Axios Future of Cybersecurity

September 16, 2025
Happy Tuesday! Welcome back to Future of Cybersecurity.
📺 Happening tomorrow: Tune in here starting at 2pm ET to Axios' AI+ DC Summit happening live from the nation's capital to hear convos with Sen. Mark Kelly (D-Ariz.), Sen. Ted Cruz (R-Texas), Scale AI CEO Jason Droege, Anthropic CEO and co-founder Dario Amodei, AMD chair and CEO Lisa Su, and more.
Today's newsletter is 1,548 words, a 6-minute read.
1 big thing: Congress' last-minute roadblocks for information sharing
All eyes are on the government's short-term federal funding deal as efforts to renew a decade-old cyber threat information-sharing program have hit major roadblocks.
Why it matters: The law underpins cyber threat coordination between the federal government and the private sector by providing liability protections for companies sharing threat intelligence with the government.
- Lawmakers and cybersecurity companies fear a last-minute legislative push to completely overhaul the program will delay reauthorization and cause it to expire on Sept. 30.
Driving the news: Senate Homeland Security Chair Rand Paul (R-Ky.) is drafting a bill that would renew the Cybersecurity Information Sharing Act of 2015 for two years. The bill is slated for consideration in the committee on Thursday.
- According to draft language first reported by Politico and also obtained by Axios, the bill would remove liability protections for companies if their security incidents are found to have violated their own user agreements and privacy policies.
- The draft also removes the explicit protections that exempt shared threat intelligence from FOIA laws.
- Companies would also be required to notify customers within 30 days if their personal data was included in these shared threat indicators.
State of play: With exactly two weeks until the law expires, Paul has yet to formally introduce his bill. His office did not respond to a request for comment.
Zoom in: Industry stakeholders are in an uproar over the last-minute changes — especially after House Republicans and a bipartisan pair of senators already introduced bills that would renew the program with few changes.
- Paul's "edits just show a complete misunderstanding of the basic principle of information sharing," one industry source, who requested anonymity to speak freely about their complaints, told Axios.
- Another industry source, granted anonymity for similar reasons, told Axios that Paul's office had yet to show Senate Republican leadership, or other committee members, a full bill as of last week.
- Senate Majority Leader John Thune's office did not respond to a request for comment.
The big picture: Industry stakeholders and many lawmakers were pushing for a clean reauthorization of the program.
- Their argument is that the government has limited visibility into private networks on its own, and companies are reticent to share details about what hackers are targeting if they face potential lawsuits or regulatory investigations.
- Nick Andersen, the new top cyber official at the Cybersecurity and Infrastructure Security Agency (CISA), called the program a "fantastic authority" that underpins the agency's ability to collect threat intelligence from the private sector in remarks Thursday at the Billington CyberSecurity Summit in D.C.
Between the lines: Paul has been highly critical of the agency and even called for its elimination last year.
- The two industry sources told Axios they believe the senator's draft seems to be about his concerns with the agency — not the information-sharing law that shares the same acronym.
The intrigue: The draft, which is believed to be just part of a longer bill, includes sections that also look to rein in the Department of Homeland Security's foreign disinformation work. It calls for:
- Banning federal employees from taking "any action" to censor protected speech, including by labeling it disinformation or false.
- Officially terminating the Disinformation Governance Board, a Biden-era DHS entity that was short-lived and much-loathed by Republicans.
- Banning agencies from awarding grants "related to programming on misinformation or disinformation."
What they're saying: House Homeland Security Chair Andrew Garbarino (R-N.Y.) said in a statement that the "voluntary exchange of information between the private and public sectors under CISA 2015 has been successful largely due to the liability, privacy, and civil liberties protections this statute provides."
- Sen. Gary Peters (D-Mich.), ranking member of the homeland security committee, criticized Paul's revisions, saying the law "has a proven track record of success from the last 10 years, and if it's allowed to expire, we will lose a cornerstone of national cybersecurity strategy that will leave us vulnerable to security breaches."
- An aide in the Senate Homeland Security Committee said Peters is continuing to talk with Paul to get a bipartisan, bicameral agreement.
What to watch: The White House has included a clean reauthorization of the program in the upcoming short-term federal funding deal.
- The hitch: Many lawmakers are calling for a "clean" deal, and it's unclear if anomalies like reauthorizing the CISA program will qualify for inclusion.
2. Ransomware prompts Texas school closures
School's out of session in a Texas school district this week after a ransomware attack knocked some of its systems offline.
