A top Senate Democrat introduced legislation Thursday to extend and rename an expired information-sharing law, and make it retroactive to cover the lapse that began Oct. 1.

Michigan Sen. Gary Peters, the ranking member of the Homeland Security and Governmental Affairs Committee, introduced the Protecting America from Cyber Threats (PACT) Act, to replace the expired Cybersecurity and Information Sharing Act of 2015 (CISA 2015) that has provided liability protections for organizations that share cyber threat data with each other and the federal government. Industry groups and cyber professionals have called those protections vital, sometimes describing the 2015 law as the most successful cyber legislation ever passed.

The 2015 law shares an acronym with the Cybersecurity and Infrastructure Security Agency, which some Republicans — including the chairman of Peters’ panel, Rand Paul of Kentucky — have accused of engaging in social media censorship. As CISA 2015 has lapsed and Peters has tried to renew it, “some people think that’s a reauthorization of the agency,” Peters told reporters Thursday in explaining the new bill name.

“There are some of my Republican colleagues who have concerns about CISA as the agency, and I remind them, this is not about the agency,” he said. “It’s about … cybersecurity protections and the ability to have liability protections and to be able to share information. I’ve often heard the chair conflate the two, and I have to continually remind him.”

A House bill also would establish a different name.

Paul has objected to Peters’ attempts on the floor to extend CISA 2015. A shorter-term extension of the law was included in the House-passed continuing resolution to keep the government open, but that bill didn’t advance in the Senate, prompting a shutdown.

Peters’ latest bill, like earlier legislation he co-sponsored with Sen. Mike Rounds, R-S.D., would extend CISA 2015 for 10 years. He rejected the idea of trying to get a shorter-term extension until a longer-term extension could be passed.

“One thing that is very clear from all of the stakeholders is that they need long-term certainty when it comes to these protections, that you can’t operate with just a few-week-patch and then another few-week–patch,” Peters said. “That’s no way to run a business. That’s no way to run a sophisticated cybersecurity operation.”

Michael Daniel, leader of the Cyber Threat Alliance made up of cybersecurity companies, told CyberScoop that his organization hasn’t been affected by the lapse yet, but that’s partially because it’s an organization that was set up with the long term in mind, with a formalized structure that included information-sharing requirements  for members.

The lapse might also not immediately affect other organizations, he said, comparing it to the risks of the government shutdown underway.

“An hour-long lapse doesn’t really do very much, but the longer it goes on, the more you have time for organizations to say, ‘Well, maybe we need to reconsider what we’re doing, maybe we need to think about it differently,’” Daniel said. “The longer it goes on, you start having questions about, ‘Maybe this thing won’t get reauthorized down the road.’ And once you start questioning the long-term prospects, that’s when people start making changes in their behavior.”

Peters said he’s heard from organizations becoming increasingly nervous about the expiration, but didn’t want to comment on whether any had stopped sharing because that’s “sensitive information, important information, and our adversaries should know as little about what’s happening as possible.”

Peters said he wouldn’t comment on his deliberations with Paul, or comment on Paul’s motives for objecting to his floor maneuvers. Paul cancelled a planned markup of his own version of CISA 2015 renewal legislation in September that included language on free-speech guarantees under CISA the agency, with a spokesperson saying Democrats had requested more time and were “not negotiating in good faith.”

Peters told reporters that claim was “absolutely false … the problem is not on our end.”

The revised Peters legislation doesn’t touch on the topic of free speech. Democrats and Republicans have blamed one another for the government shutdown.

“Firstly, this authority will be turned back on when Democrats, including the bill sponsor, vote to reopen the government,” said Gabrielle Lipsky, a spokesperson for Paul. “The Senator has made it clear that a longer-term reauthorization will need robust free speech protections included.”

Peters said he had spoken to Senate Majority Leader John Thune, R-S.D., about getting the bill through Senate procedures. He and Rounds have both been speaking with colleagues to gain backing. The Trump administration also has been lobbying senators to support a CISA 2015 reauthorization.

“I’m confident that if this bill gets to the floor for a vote, it will not only pass, it will pass overwhelmingly,” he said. “And that’s what we’re working to do.”

The post Sen. Peters tries another approach to extend expired cyber threat information-sharing law appeared first on CyberScoop.

Department of Government Efficiency practices at three federal agencies “violate statutory requirements, creating unprecedented privacy and cybersecurity risks,” according to a report that Senate Homeland Security and Governmental Affairs Committee Democrats published Thursday.

The report — drawn from a mix of media reports, legal filings, whistleblower disclosures to the committee and staff visits to the agencies — concludes that the Elon Musk-created DOGE is “operating outside federal law, with unchecked access to Americans’ personal data.” It focuses on DOGE activity at the General Services Administration (GSA), Office of Personnel Management (OPM) and Social Security Administration (SSA).

One previously unreported whistleblower claim is that at the SSA, a June internal risk assessment found that the chance of a data breach with “catastrophic adverse effect” stood between 35% and 65% after DOGE uploaded a computer database file known as Numident, containing personal sensitive information without additional protections against unauthorized access. The potential implications included “widespread PII [personally identifiable information] disclosure or loss of data” and “catastrophic damage to or loss of agency facilities and infrastructure with fatalities to individuals,” according to the assessment.

