Government threat-sharing endangered amid major cyberattack

Illustration: Sarah Grillo/Axios
As companies scramble to respond to a major nation-state cyberattack, the top U.S. cybersecurity agency's threat-sharing apparatus has gone silent, industry sources told Axios.
Why it matters: This is the first major test of how prepared the recently shrunken Cybersecurity and Infrastructure Security Agency is to respond to a possible government breach.
- Some key information-sharing protocols have looked different or gone dark in the last week, an industry source familiar with the matter told Axios.
- So far, it's unclear if the silence is due to the government shutdown or post-layoff restructuring.
Driving the news: F5, a major U.S. tech vendor, said last week it was actively investigating a nation-state breach into its BIG-IP product suite and had patched a vulnerability that hackers used to break in.
- As of Thursday, more than 600,000 F5 devices were vulnerable to potential intrusions, according to Palo Alto Networks.
- Bloomberg reports that suspected Chinese hackers likely had access to F5's systems from late 2023 until they were discovered in August.
- F5 counts more than 80% of the Fortune Global 500 and several government agencies as customers.
The big picture: CISA's capacity is shrinking along with its headcount.
- The agency said in an email sent to employees and obtained by Axios that it's restructuring its Stakeholder Engagement Division, which oversees partnerships with the private sector, as part of shutdown-related layoffs. The agency will hold a town hall Thursday for employees in the division, per the email.
- The industry source, who requested anonymity to speak freely, told Axios they haven't received any new information-sharing emails from the division since the government shutdown began.
- After such incidents in the past, the division sent regular updates and hosted calls with top officials.
What they're saying: "The communications functions that this division provides are a nonnegotiable national security mechanism, arming defenders with the information needed to protect our energy grid, water systems, hospitals and banks from cyberattacks," Robert Huber, chief security officer at Tenable, told Axios.
- Huber added that this information is just as important as the intelligence analysis CISA also provides.
- Bob Kolasky, a former CISA official and senior vice president of critical infrastructure at Exiger, noted that CISA's Stakeholder Engagement Division heads up threat coordination for eight of the 16 critical infrastructure sectors.
Yes, but: By all accounts, F5 appears to be distributing that critical information to customers and other critical infrastructure organizations, the industry source said.
- Nick Andersen, the top cyber official at CISA, told reporters last week that the agency was hosting coordinating calls with state and local government organizations, as well as other federal agencies that work with critical infrastructure operators.
- A CISA spokesperson did not respond to a request for comment.
State of play: Kolasky said that, for now, his company has all the information it needs to respond to the F5 breach and that restructuring the division doesn't mean government threat information sharing will completely halt.
- But there has been a lack of consistency in how public-private partnerships have been moving, he added.
- "What I hope is happening is when there's actionable information, it's getting in the hands of critical infrastructure owners and operators," Kolasky said. "It's essential to national security that there's a consistent process for doing that."
Friction point: While CISA is pulling back, companies are also growing more nervous about sharing threat information with the federal government after decade-old liability protections lapsed this month.
- "You're adding more friction to that," Heather Kuhn, senior privacy counsel at BigID, told Axios. "It makes companies more hesitant, it's probably going to inject legal teams into the middle of that conversation because they need to protect themselves."
What to watch: Whether CISA's outreach bounces back at all after the shutdown is over.
Go deeper: Congress puts up last-minute roadblocks for cyber threat info-sharing
