infrastructure overseas and coming after big parts of our critical infrastructure industry here at home.” He said CISA’s information-sharing function and its relationships with utilities and local governments are part of what makes a centralized civilian defense workable.

Both lawmakers placed their concern in the context of a threat environment they described as escalating. Bacon ranked China as the leading cyber adversary to the United States, surpassing Russia, and said intrusions lay groundwork for further actions. “They’re in our energy grid,” he said. “On Day 1 of the war, they want to turn off our energy.” 

The case for a well-resourced CISA, the two lawmakers said, rests on the fact that most of the entities targeted by foreign actors cannot defend themselves on their own. Walkinshaw drew on his work during his time as a county supervisor in Fairfax County, Va., where he worked with Fairfax Water. He said that even as that utility was “one of the most sophisticated, well-funded water authorities in the country,” it struggled to keep pace with the volume and sophistication of attacks. Smaller utilities, towns and businesses, he said, have no realistic path to defending themselves against a nation-state.

Bacon agreed. He said small companies are “the heart of American innovation” but cannot be expected to stand up to adversaries operating with the resources of China, Russia, Iran or North Korea without federal support.

President Donald Trump’s fiscal 2027 budget would cut CISA by $707 million, according to a summary released last month, though a separate budget document points to a smaller reduction of $361 million. Either figure would leave the agency with slightly more than $2 billion in discretionary funding, down from the roughly $3 billion it had at the start of the administration.

It has been a turbulent time for CISA during the second Trump administration, in which the agency lost roughly a third of its personnel, shuttered entire divisions and operated without a Senate-confirmed director. Former officials, industry partners and lawmakers from both parties have described diminished coordination with state and local governments, weakened relationships with the private sector and growing concern about whether the agency retains the capacity to manage a major cyber crisis. 

In the model both lawmakers endorsed, they pushed for CISA to play more of a role after an intrusion, helping affected entities restore their networks while the FBI works to identify the source. Walkinshaw said advanced artificial intelligence expands the attack surface and makes that kind of centralized support more important.

 “The advanced AI technology means that more and smaller, maybe not as well-funded organizations across the globe, can launch sophisticated attacks,” he said, adding that the result is that “the defense” becomes “more complex.”

Looking ahead, Walkinshaw said restoring CISA’s capacity should be within reach of a divided Congress. 

“In terms of bipartisan areas of agreement here in Congress, restoring and expanding those capabilities and those partnerships right now should be a top priority,” he said.

The post Lawmakers from both parties say CISA cuts have gone too far appeared first on CyberScoop.

Salt Typhoon has hit an energy entity in Azerbaijan. Twill Typhoon has targeted Asian entities with an updated RAT.

The post Chinese APTs Expand Targets, Update Backdoors in Recent Campaigns appeared first on SecurityWeek.

The Cybersecurity and Infrastructure Security Agency is urging critical infrastructure owners and operators to plan for delivering essential services under emergency conditions – potentially for months at a time.

The federal government’s top cybersecurity agency warned that state-sponsored hackers, particularly two Chinese groups known as Salt Typhoon and Volt Typhoon, continue to threaten critical sectors like electricity, water, and internet. 

The agency is now working with the private sector to protect operational technology – the systems that control the heavy machinery and equipment that powers most critical infrastructure – from attacks that enter through business IT systems or third-party vendor products.

The initiative  — known as CI Fortify – will include CISA conducting targeted technical assessments of critical infrastructure entities and aims to create plans that “allow for safe operations for weeks to months while isolated” from IT networks and third-party tools, according to the agency’s website.

Nick Andersen, CISA’s acting director, told reporters that the goal is “service delivery [that] can still reach critical infrastructure after the asset owner has disconnected with IT and OT, disconnected from third party vendors and service provider connections and disconnected from third party telecommunications equipment.”

Over the past two years, wars in Ukraine, Gaza, Iran and elsewhere have seen water plants, power substations, data centers and other critical infrastructure targeted by kinetic or cyberattacks.

Andersen said the agency has already begun engaging with some companies to pilot the assessments and expects that work to ramp up considerably as CISA hires additional staff in the coming months.

He declined to name the entities involved in the pilot program, but said they will focus on organizations that support national security, defense, public health and safety and economic continuity. He added that CISA’s assessments will vary from sector to sector depending on their unique needs.

“Water isn’t necessarily designed to prioritize specific customer needs outside of recovery periods, while energy and transportation have more immediate tradeoffs for selecting one load or one set of cargo over another,” Andersen said as an example.

One pillar of CISA’s strategy is isolation: essentially turning off all third-party and business network connections to an OT network when facing an emergency or unknown vulnerability.

Organizations also need to develop an internal plan for what acceptable service levels look like under those conditions and reach understandings with their critical customers, like U.S. military installations and lifeline services.

The second pillar, recovery, involves best practices for organizations: backing up files, documenting systems and having manual backups for operations when normal computer systems are down.

In conversations with cybersecurity specialists who focus on critical infrastructure and operational technology, it is widely assumed that China is not the only nation to have broadly compromised Americans critical infrastructure. That hacking groups tied to other nations have almost surely noticed and exploited the same basic vulnerabilities and hygiene issues found by the Typhoons.

