B (13:36)

Absolutely. I mean, there's been a lot of attention lately on that 10 year old law that Congress has not been successfully reauthorizing. On the list of meaningful important pieces of cybersecurity legislation that Congress has ever passed. It's really kind of a two horse race. And the other one is a law that Congress got through in 2022 called the Cyber Incident Reporting for Critical Infrastructure Act. And the gist of it is it was right around the time of a lot of things like solar winds were fresh in people's minds. And some of the bigger incidents that were happening around that time were people concerned that there just wasn't enough government awareness into what was happening and they weren't able to essentially weaponize that information by giving it out to critical infrastructure owners and operators. So the law at its core says if you're a critical infrastructure owner operator, you have to notify CISA within 72 hours if they suffer a major cyber attack. And there's some definitional terms in the law what that means. And then if you make a ransomware payment as one of those owners and operators, you have to let CISA know within 24 hours. That's the gist of it.

A (14:48)

Yeah.

B (14:48)

And Congress had passed that back then, and they've been working on the regulation ever since.

A (14:55)

So there are some points of contention here. What is at play in terms of people not having complete understanding of what this may or may not apply to.

B (15:06)

Yeah. So, I mean, there's been a lot of drafting of the legislation. Sorry. Of the regulation. Under the Biden administration, they put out a proposed rule and it addressed things like, you know, we said the law talks about critical infrastructure owners and operators, but who specifically.

A (15:26)

Right.

B (15:26)

Who is considered a covered entity under this law has been the kind of definitional things that this law has to handle. So some of those definitions industry did not like. They thought they were too broad, they thought they were too burdensome.

A (15:41)

And so now CISA is saying that something they're considering are virtual town halls.

B (15:48)

Exactly. So this was supposed to have been all wrapped up by, I believe, last fall and three years to write a regulation. But I guess it's a complex regulation. Not even. I guess it is, but it's still a little surprising to me that they couldn't get it done in that timeframe. Even knowing that government doesn't operate at the speed of light, three years is an awful lot of time to write a regulation, and they did devote a lot of manpower to doing it. Now, with the Trump administration coming in and saying, we're not going to meet that deadline, we're going to look at May, they said we need to have more discussions with industry about this regulation. They do seem to be inclined to make some changes to it and seem to be friendlier to the industry point of view on this. But we won't know until we see anything final, which we won't see for a while, because these town halls are presumably going to be done before there's a final, final, final regulation. So that these, these will run through March and April, beginning of April, and then. And then maybe we can start thinking about what kind of, what the final regulations might look like.

A (16:58)

Well, in your reporting, you talked to some insiders who were skeptical that this is what's really needed.

B (17:05)

Yeah, there's been a lot of. There's been a lot of calls from industry for engagement. And that doesn't mean listening sessions. Right. They think that they've made their points pretty clear on this, that these, these definitional things are problems, that. That the things they don't like, they've repeatedly said them. So another session where they just give feedback isn't what some in industry are looking for. They want More details on what this regulation, what are the difficulties in implementing it? They want to know things that are more of a, like a two way dialogue about how we're going to get this done and what it's going to look like in the end. And there hasn't been, according to the people I spoke to, there hasn't been a lot of that with cisa. Obviously they're shorter staffed these days than they were. You can question whether they consider the Circea law much of a priority. Maybe they don't. Maybe it's not a huge deal for them to hear administration officials say it. It's still a very big deal to them. But I think those are the kinds of questions people have is, are they really prioritizing this?

A (18:13)

What is your sense for how things are going at CISA just in terms of morale and just in general within that organization?

B (18:23)

Not great. Yeah, yeah, it's something I'm reporting on. It's, it's something I hope to have some more stuff on soon. But, but the general, you know, while there might be some, some spots of potential optimism, there's a lot of dismay about how what CISA has become.

A (18:43)

Well, and concern that if the next round of government shutdowns come, it means what, half of their staff being furloughed?