“DOGE isn’t making government more efficient — it’s putting Americans’ sensitive information in the hands of completely unqualified and untrustworthy individuals,” Michigan Sen. Gary Peters, the top Democrat on the committee, said in a news release. “They are bypassing cybersecurity protections, evading oversight, and putting Americans’ personal data at risk. We cannot allow this shadow operation to continue operating unchecked while millions of people face the threat of identity theft, economic disruption, and permanent harm. The Trump Administration and agency leadership must immediately put a stop to these reckless actions that risk causing unprecedented chaos in Americans’ daily lives.”

The report recommends stripping all DOGE access to sensitive personal information until agencies certify that the initiative is in compliance with federal security and privacy laws such as the Federal Information Security Management Act, and recommends that DOGE employees complete the same kind of cybersecurity training as other federal employees.

It describes the three agencies blocking access to specific offices or otherwise obstructing access. For example, it says that DOGE installed a Starlink network at GSA, but wouldn’t let staff view it. Starlink is the Musk-owned satellite internet service, and the report concludes that Starlink might have allowed DOGE staffers to circumvent agency IT oversight. Data sent over the network “could be an easy target for foreign adversaries,” the report states.

The report also expands upon an alleged attempt at SSA to create a “master database” that would pool data from multiple federal agencies. According to whistleblower disclosures, former SSA DOGE employee John Koval inquired about uploading agency data into a cloud environment to share with the Department of Homeland Security. He was “rebuffed,” the report states, but later worked at DHS and the Justice Department, where SSA data surfaced in some projects, raising further privacy concerns. 

It revisits concerns about DOGE staffer Edward “Big Balls” Coristine having access to sensitive agency data despite reports that he had been fired from an internship at a cybersecurity company for leaking company information to a competitor, and arrives at further conclusions about the risk posed by the ability of Coristine and others “to move highly sensitive SSA data into an unmonitored cloud environment.”

“It is highly likely that foreign adversaries, such as Russia, China, and Iran, who regularly attempt cyber attacks on the U.S. government and critical infrastructure, are already aware of this new DOGE cloud environment,” the report states.

Two of the agencies that were the subject of the report took issue with its conclusions.

“OPM takes its responsibility to safeguard federal personnel records seriously,” said a spokeswoman for the office, McLaurine Pinover. “This report recycles unfounded claims about so-called ‘DOGE teams’ that simply have never existed at OPM. Federal employees at OPM conduct their work in line with longstanding law, security, and compliance requirements.

“Instead of rehashing baseless allegations, Senate Democrats should focus their efforts on the real challenges facing the federal workforce,” she continued. “OPM remains committed to transparency, accountability, and delivering for the American people.”

The SSA pointed to Commissioner Frank Bisignano’s letter to Congress responding to questions about Numident security concerns. 

“Based on the agency’s thorough review, the Numident data and database — stored in a longstanding secure environment used by SSA — have not been accessed, leaked, hacked, or shared in any unauthorized fashion,” a SSA spokesperson wrote, adding, “The location referred to in the whistleblower allegation is actually a secured server in the agency’s cloud infrastructure which historically has housed this data and is continuously monitored and overseen — SSA’s standard practice.”

The SSA spokesperson emphasized there are no DOGE employees at SSA, only agency employees. 

The GSA did not immediately respond to Scoop News Group requests for comment on the Democratic report.

Miranda Nazzaro contributed reporting to this story.

The post Dem report concludes Department of Government Efficiency violates cybersecurity, privacy rules appeared first on CyberScoop.

Pessimism is mounting about the chances that Congress will reauthorize a cyber threat information-sharing law before it’s set to expire at the end of this month — with no clear path for either a temporary or long-term extension.

Industry groups and the Trump administration have put a lot of muscle into renewing the 2015 Cybersecurity Information Sharing Act (CISA 2015), which they say is a vital tool in the fight against malicious hackers because of the legal protections it provides for organizations to share cyber threat data with each other and the government.

But in recent weeks, multiple efforts to re-up the law have failed or been brushed aside:

• The House inserted a two-month extension of CISA 2015 into a continuing resolution to avert a government shutdown, but after the House passed the bill, the Senate voted against the continuing resolution last week. Negotiations about continuing to fund the federal government past the end of this month appear to be at a standstill.
• The Senate Homeland Security and Governmental Affairs Committee had scheduled a markup of legislation last week introduced by Chairman Rand Paul, R-Ky., to extend the law with significant changes that drew bipartisan and industry criticism. The panel then abruptly canceled the markup.
• The top Democrat on Paul’s panel, Gary Peters of Michigan, tried to get an unaltered or “clean” 10-year reauthorization of the expiring law passed on the Senate floor with a unanimous consent motion, but Paul objected without explanation, preventing it from advancing.
• House Homeland Security Chairman Andrew Garbarino, R-N.Y., sought earlier this month to offer his legislation to extend and alter CISA 2015 as an amendment to the House version of the annual defense policy bill, or National Defense Authorization Act (NDAA), but the Rules Committee prohibited the amendment from receiving a vote. (A Senate intelligence policy bill had included a 10-year extension, but when senators folded the intelligence authorization bill into that chamber’s version of the NDAA, Paul objected and got it removed.)

