
America can’t afford to hollow out its cyber defenses

In recent months, the United States has entered a dangerous phase of digital vulnerability just as adversaries accelerate their use of artificial intelligence. Anthropic recently disclosed that a nation state-linked threat actor attempted to use its commercial AI models to enhance cyber espionage operations, one of the first publicly documented attempts to operationalize AI for real-world intelligence gathering and offensive cyber activity. The company ultimately blocked the activity, but it demonstrated how quickly hostile actors are adapting and how easily these tools can be repurposed for malicious use.

At the same time, the U.S. is grappling with a significant loss of cyber expertise across agencies, including nearly 1,000 seasoned experts from the Cybersecurity and Infrastructure Security Agency. Attrition and budget reductions over recent years have hollowed out capabilities the nation relies on for critical infrastructure protection and threat coordination. Key intelligence units that once monitored Russian and other foreign cyber operations have been disbanded. CISA is now planning a major hiring surge to rebuild its workforce, which has vacancy rates hovering around 40%, but the gap between where the agency stands and what the threat environment demands remains significant.

Combined, these developments paint a troubling picture. AI is enabling threat actors to become more aggressive, efficient and effective, yet the U.S. appears to be weakening the very cyber defenses necessary to counter them. Make no mistake: A one-third loss of our top cyber forces since the start of the current administration, combined with a proposed 17% CISA budget cut, equates to strategic self-sabotage.

The AI-powered digital arms race

Cyber policy experts warn that the U.S. is entering a digital arms race just as it’s hollowing out its defensive ranks. We’re facing the battle with fewer soldiers and less ammunition. Many are speaking out, including security experts such as Bruce Schneier, a Harvard fellow and renowned cryptographer; Heather Adkins, Google’s founding director of information security; and Gadi Evron, a cyber intelligence leader and early pioneer in botnet defense. They have all warned that AI is becoming an asymmetric weapon empowering adversaries far faster than it equips defenders. The tools that once required months of expert development can now be generated by large language models in minutes. Malware creation, vulnerability discovery and exploitation are being automated at an unprecedented scale.

Meanwhile, defenders are being asked to do more with less. CISA’s work, from protecting critical infrastructure and federal networks to supporting state and local election systems, is foundational to national security. Reducing the agency’s budget or its workforce doesn’t just create gaps; it signals to adversaries that the U.S. is willing to accept greater risk in the digital domain.

Critical infrastructure’s expanding attack surface

This risk extends far beyond government networks. Our power grids, water treatment plants, financial systems, hospitals and communications infrastructure are all connected to and dependent on the same digital backbone. And while it’s true that most critical infrastructure in the U.S. is privately owned and regulated and that the federal government and industry have spent more than a decade trying to harden these systems, those efforts have not eliminated the underlying vulnerabilities and the cascade effect compromise can have.

Many of the improvements have focused on legacy perimeter defenses, voluntary standards or incremental upgrades to aging operational technology. But the attack surface has expanded faster than regulations or investments can keep pace. Water systems, in particular, carry a disproportionate risk. Utilities operated at the local level often lack dedicated security staff, rely on remote access software and operate equipment that was never designed for an environment of persistent, AI-assisted cyber threats. According to CISA, hospitals that lose water service lose their ability to provide basic patient care, sanitation and medical procedures within just two hours. Unlike electricity, where backup generators commonly provide redundancy to ensure continuous operations, there is no equivalent resilience for water treatment or distribution.

Researchers like Joshua Corman, who leads the UnDisruptable27 initiative at the Institute for Security and Technology, have warned about the cascading consequences when cyber or physical incidents compromise critical functions. Corman said U.S. critical infrastructure was never built to withstand deliberate, persistent attacks and the nation continues to underestimate how quickly a disruption in one lifeline sector cascades into others. Water and wastewater systems, emergency medical care, food supply chains and power are tightly interdependent; losing even one can trigger rapid, compounding failures.

So while critical infrastructure is more secure in some respects, it is also more interconnected, more digitized and more exposed than ever. Hardening alone cannot offset the impact of weakened federal cyber capacity. The systems that sustain our world are online, remotely managed and increasingly targeted by adversaries who now have faster, cheaper, AI-driven tools at their disposal.

The global impact of weakened U.S. defenses

Today, nation-state actors can weaponize code at superhuman speed, but the erosion of federal cyber capacity is not merely a domestic concern. The impact can be felt throughout the global fabric of the internet and its interconnected systems. They depend on American digital resilience. Water infrastructure, power grids, telecommunications, financial networks and even the integrity of democratic elections hinge on having a properly resourced, expert-led cyber defense.

