In 2021, Congress gave state and local governments $1 billion for cyber improvements.
The program has been transformative, but it expires next year. My new @TheRecord_Media story explores what it's accomplished and what will happen if it isn't renewed: therecord.media/federal-money-…
I talked to folks from @NASCIO, @NACoTweets, @CTDEMHS, and @MontanaDES about the grant program.
They all said it's been a vital lifeline for cash-strapped, hack-plagued government agencies.
It "has been a game-changer," said CT emergency management director William Turner.
There have been some state-local tensions (most of the money is earmarked for local governments, but states can decide how to provide it), and meeting the federal requirements hasn't been easy, but people who work with the program say the results have been impressive.
New from me: Inside @CISAgov as Trump prepares to take power.
Employees are worried that he'll end key projects, drive away star talent, and generally weaken the agency's role in protecting the government and the nation from hackers.
CISA staffers expect Trump to spurn efforts to raise the tech industry's security baseline.
"Compliance efforts like secure-by-design may not have the support that they currently benefit from," one employee said.
Also at risk: Election security aid and incident reporting rules.
As a U.S. cyber official put it to me of Trump's team, "They do not think it's the role of the US government to make [the] private sector act in a certain way."
The White House just held a press call to discuss the latest on China's "Salt Typhoon" hacking campaign against telecommunications companies.
New detail: "At least eight" U.S. telcos have been hacked, deputy national security adviser for cyber Anne Neuberger said.
The Salt Typhoon activity "has been underway for some time," a senior administration official said -- "likely one to two years." China has hacked telcos in "a couple of dozen" countries during that time.
"At this time, we don't believe any classified communications have been compromised," Neuberger said.
Senior CISA and FBI officials just held a background call to brief reporters on the status of their investigation into Chinese hacking of U.S. and foreign telecom companies.
It sounds like telecoms are a long way from being able to evict the Chinese hackers from their networks.
"The continued investigation into the PRC targeting commercial telecom infrastructure has revealed a broad and significant cyber-espionage campaign," a senior FBI official said.
Investigation began late spring/early summer and has involved meetings with "scores" of U.S. telcos.
Stolen records include:
* Lots of metadata about calls and texts (but no content)
* Call and text content from a targeted group of govt/political figures
* Data (but not intercepts) from the law enforcement wiretap portal
"As we head into tomorrow," @CISAJen says on a press call happening now, "I can say with great confidence that our election infrastructure has never been more secure and that the election community has never been better prepared to deliver safe, secure, free, and fair elections."
Easterly: "From the national level, during the early-voting period, we have observed small-scale incidents resulting in no significant impacts to election infrastructure."
Easterly: "These include low-level distributed denial-of-service activity, criminal destruction of ballot drop boxes, some severe weather in the central United States, and continued threats targeting election officials."
Six years after @CyberSolarium urged Congress to make software vendors legally liable for product failures, very little has been done.
My new story for @TheRecord_Media explores the legal, technical, and political challenges facing software liability: therecord.media/cybersecurity-…
Problem #1: Software vendors have been protected from virtually any form of legal accountability for decades, dating back to when policymakers were afraid of stifling the nascent industry.
Licenses disclaim liability.
It's "a golden-child industry," one legal expert told me.
Problem #2: There are a lot of complex legal and technological issues to sort out, including what makes a product reasonably secure, what kind of harm is actionable, how to address open-source software and insurance companies, and how to set civil suit burdens.