All of that leaves an extension of CISA 2015 without a home, and with a key senator, Paul, likely to stand in the way of swift renewal anytime soon. Under the circumstances, “I bet it does” expire, one industry source said of CISA 2015. 

“I’d be pleasantly surprised if it is continued given Paul’s objection,” the source said.

And that could be a big problem for both lawmakers and private-sector organizations.

While it’s unclear exactly how even a temporary lapse in the law might affect cyber information sharing, some have offered dire predictions about how bad it will be. In the legal community, “if you’re giving people a reason not to do something, they won’t do it,” said another industry source. 

If there’s a big breach during a time when the law has expired, the political risks increase, because cyberattack victims are likely to blame the lapse for what happens, said the source, who has extensive cybersecurity policy experience.

Best hopes (until recently)

Advocates had long pinned their hopes that a temporary two-year CISA 2015 renewal would be included in the continuing resolution (CR), given the urgency to avoid a government shutdown and the fact that the law was sent to expire when the fiscal year ends gave Congress a perfect opportunity. The House GOP’s inclusion of that short-term extension language in the CR — and Democrats’ support for it in their own proposal — indicated widespread support for the idea. The CR passed 217-212.

Senate leaders have a tradition of honoring objections on policy matters from the heads of the committees with jurisdiction over those topics when they are up for consideration in other bills. But multiple observers told CyberScoop that they interpreted the inclusion of the CISA 2015 law extension in the House CR as a sign that Senate leaders were prepared to ignore objections from Paul in this case. 

Besides lawmakers and private-sector groups, the Trump administration has been pressing for renewal. Industry and Senate sources say that new National Cyber Director Sean Cairncross has been especially focused on selling lawmakers on the need for action on CISA 2015.

But temporary renewal is now a casualty of the broader fight over a government shutdown, with the Senate voting 44-48 against the CR.

Paul complications

Earlier this month, the House Homeland Security Committee approved Garbarino’s bill to renew CISA 2015 for 10 years by a vote of 25-0. While Democrats questioned whether the legislation should’ve included any changes to the law rather than a “clean” reauthorization, Garbarino’s changes themselves garnered no significant opposition.

That wasn’t the case for the version Paul sponsored and that was scheduled for vote in his committee last week, which would have provided a two-year reauthorization. Industry groups objected to the Paul legislation striking provisions of the 2015 law that provided protections related to cyber threat data sharing with the federal government against disclosure from Freedom of Information Act requests. They opposed a section that would get rid of the law’s section on federal preemption, under which the law supersedes state laws and regulations.

Democrats also raised concerns about several key definitions in the law, including those related to the rules for  how companies can use defensive measures. According to Senate aides who spoke with CyberScoop, these changes could leave small- and medium-sized businesses particularly vulnerable. Combined with the other industry objections, the aides said, Paul’s bill would have functionally ended private sector information sharing with the government.

Industry is wary of major changes to CISA 2015 in general.

“The fact is that over the last 10 years, it’s been an effective way for the private sector to share information, which is a key ingredient in improving cybersecurity, and we should just be very careful while making changes to something that is working pretty well,” said Henry Young, senior director of policy for Business Software Alliance.

A section of the legislation that Paul wrote on free speech protections also created questions.  Five Senate and industry sources told CyberScoop that Paul canceled the markup because Senate Republican panel members planned amendments that would have, with somewhat different approaches, stripped Paul’s changes in favor of a “clean” reauthorization. 

Spokespeople for senators that sources said were behind those amendments, Joni Ernst of Iowa and Bernie Moreno of Ohio, did not respond to requests for comment.

A spokesperson for Paul disputed what the sources told CyberScoop about the reason for the cancellation.

“The characterization of the cancellation of the markup is false,” said the spokesperson, Gabrielle Lipsky. “The Democrats, who are not negotiating in good faith, asked for more time.”

Peters said in a Senate floor speech Friday that it was “disappointing” that Paul canceled the markup, and that “we were blocked from even having a discussion about the policy or draft legislation.”

Constituents in Paul’s home state have lobbied him on the importance of a “clean” reauthorization of CISA 2015; Paul’s public remarks about extension of the law have largely focused on passing a bill that includes additional guarantees on free speech.

“We make this request respecting your determination to protect Americans’ privacy and freedom of speech from censorship and intimidation by federal government employees, and we share those concerns,” a number of Kentucky business groups wrote to Paul in a Sept. 17 letter advocating for a “clean” extension. “We would welcome the opportunity to work with you to increase privacy and censorship protections in other legislation.” 

Peters asked for unanimous consent Friday for the Senate to advance a 10-year reauthorization. Paul said only, “I object,” thus blocking the renewal effort from Peters.

“Congress must pass an extension of these cybersecurity protections and prevent a lapse that would completely undercut our cybersecurity defenses and expose critical sectors to preventable attacks,” Peters said in a statement to CyberScoop. “These liability protections ensure trusted, rapid information sharing between the private sector and government to quickly detect, prevent, and respond to cybersecurity threats. I’m continuing to work toward a bipartisan, bicameral deal that will renew these protections for the long-term, but we cannot afford to let these critical cybersecurity protections expire at the end of the month.”