Agencies like the FBI and Federal Communications Commission have touted efforts to purge Chinese hackers and work voluntarily with telecoms to harden their network security. But U.S. national security officials and cybersecurity defenders have consistently said both Salt Typhoon and Volt Typhoon remain active threats to U.S. critical infrastructure.

The post CISA wants critical infrastructure to operate ‘weeks to months’ in isolation during conflict appeared first on CyberScoop.

The U.S. government shouldn’t rigidly stick to traditional designations about which agency takes the lead on engaging with critical infrastructure sectors, the acting director of the Cybersecurity and Infrastructure Security Agency said Tuesday.

Sector risk management agency designations have long governed which agency is at the forefront of government efforts to protect each of the 16 critical infrastructure sectors, with CISA responsible for eight of them.

“When we look at our sector risk management agency construct, that’s important for a lot of reasons, It’s less important to abide by that strictly and say ‘CISA is the Sector Risk Management Agency for telecommunications,’” CISA’s Nick Andersen said at an event hosted by Auburn University’s McCrary Institute.

Rather, when responding to cyber incidents or undertaking other engagements with the private sector, the question should be who has the best relationship with a certain sector.

“We may have some owner-operators within a certain critical infrastructure sector that maybe the person they’re best positioned to receive resources from is us, or maybe it’s [Department of] Energy, or maybe it’s EPA, or maybe it’s FBI or NSA, or so forth and so on,” he said. “We just have to be comfortable with taking off those blinders and saying, ‘I don’t necessarily need to be in charge all the time no matter who I am. I just need to make sure that this owner-operator has the best partner teed up to lead that engagement.’”

The goal is to avoid another “Guam situation,” where “everybody was racing to Guam the last couple of years like kids chasing a soccer ball,” Andersen said. Guam was the site of critical infrastructure attacks on U.S. military bases that Microsoft pinned on the Chinese hacking group Volt Typhoon in 2023.

An attack on the telecommunications sector from another “Typhoon” group, Salt Typhoon, prompted questions about whether CISA’s hands are too full with all of its sector risk management agency responsibilities. House Homeland Security Chairman Andrew Garbarino, R-N.Y., raised concerns last year about how CISA handled its sector risk management agency role for the telecommunications sector after the Salt Typhoon campaign was uncovered.

The post CISA official advises agencies not to get too hung up on who takes lead in critical infrastructure sectors appeared first on CyberScoop.

Two years ago, it was revealed that Chinese hackers had compromised at least ten U.S. telecoms, giving them broad access to phone data affecting nearly all Americans. Since then, public officials charged with responding to the campaign and bolstering the nation’s cyber defenses have reported a common problem.

Many of their constituents struggle to understand why the hacks – carried out by a group called Salt Typhoon – should rank among their top concerns, or how it impacts their day to day lives.

Some state and federal officials worry that this lack of interest is depriving policymakers the public pressure needed to build momentum for stronger action to improve the nation’s telecommunications cybersecurity.

Mike Geraghty, the CISO and director of the New Jersey Cybersecurity and Communications Cell, said New Jersey is the nation’s most densely populated state, with a high concentration of critical infrastructure and a major telecommunications footprint. For that reason, a campaign like Salt Typhoon should, in theory, be of strong interest to Garden State residents.

“However, if you talk to a person on the street in New Jersey, they’’ll say who cares that the Chinese are looking at – you know – what numbers I call?” he said Wednesday at the Billington State and Local Cybersecurity Summit. “It has a big role to play in my job, but trying to get people to understand what that means for New Jersey is really difficult.”

Congress hasn’t passed comprehensive privacy legislation in decades. Meanwhile, cyberattacks that expose sensitive data are widespread, and U.S. companies routinely collect and sell customers’ personal information. Some officials speculate that, taken together, these trends have left Americans numb to data theft and data-for-profit–so additional breaches feel like just another drop in the bucket.

Mischa Beckett, deputy chief information security officer and director of cyber threat intelligence at GDIT, said Salt Typhoon’s focus on telecom data can feel like an abstract threat to many Americans. By contrast, other Chinese hacking campaigns like Volt Typhoon suggest potential damage to water plants and electric grids that are easier to grasp.

“It’s maybe a little bit easier to write off a loss of data..and move on, as unfortunate but no big deal,” said Beckett. “I think that case is much harder to make when we’re talking about pre-positioning and critical infrastructure, things that touch all of our lives every day.”

Last year, a former intelligence official at the Office of the Director of National Intelligence told CyberScoop that a lack of outrage from the public following the Salt Typhoon attacks was dampening momentum for broader regulation or reforms to telecom cybersecurity.

“We can’t accept this level of espionage on our networks,” said Laura Galante who led the Cyber Threat Intelligence Integration Center under the Biden administration. “If you had 50 Chinese [Ministry of State Security] spies or contractors sitting inside a major [telecom company’s] building, they would be walked out and it would be a full-scale effort. That’s in broad strokes what has happened, but the access was digital.”

The post Officials worry Salt Typhoon apathy is killing momentum for tougher telecom security rules appeared first on CyberScoop.