Allies rely on American intelligence and coordination, and multiple federal agencies contribute to that ecosystem. The Office of the Director of National Intelligence leads the classified intelligence-sharing mission across the “Five Eyes” and other international partners. But CISA plays a critical role in global cyber defense.

CISA is the primary U.S. agency responsible for sharing unclassified, actionable threat information with foreign computer emergency readiness teams (CERT), multinational companies, critical infrastructure operators and technology vendors who sit outside the intelligence community. Its Joint Cyber Defense Collaborative routinely coordinates with international partners to issue joint advisories, publish analytic reports on nation-state activity and align defensive playbooks across borders. These are often the first public warnings about nation-state activity. When CISA’s capacity shrinks, these real-time channels of global coordination weaken.

That’s why the disbanding of specialized units focused on Russian operations has strained relationships and emboldened our adversaries. The loss is not only in classified analysis, but in the day-to-day operational coordination, warnings and technical guidance that CISA provides to governments and private-sector operators worldwide. In an era of growing geopolitical instability, the shadow cast by U.S. cyber policy reaches far beyond our borders and shared defense efforts are essential. Cyber risks and threat actors will continue to evolve with the weaponization of AI, and we simply cannot afford to let any part of the ecosystem erode.

The future of U.S. cybersecurity

Although we are under tremendous pressure to reinforce our digital infrastructure, we cannot address this challenge by pointing fingers. This is not a partisan issue; it is a universal one.

Fortunately, we can still reverse course, but only if we act decisively. Every day we delay, we trade preparedness for fragility. Appealing to Washington alone won’t be enough. The private sector operates and secures most of the systems that keep the U.S. running. Corporate leaders, from utilities to finance to technology, have as much at stake as the intelligence community. They have a voice, and it’s time to use it. Everyone who values security and stability must take part in reversing this decline.

Cybersecurity and corporate leaders must stand together and make it clear that weakening the nation’s digital defenses weakens the entire global economy. That means demanding Congress restore cyber funding, publicly supporting stronger baseline security requirements for critical infrastructure, participating in joint advisories with CISA and international CERTs, and committing to shared defense initiatives through industry coalitions, such as the Cyber Threat Alliance or one of the industry-focused Information Sharing and Analysis Centers (ISACs). The prosperity we enjoy depends on peace and stability in cyberspace, and that stability depends on a united front that encompasses both public and private as well as domestic and international interests.

The U.S. once led the world in building the secure foundations of the internet. We can lead again, but only if we treat cybersecurity as an essential part of our national security.

Jaya Baloo is the co-founder, chief operating officer and chief information security officer of AISLE.

The post America can’t afford to hollow out its cyber defenses first appeared on Federal News Network.


Harmonizing compliance: How oversight modernization can strengthen America’s cyber resilience

For decades, the federal government has relied on sector-specific regulations to safeguard critical infrastructure. As an example, organizations including the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) set standards for the energy sector, while the Transportation Security Administration issues pipeline directives and the Environmental Protection Agency makes water utility rules.

While these frameworks were designed to protect individual sectors, the digital transformation of operational technology and information technology has made such compartmentalization increasingly risky.

Today, the boundaries between sectors are blurring – and the gaps between their governance frameworks are becoming attackers’ entry points.

The problem is the lack of harmony.

Agencies are enforcing strong but disconnected standards, and compliance often becomes an end in and of itself, rather than a pathway to resilience.

With the rollout of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) and the release of the National Institute of Standards and Technology’s Cybersecurity Framework 2.0, the United States has an opportunity to modernize oversight, making it more adaptive, consistent and outcome based.

Doing so will require a cultural shift within federal governance: from measuring compliance to ensuring capability.

Overlapping mandates, uneven protection

Every critical infrastructure sector has its own set of cybersecurity expectations, but those rules vary widely in scope, maturity and enforcement. The Energy Department may enforce rigorous incident response requirements for electric utilities, while TSA might focus its directives on pipeline resilience. Meanwhile, small water utilities, overseen by the EPA, often lack the resources to fully comply with evolving standards.

This uneven terrain creates what I call “regulatory dissonance.” One facility may be hardened according to its regulator’s rulebook, while another connected through shared vendors or data exchanges operates under entirely different assumptions. The gaps between these systems can create cascading risk.