Other avenues

A common hope among advocates was that after a short-term extension became law as part of the CR, a longer-term extension would be included in the NDAA, which often passes toward the end of each calendar year or the start of the next.

But hopes for that diminished after actions in both the House and Senate. In the Senate, the Intelligence Committee had included a 10-year renewal in its annual intelligence authorization bill. That legislation was then included in the Senate version of the NDAA, but sources on and off the Hill told CyberScoop that Paul objected to inclusion of the CISA 2015 extension, so it was removed.

And the Rules Committee decided on Sept. 9 that Garbarino’s CISA 2015 renewal amendment wasn’t germane, thus preventing him from offering it during debate on the House floor about the NDAA. One day later, the House passed its version of the NDAA, 231-196.

The next steps for CISA 2015 reauthorization are unclear. Paul’s office did not respond to a question about his future plans for renewing CISA 2015.

Options for a short-term renewal are limited for now to whatever congressional leaders do to try to revive or replace a CR, but the timeline for doing so before CISA 2015 expires is exceptionally tight. Options for a long-term renewal might include an amendments package for the Senate version of the NDAA, since the full Senate has yet to take up its bill.

CISA 2015 “must not lapse on September 30, 2025. Allowing it to expire will create a significantly more hostile security environment for the U.S.,” Matthew Eggers, vice president of cybersecurity policy in the cyber, intelligence, and security division at the U.S. Chamber of Commerce, told CyberScoop in a written statement. “The Chamber advocates for a multi-year reauthorization of this vital law. Short-term extensions are counterproductive. Both the private sector and the government need certainty, including the ability to allocate resources for long-term cybersecurity planning and implementation. House and Senate leaders and the Trump administration have expressed strong support for reauthorizing CISA 2015.”

The post Cyber threat information law hurtles toward expiration, with poor prospects for renewal appeared first on CyberScoop.

A House panel advanced legislation Wednesday that would reauthorize a major cyber threat information sharing law and a big-dollar state and local cyber grant program before they’re set to expire at the end of this month.

Trump administration officials and nominees, as well as cybersecurity organizations and experts, have voiced support for renewing them both as they near their respective lapses. Expiration of the information sharing law in particular has led industry groups and others to warn about dangerous ramifications about the collapse of cyber threat data exchanges.

At the House Homeland Security Committee markup, the panel also approved bills addressing pipeline cybersecurity and terrorists’ use of generative artificial intelligence.

The 2015 Cybersecurity and Information Sharing Act has provided legal protections to the private sector to share threat data with the federal government and between companies and organizations. The Widespread Information Management for the Welfare of Infrastructure and Government Act, which the panel approved 25-0, would reauthorize it for another 10 years, with updates.

“Reauthorizing this law and ensuring the relevance of this framework before it expires is essential for retaining our cyber resilience,” said Rep. Andrew Garbarino, N.Y., the chair of the committee and lead sponsor of the re-up legislation. The original legislation, he said, “changed the cybersecurity landscape forever, and for the better.”

The bill encourages the use of secure AI to improve technical capabilities, updates legal definitions to capture newer hacking tactics and seeks to preserve and strengthen existing privacy protections, he said.

The top Democrat on the committee, Bennie Thompson of Mississippi, said the committee should have approved a simpler reauthorization to give lawmakers and affected parties more time to take a look at the legislation’s changes to the 2015 law, but he supported moving the bill forward.

Garbarino said he had a good conversation Tuesday evening with his Senate counterpart, Homeland Security and Governmental Affairs Committee Chairman Rand Paul, R-Ky., about the path forward on the legislation.

Paul and other GOP lawmakers have said they want renewal of the 2015 law to include language prohibiting the Cybersecurity and Infrastructure Security Agency — which plays a large role in carrying out the law — from censoring speech, despite past responses from agency officials that they have not censored anyone. Garbarino’s bill doesn’t contain any provisions about that.

The panel voted 22-1 to approve the Protecting Information by Local Leaders for Agency Resilience Act, which would extend the State and Local Cybersecurity Grant Program for another 10 years. The program has doled out $1 billion.

“Many local governments have a long way to go to be prepared for cyberattacks from adversaries like the Chinese Communist Party,” said the bill’s sponsor, Rep. Andy Ogles, R-Tenn. He said that while “I usually want Washington to do less,” the federal government might have to foot the bill later anyway if it doesn’t help state and local governments shore up their defenses.

It would provide 60% of funds to state, local and tribal governments that are eligible, or 70% for those applying together. It would direct a federal outreach effort to smaller communities, and stress defense for both information technology and operational technology, Ogles said. Appropriators would still need to dedicate funding to the program, even if President Donald Trump signs it into law.

A coalition of tech and cybersecurity groups wrote to congressional leaders Tuesday urging them to extend the program, listing examples of how the grant program has defended against specific cyberattacks across the nation. “Without continued funding, hard-won progress will stall, and communities across the country will be left vulnerable — handing our adversaries a dangerous advantage,” their letter reads.