Why it matters: School cancellations due to cyberattacks have become more common, but rarely for nearly an entire week.
State of play: The Uvalde Consolidated Independent School District — 80 miles west of San Antonio — canceled classes this week as it investigates a ransomware attack.
- The attack has "severely" affected the district systems that control the phones, AC controls, camera monitoring, visitor management and more, according to a Facebook post on Saturday.
- The school district originally said classes were canceled through Thursday, but subsequent Facebook posts suggested the closures may last the whole week. A spokesperson was not immediately available to clarify.
What they're saying: "A comprehensive investigation is underway to uncover the source of the malware and assess whether any sensitive information has been compromised," Anne Marie Espinoza, chief of communications and human capital officer for the school district, said in the post. "Completing these investigations is essential before we can start recovering our systems."
- The school district has enlisted the help of the FBI, its cyber insurance provider and other agencies to investigate the attack.
- The FBI said in an email to Axios that it's aware of the incident and is assisting local law enforcement.
Between the lines: School closures are becoming an increasingly common part of ransomware recovery for school districts — especially at the start of a new academic year.
- Last September, Highline Public Schools outside of Seattle canceled classes due to a cyberattack.
What to watch: The scope of the attack appears to be broad so far, but investigators should have more details soon as they start to kick the hackers out of their networks.
- The ransomware gang behind the attack will likely reveal itself in the coming weeks on the dark web if the school doesn't pay a ransom.
3. Hackers leak New Orleans ransomware data
The Qilin ransomware gang is officially selling data stolen during an attack earlier this month on the Orleans Parish Sheriff's Office, according to a dark web listing seen by Axios.
Why it matters: Gangs dump the stolen data online whenever a victim doesn't pay the ransom — and Qilin's move also threatens to put confidential business and citizen information at risk.
Threat level: Compared to other ransomware attacks, the data that Qilin is touting from the New Orleans sheriff's office isn't that detrimental.
- Screenshots suggest the hackers stole confidentiality agreements signed by contractors, public police reports, private bank statements, and a letter about an ongoing financial audit.
- The sheriff's office did not respond to a request for comment.
Yes, but: The hackers are claiming they stole 842 gigabytes of information, and it's unclear what else is in the stolen trove.
Catch up quick: The sheriff's office has been responding since Sept. 4 to a ransomware attack on its networks, which knocked the city's online court docket system offline for days.
- Hackers also disrupted systems that handle bond transactions, jail releases, and communications with law enforcement partners.
💭 Thought bubble from Axios New Orleans reporter Carlie Wells: This is the latest black eye for Sheriff Susan Hutson, who is up for reelection this fall and behind in the polls.
- She's been under intense scrutiny since 10 inmates escaped from the jail she oversees. One is still on the run more than three months later.
The big picture: Qilin is a popular ransomware-as-a-service group that leases out its file-encrypting, data-stealing malware to freelance hackers who carry out their own attacks.
4. Catch up quick
@ D.C.
👀 A top CISA official said the agency is firmly committed to supporting and enhancing the Common Vulnerabilities and Exposures (CVE) program, which nearly lost funding and shut down earlier this year. (Cybersecurity Dive)
📲 President Trump suggested that the U.S. and China had reached a deal on the sale of TikTok and that the plan would be hashed out during a meeting with Chinese leader Xi Jinping on Friday. (Axios)
💸 A DHS watchdog says the department failed to effectively implement a retention incentive program for cyber talent and improperly allocated funds for the program. (FedScoop)
@ Industry
🧳 The chief digital and technology officer at Marks & Spencer is stepping down months after a crippling cyberattack. (Reuters)
📈 U.S.-based entities are now the biggest investors in commercial spyware after a sharp rise in investments last year, according to a new Atlantic Council report. (Wired)
💰 Cloud cybersecurity provider Netskope increased the target price for its U.S. IPO to $17-$19 per share and is now aiming to raise as much as $908.2 million in its offering. (Axios Pro)
@ Hackers and hacks
🛍️ Ransomware hackers stole the private details of possibly millions of customers of Balenciaga, Gucci and Alexander McQueen in a recent attack. (BBC)
🤖 North Korean hackers used ChatGPT to forge a South Korean military ID document to make a phishing attempt appear more believable. (Bloomberg)
5. 1 fun thing
🍃 Enjoy these outdoor moments of zen from the weekend!
☀️ See y'all next week!
Thanks to Dave Lawler for editing and Khalid Adad for copy editing this newsletter.