The 2021 Colonial Pipeline incident illustrated how oversight boundaries can become national vulnerabilities. While the energy sector had long operated under NERC CIP standards, pipelines fell under less mature guidance until TSA introduced emergency directives after the fact. CIRCIA was conceived to close such gaps by requiring consistent incident reporting across sectors. Yet compliance alone won’t suffice if agencies continue to interpret and implement these mandates in isolation.

Governance as the common language

Modernizing oversight requires more than new rules; it requires shared governance principles that transcend sectors. NIST’s Cybersecurity Framework 2.0 introduces a crucial element in this direction: the new “Govern” function, which emphasizes defining roles, responsibilities and decision-making authority within organizations. This framework encourages agencies and their partners to move from reactive enforcement toward continuous, risk-informed governance.

For federal regulators, this presents an opportunity to align oversight frameworks through a “federated accountability” model. In practice, that means developing consistent taxonomies for cyber risk, harmonized maturity scoring systems and interoperable reporting protocols.

Agencies could begin by mapping common controls across frameworks, aligning TSA directives, EPA requirements and DOE mandates to a shared baseline that mirrors NIST Cybersecurity Framework principles. This kind of crosswalk not only streamlines oversight, but also strengthens public-private collaboration by giving industry partners a clear, consistent compliance roadmap.

Equally important is data transparency. If the Cybersecurity and Infrastructure Security Agency, DOE and EPA share a common reporting structure, insights from one sector can rapidly inform others. A pipeline incident revealing supply chain vulnerabilities could immediately prompt water or energy operators to review similar controls. Oversight becomes a feedback loop rather than a series of disconnected audits.

Engineering resilience into policy

One of the most promising lessons from the technology world comes from the “secure-by-design” movement: Resilience cannot be retrofitted. Security must be built into the design of both systems and the policies that govern them.

In recent years, agencies have encouraged vendors to adopt secure development lifecycles and prioritize vulnerability management. But that same thinking can, and should, be applied to regulation itself. “Secure-by-design oversight” means engineering resilience into the way standards are created, applied and measured.

That could include:

  • Outcome-based metrics: Shifting from binary compliance checks (“Is this control in place?”) to maturity indicators that measure recovery time, detection speed or incident containment capability.
  • Embedded feedback loops: Requiring agencies to test and refine directives through simulated exercises with industry before finalizing rules, mirroring how developers test software before release.
  • Adaptive updates: Implementing versioned regulatory frameworks that can be iteratively updated, similar to patch cycles, rather than rewritten every few years through lengthy rulemaking.

Such modernization would not only enhance accountability but also reduce the compliance burden on operators who currently navigate multiple, sometimes conflicting, reporting channels.

Making oversight measurable

As CIRCIA implementation begins in earnest, agencies must ensure that reporting requirements generate actionable insights. That means designing systems that enable real-time analysis and trend detection across sectors, not just retrospective compliance reviews.

The federal government can further strengthen resilience by integrating incident reporting into national situational awareness frameworks, allowing agencies like CISA and DOE to correlate threat intelligence and issue rapid, unified advisories.

Crucially, oversight modernization must also address the human dimension of compliance. Federal contractors, third-party service providers and local operators often sit at the outer edge of regulatory reach but remain central to national resilience. Embedding training, resource-sharing and technical assistance into federal mandates can elevate the entire ecosystem, rather than penalizing those least equipped to comply.

The next step in federal cyber strategy

Effective harmonization hinges on trust and reciprocity between government and industry. The Joint Cyber Defense Collaborative (JCDC) has demonstrated how voluntary partnerships can accelerate threat information sharing, but most collaboration remains one-directional.

To achieve true synchronization, agencies must move toward reciprocal intelligence exchange, aggregating anonymized, cross-sector data into federal analysis centers and pushing synthesized insights back to operators. This not only democratizes access to threat intelligence, but also creates a feedback-driven regulatory ecosystem.

In the AI era, where both defenders and attackers are leveraging machine learning, shared visibility becomes the foundation of collective defense. Federal frameworks should incorporate AI governance principles, ensuring transparency in data usage, algorithmic accountability and protection against model exploitation, while enabling safe, responsible innovation across critical infrastructure.

A unified future for resilience governance 

CIRCIA and NIST Cybersecurity Framework 2.0 have laid the groundwork for a new era of harmonized oversight — one that treats resilience as a measurable capability rather than a compliance checkbox.

Achieving that vision will require a mindset shift at every level of governance. Federal regulators must coordinate across agencies, industry partners must participate in shaping standards, and both must view oversight as a dynamic, adaptive process.