Paul hasn’t publicly indicated his plans for the expiring grant program. The two bills would provide new names for the things they are authorizing: WIMWIG replacing 2015 CISA, and PILLAR replacing the grant program.

The House Homeland Security Committee also voted 21-0 to advance the Generative AI Terrorism Risk Assessment Act, which would require the Department of Homeland Security to conduct annual assessments on how terrorist groups use artificial intelligence to carry out terrorist activity, such as seeking to radicalize potential recruits.

“Known terrorist organizations like ISIS or Al Qaeda or others have gone so far as to have AI workshops to train members on its use,” said the bill’s sponsor, Rep. August Pfluger, R-Texas.

And the committee voted 22-0 to approve the Pipeline Security Act that would codify the Transportation Security Administration’s pipeline security office into law and specify its responsibilities, including on cybersecurity. TSA wrote cybersecurity regulations in response to the 2021 Colonial Pipeline hack.

“We don’t just risk our national security, we risk supply chain disruptions that will create a ripple effect throughout our communities” if we fail to protect our pipelines, said the bill’s sponsor, Rep. Julie Johnson, D-Texas.

The post House panel approves cyber information sharing, grant legislation as expiration deadlines loom appeared first on CyberScoop.

Expiration of a 2015 law at the end of September could dramatically reduce cyber threat information sharing within industry, as well as between companies and the federal government, almost to the point of eliminating it, some experts and industry officials warn.

The Cybersecurity Information Sharing Act, also known as CISA 2015, is due to end next month unless Congress extends it. Leaders of both of the House and Senate panels with the responsibility for reauthorizing it say they intend to act on legislation next month, but the law still stands to expire soon without a quick bicameral deal.

The original 2015 law provided legal safeguards for organizations to share threat data with other organizations and the federal government.

“We can expect, roughly, potentially, if this expires, maybe an 80 to 90% reduction in cyber threat information flows, like raw flows,” Emily Park, a Democratic staffer on the Senate Homeland Security and Governmental Affairs Committee, said at an event last month. “But that doesn’t say anything about the break in trust that will occur as well, because at its core, CISA 2015, as an authority, is about trust, and being able to trust the businesses and organizations around you, and being able to trust the federal government that it will use the information you share with it.”

That estimate — 80 to 90% — is on the high side of warnings issued by policymakers and others, and some reject the notion that the sky is catastrophically falling should it lapse. Additionally, some of the organizations warning about the fallout from the law’s lapse benefit from its provisions. But there’s near-unanimity that expiration of the law could largely shift decisions about cyber threat info sharing from organizations’ chief information security officers to the legal department.

“If you think about it from the company’s perspective, what a lapse would do would be to cause the ability to share information — to move the decision from the CISO to the general counsel’s office,”  said Amy Shuart, vice president of technology and innovation at Business Roundtable, which considered the issue important enough to fly in CISOs from member companies to meet with lawmakers this summer and persuade them to act. “And any good general counsel is going to say, ‘I used to have authority here that protects us from antitrust. We don’t have it anymore. Now I’ve got concerns.’ So we do anticipate that if this was to lapse, the vast majority of private sector information sharing would shut down just due to legal risk.”

A common expectation among watchers is that Congress is likely to pass a short-term extension that would be attached to an annual spending bill known as a continuing resolution before the end of the current fiscal year, which also is tied to the end of September. But that still gives lawmakers a short window, and even if a short-term extension passes, Hill appropriators are likely to be impatient about a long-term extension and unwilling to aid any extension past the end of December.

Senate Homeland Security and Governmental Affairs Chairman Rand Paul, R-Ky., said last month that he intends to hold a markup of CISA 2015 extension legislation in September. A critic of the Cybersecurity and Infrastructure Security Agency over allegations that it pushed social media outlets to censor election security and COVID-19 data — allegations that then-CISA leaders denied — Paul said he wants to include language in any extension prohibiting the agency known as CISA from censorship.

The new leader of the House Homeland Security Committee, Andrew Garbarino, R-N.Y., also has said reauthorization is a priority, but wants to make other changes to the law as well.

“Reauthorizing the Cybersecurity and Information Sharing Act is essential as the deadline nears and as threats evolve,” Garbarino said in a statement to CyberScoop. “The House Committee on Homeland Security plans to mark up our legislative text for its reauthorization shortly after Congress returns from recess in September. In a 10-year extension, I will preserve the privacy protections in the law, and I aim to provide enhanced clarity to certain pre-existing provisions to better address the evolving threat landscape.”

Separate from the 2015 law, the Justice and Homeland Security departments have issued and updated legal guidance pertaining to cyber threat information sharing that sector-specific information sharing and analysis centers say undergird exchanges from company to company.

But a Supreme Court decision last year about federal regulatory authority could cast a shadow over that guidance should CISA 2015 expire, warned Michael Daniel, leader of the Cyber Threat Alliance. Furthermore, a failure from Congress to act could send a message to courts.