B (18:51)

I mean, yeah, I actually was just on the phone with the chairman of the House Online Security Committee and we were talking about sort of the future of cisa. And it's a point that's been made before that government service becomes a lot less appealing if you're working without paying or if you're furloughed and you just, and if it just happens every year, it's not a real appealing thing for people who want any kind of stability in their life. You might believe in the mission of government service and you might have the training and you might have the education, you might have the drive to do that. But it does become a huge impediment to wanting to keep doing it or to want to start doing it. If you just don't know with this administration whether they're going to cut your job that week, that day at cisa, you know, we, we see stories all the time about reorganization plans and things that are shifting and moving around. It's a, it's a tough environment to work for the federal government these days. And CISA is one of those agencies that might have it a little rougher, frankly.

A (19:51)

Yeah, it's a great point. I mean, I think about, you know, folks in government positions who would say well, you know, we may not get paid as much as our colleagues in the private sector, but we have stability and you know, the thing, we have good benefits and all those sorts of things. And this is kind of taking a shot at, at that deal, at that arrangement.

B (20:14)

It really is. I mean, I'm reminded of Russell Vaught saying that their goal was to traumatize federal employees. It's not, it's not a real recruitment ad for working in the government, is it?

A (20:26)

Right, right.

B (20:28)

And you know, they want to, they want to shrink the size of government. You know, that's one of their goals. But maybe there are ways to do it that don't involve deliberately harming people.

A (20:40)

Yeah, that would be great. It's really hard to not be cynical these days. But we will do our best, Tim,

B (20:50)

you and I. I've given up. I'm going to stay simple.

A (20:55)

Well then, just me.

B (20:56)

Just me. All right.

A (20:59)

Tim Starks is senior reporter at cyberscoop. Tim, thanks so much for joining.

B (21:04)

Thanks, Dave.

A (21:19)

What's your 2am Security worry? Is it do I have the right controls in place? Maybe are my vendors secure? Or the one that really keeps you up at night? How do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data and simplifies your security at scale. And it fits right into your workflows. Using AI to streamline evidence collection, flag risks and keep your program audit ready all the time. With Vanta you get everything you need to move faster, scale confidently and finally get back to sleep. Get started@vanta.com cyber that's V A N-T A.com cyber. Maybe that's an urgent message from your CEO. Or maybe it's a deep feedback fake trying to target your business. Doppel is the AI native social engineering defense platform fighting back against impersonation and manipulation. As attackers use AI to make their tactics more sophisticated, Doppel uses it to fight back from automatically dismantling cross channel attacks to building team resilience and more. Doppel outpacing what's next in social engineering? Learn more@doppel.com that's D O P E L dot com. And finally, Poland's Ministry of Defense has decided that if a car can record you, it probably should not park next to anything classified. The ministry this week banned Chinese made vehicles and any others equipped with technology capable of recording location images or sound from entering protected military facilities. Officials are also barred from plugging work phones into infotainment systems in China built cars, citing the risk of uncontrolled acquisition and use of data. The ban is not absolute. Warsaw plans to introduce a security vetting process so manufacturers can earn clearance with carve outs for inspections and rescue missions. Poland says the move aligns with NATO practices, though enforcement could get tricky given that some European brands manufacture models in China. The decision fits a broader pattern of restricting Chinese tech over espionage concerns. In short, if your car might be listening, it can wait at the gate. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing@thecyberwire.com we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Kaltzman. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Foreign. If you only attend one cyber security conference this year, make it RSAC 2026. It's happening March 23rd through the 26th in San Francisco, bringing together the global security community for four days of expert insights, hands on learning and real innovation. I'll say this plainly, I never miss this conference. The ideas and conversations stay with me all year. Join thousands of practitioners and leaders tackling today's toughest challenges and shaping what comes next. Register today@rsaconference.com cyberwire26 I'll see you in San Francisco. Foreign. Ever wished you could rebuild your network from scratch to make it more secure, scalable and simple? Meet Meter, the company reimagining enterprise networking from the ground up. Meter builds full stack zero trust networks including hardware, firmware and software, all designed to work seamlessly together. The result? Fast, reliable and secure connectivity without the constant patching, vendor juggling or hidden costs. From wired and wireless to routing, switching, firewalls, DNS security and vpn, every layer is integrated and continuously protected in one unified platform. And since it's delivered as one predictable monthly service, you skip the heavy capital costs and endless upgrade cycles. Meter even buys back your old infrastructure to make switching effortless, transform complexity into simplicity, and give your team time to focus on what really matters, helping your business and customers thrive. Learn more and book your demo@meter.com cyberwire that's M E T E R.com cyberwire.