When frameworks align, insights flow freely, and regulations evolve as quickly as the threats they are designed to mitigate, compliance transforms from a bureaucratic exercise into a national security asset. Oversight modernization is the blueprint for a more resilient nation.

 

Dr. Jerome Farquharson is managing director and senior executive advisor at MorganFranklin Cyber.

The post Harmonizing compliance: How oversight modernization can strengthen America’s cyber resilience first appeared on Federal News Network.

© The Associated Press

A Colonial Pipeline station is seen, Tuesday, May 11, 2021, in Smyrna, Ga., near Atlanta. Colonial Pipeline, which delivers about 45% of the fuel consumed on the East Coast, halted operations last week after revealing a cyberattack that it said had affected some of its systems. (AP Photo/Mike Stewart)

Expert Edition: How to build cyber resilience for the quantum era

By: wfedstaff

Cyberthreats aren’t slowing down. Federal agencies face a pivotal moment: How can they modernize fast enough to stay ahead of adversaries while managing legacy systems, tight budgets and workforce challenges?

Our new e-book dives into the strategies shaping the next era of cybersecurity that were shared on Day 2 of our Cyber Leaders Exchange 2025, presented by Carahsoft and Palo Alto Networks. From preparing for quantum computing risks to implementing zero trust, securing DNS and building AI expertise, these insights from federal and industry innovators will help chart a path forward.

Featured voices include:

  • Kelvin Brewer, director of public sector sales engineering, Ping Identity
  • Garfield Jones, associate chief of strategic technology, CISA
  • Bill Newhouse, cybersecurity engineer, National Cybersecurity Center of Excellence, NIST
  • Christopher Paul, U.S. Marine Corps chair for information, Naval Postgraduate School
  • Egon Rinderer, senior vice president, federal and enterprise growth, NinjaOne
  • Jim Smid, principal architect for DoD and the IC, Palo Alto Networks
  • Chris Usserman, chief technologist for public sector, Infoblox
  • Merrick Watchorn, chief cyber, quantum and cognitive information services architect, Air Force

As Brian O’Donnell of Carahsoft said, “Cybersecurity remains a top priority for CIOs and senior leaders across every sector. It’s not just a technical concern — it’s a strategic imperative.”

Don’t wait for tomorrow’s threats to become today’s crisis. Download the full e-book now and discover how agencies are turning complexity into resilience.

The post Expert Edition: How to build cyber resilience for the quantum era first appeared on Federal News Network.


A preview of the upcoming Black Hat conference…

By: slandau

EXECUTIVE SUMMARY:

One of the leading cyber security conferences globally, Black Hat USA is where intellect meets innovation. The 2024 event is taking place from August 3rd – 8th, at the Mandalay Bay Convention Center in Las Vegas.

The conference is highly regarded for its emphasis on cutting-edge cyber security research, high-caliber presentations, skill development workshops, peer networking opportunities, and for its Business Hall, which showcases innovative cyber security solutions.

Although two other cyber security conferences in Las Vegas will compete for attention next week, Black Hat is widely considered the main draw. Last year, Black Hat USA hosted roughly 20,000 in-person attendees from 127 different countries.

Event information

The Black Hat audience typically includes a mix of cyber security researchers, ethical hackers, cyber security professionals – from system administrators to CISOs – business development professionals, and government security experts.

On the main stage this year, featured speakers include Ann Johnson, the Corporate Vice President and Deputy CISO of Microsoft, Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA), and Harry Coker Jr., National Cyber Director for the United States Executive Office of the President.

The Black Hat CISO Summit, on Monday, August 5th through Tuesday, August 6th, caters to the needs and interests of CISOs and security executives. This track will address topics ranging from the quantification of cyber risk costs, to supply chain security, to cyber crisis management.

Professionals who are certified through ISC2 can earn 5.5 Continuing Professional Education (CPE) credits for CISO Summit attendance.

Why else Black Hat

  • Access to thousands of industry professionals who have similar interests, who can discuss challenges and who can provide new product insights.
  • Access to the latest cyber research, which may not yet be widely available, helping your organization prevent potential attacks before they transform into fast-moving, large-scale issues.
  • Cyber security strategy development in partnership with experts and vendors.
    • Check Point is offering exclusive 1:1 meetings with the company’s cyber security executives. If you plan to attend the event and would like to book a meeting with a Check Point executive, please click here.
  • Community building. Connect with others, collaborate on initiatives and strengthen everyone’s cyber security in the process.