“A lack of congressional action to positively reauthorize private entities to monitor their networks, deploy defensive measures, and share information ‘notwithstanding any other provision of law’ introduces uncertainty about sharing information that could trigger certain criminal laws, such as the Computer Fraud and Abuse Act or the Stored Communications Act, or could violate antitrust laws when participating in collective cyber defense,” he recently wrote. “In short, the resulting uncertainty would reduce the amount of sharing that occurs, reintroduce friction into the system, and inhibit the ability to identify, detect, track, prepare for, or respond to cyber threats.”

Daniel told CyberScoop some of those discussions about expiration fallout are hypothetical at this point, but legal experts have told him they are realistic. 

Trump administration officials and nominees have said they support reauthorization of the 2015 law. There are links to its recent artificial intelligence action plan, which calls for establishment of an AI-ISAC.

“One of the things that we’ve heard the administration say loud and clear about their approach with the [AI] action plan is that they were thinking about what they could do within their existing authorities,” Shuart said. “CISA 2015 is an important existing authority for the action plan to be successful.”

Still, the future of the 2015 law is uncertain.

‘There’s a lot of people kind of searching around for how to do this. I really couldn’t say I know that there’s a consensus,” said Larry Clinton, president of the Internet Security Alliance. “I know that there are people working in multiple different committees — Homeland Security, Armed Services, Appropriations, Intel — who are trying to figure out how to do this. And that’s a good thing, because we want all that support. It’s also a troubling thing because we wind up with too many cooks in the kitchen, and it’s harder to get things done without a consensus on the specifics of what needs to be done, given the tight timeline.”

The post Here’s what could happen if CISA 2015 expires next month appeared first on CyberScoop.

The Senate voted to confirm Sean Cairncross as national cyber director Saturday, giving the Trump administration one of its top cyber officials after a more than five-month process.

The vote was 59-35.

President Donald Trump nominated Cairncross on Feb. 12. The Senate Homeland Security and Governmental Affairs Committee held a hearing on his nomination in early June, then voted to advance him that same month.

“I want to thank President Trump for this opportunity. It is an incredible honor to serve our country and this President as the National Cyber Director,” Cairncross said in a written statement. “As the cyber strategic environment continues to evolve, we must ensure our policy efforts and capabilities deliver results for our national security and the American people. The United States must dominate the cyber domain through strong collaboration across departments and agencies, as well as private industry. Under President Trump’s leadership, we will enter a new era of effective cybersecurity policy.”

At his hearing, Cairncross said he’d be focused on policy coordination. He fielded questions from senators about his lack of cyber experience, the biggest cyber threats, cuts to federal cybersecurity personnel and more.

Cairncross has held leadership positions inside and outside of government where there’s been a tenuous connection to cybersecurity. He served as CEO of the Millennium Challenge Corporation, a foreign aid agency, in the first Trump administration, along with roles in the White House. He’s also a former top official at the Republican National Committee.

Despite that, Cairncross has the vocal support of a number cyber experts and past government cyber officials

The Senate vote on Cairncross slots one more cyber leader into the Trump administration.  Alexei Bulazel has taken the job of top cyber official with the White House’s National Security Council, and Brett Leatherman is in the top cyber position at the FBI.

Trump has nominated Sean Plankey to serve as director of the Cybersecurity and Infrastructure Security Agency, and the Senate Homeland Security and Governmental Affairs Committee voted 9-6 last week to move his vote to the floor, although Sen. Ron Wyden, D-Ore., has placed a hold on the nomination pending the release of a telecommunications cybersecurity report.

Trump has displaced the joint head of U.S. Cyber Command and the National Security Agency, and hasn’t settled yet on who will take over.

There’s a backlog of Trump nominees that Cairncross got caught up in prior to the floor vote Saturday.

Updated, 8/3/25: to include statement from Cainrcross.

The post Senate confirms national cyber director pick Sean Cairncross appeared first on CyberScoop.

A bipartisan pair of senators are introducing legislation Thursday that would direct a White House office to develop a strategy for reckoning with the cybersecurity ramifications of quantum computers, and require agencies to begin pilot programs on quantum-safe encryption.

Sens. Gary Peters, D-Mich., and Marsha Blackburn, R-Tenn., say the National Quantum Cybersecurity Migration Strategy Act is meant to get ahead of rapidly advancing quantum computers that could bypass modern encryption standards and leave important data unprotected.

“It’s critical that the federal government be prepared for any threat posed by quantum computing technology, especially when it concerns our national security,” said Peters, the top Democrat on the Homeland Security and Governmental Affairs Committee. “My bill would help keep Americans safe by ensuring we have a quantum cybersecurity migration strategy to stay ahead of our adversaries and protect Americans’ personal data.”  

Blackburn added that “the National Quantum Cybersecurity Migration Strategy Act would ensure the federal government creates a road map to protect sensitive data and national security from emerging data security threats fueled by quantum computing.”

It’s a follow-up to two quantum computing laws passed in recent years: one devoted to developing U.S. quantum research and another devoted to pushing agencies to acquire IT systems with post-quantum cryptography. 

The latest legislation, which CyberScoop is first to report, would lean on the expertise of the Subcommittee on the Economic and Security Implications of Quantum Science (ESIX) — which is a part of the National Science and Technology Council that coordinates federal government technology policy — to develop the strategy. 

The strategy would recommend standards for federal agencies to define “a cryptographically relevant quantum computer,” to include characteristics such as “the particular point at which such computers are capable of attacking real world cryptographic systems that classical computers are unable to attack.”

The strategy would include an assessment of the need to migrate to post-quantum cryptography for each agency, and measurements for evaluating that migration.

ESIX would also establish a post-quantum pilot program that would require each sector risk management agency responsible for protecting the 16 federally designated critical infrastructure sectors to upgrade at least one high-impact system to post-quantum cryptography by the start of 2027.

“Because stolen data can be stored and decrypted later, experts warn that action must be taken now to secure systems with stronger, quantum-proof protections,” a forthcoming news release on the bill states. “This bill responds to that urgency by requiring federal agencies to begin migrating critical systems before it’s too late.”

Quantum industry leaders at a May hearing urged Congress to expand support for U.S. quantum initiatives. Experts and U.S. government officials are particularly worried about falling behind China on quantum computing.

Peters and Blackburn are introducing their bill the day after the Senate Homeland Security and Governmental Affairs Committee took action on its first slate of bills in 2025.

The post Senate legislation would direct federal agencies to fortify against quantum computing cyber threats appeared first on CyberScoop.

Sean Plankey’s path to leading the Cybersecurity and Infrastructure Security Agency might have one obstacle set to be cleared for removal.

With the Senate Homeland Security and Governmental Affairs Committee scheduled to hold a vote on his nomination for CISA director Wednesday, the next and final step for Plankey pending approval from the panel would be getting a full Senate vote — something Sen. Ron Wyden, D-Ore., has vowed to block until the agency publicly releases a report on telecommunications network vulnerabilities.

CISA said Tuesday that it would, in fact, release that report.

“CISA intends to release the U.S. Telecommunications Insecurity Report (2022) that was developed but never released under the Biden administration in 2022, with proper clearance,” Marci McCarthy, director of public affairs at the agency, said in an emailed statement. “CISA has worked with telecommunications providers before, during, and after Salt Typhoon — sharing timely threat intelligence, providing technical support and continues to have close collaboration with our federal partners to safeguard America’s communications infrastructure.”

The agency didn’t say when it would release the report, or what “proper clearance” entailed.

CISA’s statement came shortly after Senate passage of legislation — without objections from any senator — that would require the release of the report within 30 days of enactment. The House would still have to pass the bill to send it to President Donald Trump for a signature.

In a floor speech Monday, Wyden said “Congress and the American people deserve to read this report. It includes frankly shocking details about national security threats to our country’s phone system that require immediate action.

“CISA’s multi-year cover-up of the phone companies’ negligent cybersecurity enabled foreign hackers to perpetrate one of the most serious cases of espionage — ever — against our country,” he continued. “Had this report been made public when it was first written in 2022, Congress would have had ample time to require mandatory cybersecurity standards for phone companies, in time to prevent the Salt Typhoon hacks.”

A spokesperson for Wyden said Tuesday that no one from the office has heard from CISA on its plans for the report “that I know of.”

The government’s response to Salt Typhoon, and the industry’s handling of its vulnerabilities, have drawn some outside criticism. Government agencies have rejected some of those complaints while acknowledging others.

The Senate Homeland Security and Governmental Affairs Committee held a hearing on the nomination of Plankey last week, where he talked about his priorities for the agency but also drew fire from a Democratic senator over his views on election manipulation in past and future races.

The post CISA says it will release telecom security report sought by Sen. Wyden to lift hold on Plankey nomination appeared first on CyberScoop.

It’s time for SpaceX to take strong action against scammers abusing the company’s Starlink internet service, Sen. Maggie Hassan said in a letter to CEO Elon Musk on Monday.

The New Hampshire Democrat cited evidence accumulating over the past two years that some Southeast Asian fraudsters scamming billions of dollars from U.S. citizens have leaned on Starlink due to its independence from national telecommunications networks, decentralized structure and the ability to use it on the go.

Media outlets and government officials have turned up Starlink equipment at scam compounds that are largely centered in Southeast Asia, and a United Nations Office on Drugs and Crime report last fall highlighted the trend. 

“While SpaceX has stated that it investigates and deactivates Starlink devices in various contexts, it seemingly has not publicly acknowledged the use of Starlink for scams originating in Southeast Asia — or publicly discussed actions the company has taken in response,” Hassan wrote. “Scam networks in Myanmar, Thailand, Cambodia, and Laos, however, have apparently continued to use Starlink despite service rules permitting SpaceX to terminate access for fraudulent activity.”

Scam compounds have been getting increased attention from Southeast Asian governments and nonprofit organizations in recent months, but there are also signs that the crackdowns aren’t keeping up with the industry’s evolution.

A human rights group last week reported data showing that the scammers’ use of Starlink has more than doubled since Thailand began cutting internet cables to cripple their operations.

SpaceX didn’t immediately respond to a request for comment Monday, and has not responded to past media questions about Southeast Asian scammers using Starlink.

Hassan wants to know whether SpaceX was aware of the scammers using Starlink and if so, when it first knew it, its policies for investigating and restricting the use of Starlink devices, what it’s done to work with law enforcement agencies on the problem and more. She sits on the Senate Homeland Security and Governmental Affairs Committee.