Must-see sessions

If you’re attending the event, plan ahead to make the most of your time. There’s so much to see and do. Looking for a short-list of must-see speaking sessions? Here are a handful of expert-led and highly recommended talks:

  • Enhancing Cloud Security: Preventing Zero-Day Attacks with Modernized WAPs: Wednesday, August 7th, at 11:00am, booth #2936
  • How to Train your AI Co-Pilot: Wednesday, August 7th, at 12:30pm, booth #2936
  • Key Factors in Choosing a SASE Solution: Thursday, August 8th, at 10:45am, booth #2936

Further details

Be ready for anything and bring the best version of yourself – you never know who you’ll meet. They could be your next software developer, corporate manager, business partner, MSSP, or cyber security vendor. Meet us at booth #2936. We can’t wait to see you at Black Hat USA 2024!


 

The post A preview of the upcoming Black Hat conference… appeared first on CyberTalk.

How Much is the U.S. Investing in Cyber (And is it Enough)?

It’s no secret that cyberattacks in the U.S. are increasing in frequency and sophistication. Since cyber crime impacts millions of businesses and individuals, many look to the government to see what it’s doing to anticipate, prevent and deal with these crimes.

To gain perspective on what’s happening in this area, the U.S. government’s budget and spending plans for cyber are a great place to start. This article will explore how much the government is spending, where that money is going and how its budget compares to previous years.

How Much is the U.S. Spending on Cybersecurity, and Where is the Money Going?

In June 2022, the U.S. announced new spending bills for the fiscal year 2023, including an allocation of $15.6 billion for cybersecurity. The majority of the money — $11.2 billion — will be appropriated for the Department of Defense (DoD), and $2.9 billion will go to the Cybersecurity and Infrastructure Security Agency (CISA).

The money going to the DoD will be used in a variety of ways. For example, Paul Nakasone, commander of the U.S. Cyber Command, has discussed plans to grow five Cyber Mission Force teams. Approximately 133 of these already exist and focus on carrying out defensive cyber operations.

How Involved is the Private Sector in the Allocation of Funds?

Clearly, the majority of funds in the new budget will go to government agencies. However, the government also plans to invest in the private sector and has discussed the importance of strengthening relationships with companies and private organizations.

One key area here is information sharing; after all, cybersecurity is a team sport. However, the government has faced criticism in the past for expecting detailed data from companies while failing to provide adequate information on their end. Recently, government agencies have spoken more about working towards more open and two-sided information sharing, but only time will tell how successful that strategy will be.

U.S. lawmakers have asked the defense secretary to work more closely with CISA and the private organizations within it, especially in areas related to Russian and Chinese activity. CISA has also received $417 million more in funding than was initially requested by the White House.

How do Current Federal Investments in Cyber Compare to Previous Years?

Compared to the previous few years, investment in cybersecurity is gradually increasing. 2021 saw $8.64 billion in spending, followed by a slight increase in 2022.

It’s a positive trend that signals the government is taking the issue seriously. But are state and local governments keeping up?

How is Cyber Investment Changing at the Local and State Levels?

The data shows that the government is also investing in cybersecurity in non-financial capacities at the local and state level. In 2021, for instance, state legislative sessions saw more than 285 pieces of cybersecurity-related legislation introduced, and in 2022 that number increased to 300.

In addition, President Biden introduced the Infrastructure Investment and Jobs Act in 2021, which allocated $1 billion in grants to bolster cybersecurity at the local, state, tribal and territorial levels. The government will distribute this amount over four years until 2025.

It adds up to a promising development for local and state governments, who are finally gaining the resources to protect their communities more effectively. Plus, it demonstrates a growing understanding of the importance of cybersecurity at the federal level and, hopefully, a more informed approach in the future.

Promising Signs for the Future

While cybersecurity funding is one truly positive sign, there are more reasons to be hopeful — such as the appointment of the USA’s first-ever National Cyber Director, Chris Inglis.

Looking to the future, the U.S. will need to constantly readjust its cyber defense posture and adapt to this ever-changing landscape, especially as cyber crime becomes not only more common but also more challenging and complex. It costs money to do that effectively, so the government must prioritize cyber funding for the foreseeable future.

Of course, individual organizations will need to take responsibility for their own security, too.

IBM can help — with solutions like the Security QRadar XDR, you get a suite of tools and powerful features to help you defend your organization against attacks and keep your teams focused on what’s important. Find out more here.

The post How Much is the U.S. Investing in Cyber (And is it Enough)? appeared first on Security Intelligence.