Much of the cybersecurity-related attention SpaceX has received this year is as a potential target of cyberattacks, particularly after White House security experts warned of the security risks of installing Starlink there and President Donald Trump said he would continue using the service. 

SpaceX has a web page dedicated to Starlink-related scams of another sort.

The post Sen. Hassan wants to hear from SpaceX about scammers abusing Starlink appeared first on CyberScoop.

President Donald Trump’s pick to lead the Cybersecurity and Information Security Agency told senators Thursday that he would prioritize evicting China from the U.S. supply chain, and wouldn’t hesitate to ask for more money for the shrunken agency if he thought it needed it.

“If confirmed it will be a priority of mine to remove all Chinese intrusions, exploitations or infestation into the American supply chain,” Sean Plankey told Rick Scott, R-Fla., at his confirmation hearing before the Homeland Security and Governmental Affairs Committee. Scott had asked Plankey about reports of Chinese infiltration of U.S. energy infrastructure.

Should he be confirmed for the role, Plankey is set to arrive at an agency that has had its personnel and budget slashed significantly under Trump, a topic of concern for Democratic senators including the ranking member on the panel vetting him, Gary Peters of Michigan. Peters asked how he’d handle the smaller CISA he’s inherited while still having a range of legal obligations to fulfill.

“One of the ways I’ve found most effective when you come in to lead an organization is to allow the operators to operate,” Plankey said. “If that means we have to reorganize in some form or fashion, that’s what we’ll do, I’ll lead that charge. If that means we need a different level of funding than we currently have now, then I will approach [Department of Homeland Security Secretary Kristi Noem], ask for that funding, ask for that support.”

Under questioning from Sen. Richard Blumenthal, D-Conn., about whether he believed the 2020 election was rigged or stolen, Plankey, like other past Trump nominees, avoided answering “yes” or “no.” 

At first he said he hadn’t reviewed any cybersecurity around the 2020 election. He then said, “My opinion on the election as an American private citizen probably isn’t relevant, but the Electoral College did confirm President Joe Biden.” 

Blumenthal pressed him, saying his office was supposed to be above politics, and asked what Plankey would do if Trump came to him and falsely told him the 2026 or 2028 elections were rigged. 

“That’s like a doctor who’s diagnosing someone over the television because they saw them on the news,” Plankey answered.

Chairman Rand Paul, R-Ky., rebutted Blumenthal, saying “CISA has nothing to do with the elections.” But Sen. Josh Hawley, R-Mo., later asked Plankey about CISA’s “important” role in protecting election infrastructure, and asked how he would make the line “clear” between past CISA disinformation work that Republicans have called censorship and cybersecurity protections.

Plankey answered that Trump has issued guidance on the protection of election security infrastructure like electronic voting machines, and it’s DHS’s job “to ensure that it is assessed prior to an election to make sure there are no adversarial actions or vulnerabilities in it,” something he’d focus on if Noem tasked CISA with the job.

Plankey said he would not engage in censorship — something his predecessors staunchly denied doing — because “cybersecurity is a big enough problem.” His focus would be on defending federal networks and critical infrastructure, he said. To improve federal cybersecurity, he said he favored “wholesale” revamps of federal IT rather than smaller fixes.

The Center for Democracy and Technology said after Plankey’s hearing it was concerned about how CISA would approach election security.

“CISA has refused to say what its plans are for the next election, and election officials across the country are flying blind,” said Tim Harper, senior policy analyst on elections and democracy for the group. “If CISA is abandoning them, election officials deserve to know so they can make plans to protect their cyber and physical infrastructure from nation-state hackers. Keeping them in the dark only helps bad actors.”

Plankey indicated support for the expiring State and Local Cybersecurity Grant Program, as well as the expiring 2015 Cybersecurity and Information Sharing Act, both of which are due to sunset in September.

Paul told reporters after the hearing that he planned to have a markup of a renewal of the 2015 information sharing law before the September deadline, with language added to explicitly prohibit the Cybersecurity and Infrastructure Security Agency from any censorship.

Plankey’s nomination next moves to a committee vote, following an 11-1 vote last month to advance the nomination of Sean Cairncross to become national cyber director. Plankey’s nomination would have another hurdle to overcome before a Senate floor vote, as Sen. Ron Wyden, D-Ore., has placed a hold on the Plankey pick in a bid to force the administration to release an unclassified report on U.S. phone network security.

“The Trump administration might not have been paying attention, so I’ll say it again: I will not lift my hold on Mr. Plankey’s nomination until this report is public. It’s ridiculous that CISA seems more concerned with covering up phone companies’ negligent cybersecurity than it is with protecting Americans from Chinese hackers,” Wyden said in a statement to CyberScoop. “Trump’s administration won’t act to shore up our dangerously insecure telecom system, it hasn’t gotten to the bottom of the Salt Typhoon hack, and it won’t even let Americans see an unclassified report on why it’s so important to put mandatory security rules in place for phone companies.”

The post Plankey vows to boot China from U.S. supply chain, advocate for CISA budget appeared first on CyberScoop.