As CISA pulls back, the government's hard-won trust with small businesses and local utilities is slipping, with potentially serious implications for national security, industry executives told Axios.

Why it matters: Small to medium-sized businesses are the backbone of the U.S. economy, and hackers know it.

• A large bank or electric grid operator may have the best security system in the world, but it doesn't matter if their third-party, smaller suppliers are vulnerable to cyberattacks.
• "You can't build a strong chain with a weak link," Henry Young, senior policy director at the Business Software Alliance, told Axios.

Threat level: Supply chain attacks have surged in recent years, with small businesses often serving as unintentional gateways.

• One such example: when ransomware groups exploited vulnerabilities in VMware Horizon software to target local governments. In that situation, the Cybersecurity and Infrastructure Security Agency was able to provide real-time alerts to exposed entities hours before the attacker started targeting them, Matthew Warner, co-founder and CEO at cybersecurity firm Blumira, told Axios.

Driving the news: Many of the employees who oversaw CISA's outreach to small businesses and critical infrastructure organizations have either taken buyouts or been laid off, according to news reports.

• And liability protections for companies sharing threat data with the federal government lapsed this month, leaving small utilities and manufacturers that don't have in-house legal teams on their own to understand how best to share such information.

The big picture: Over the last several years, CISA had expanded its regional footprint and built trust with small organizations that often lacked formal cybersecurity resources.

• The agency provides free incident response, conducts risk assessments, and helps local governments and critical manufacturers determine which new threats to prioritize.
• That support is in danger of disappearing, with few clear alternatives, said Bill Moore, CEO and founder of critical infrastructure security firm Xona.
• "It closes the options to a large degree," Moore said, noting many will have to either fly blind or spend thousands of dollars on new cybersecurity tools.

Between the lines: CISA built up trust with smaller entities over time, but that trust can evaporate when the employees who handled those relationships depart, Tony Monell, vice president of public sector at Black Kite, told Axios.

• "That institutional knowledge leaves and, as a result, it will take a lot to backfill that person," Monell said.

Reality check: CISA's outreach with small utilities and businesses was still a work in progress, executives added. But there aren't many government backstops that could fill the agency's role.

• The FBI, for example, typically focuses on law enforcement and post-breach investigations, not proactive cyber defense.
• And while sector-specific information-sharing analysis centers offer threat alerts, they don't typically provide hands-on help like incident response or penetration testing.

In a statement, Marci McCarthy, CISA's director of public affairs, said that "despite the Democrat-led shutdown, CISA continues to defend critical infrastructure, deliver actionable intelligence, and support small and medium sized businesses across the nation — even as nation-state adversaries and cyber criminals look to exploit uncertainty."

• "In the face of some legislators failing to do the job the American people have entrusted them with, CISA will continue doing ours — protecting the homeland," she added.

What to watch: Whether Sean Plankey is confirmed to lead CISA — and whether he'll bring back the agency's staff and resources for smaller organizations.

F5 warned shareholders yesterday that it expects its revenue growth to take a hit over the next two quarters as many of its customers pause or slow down their buying decisions while responding to a recent major cyberattack.

Why it matters: The comments are the first from F5 about how much the nation-state attack — which was disclosed about two weeks ago — is likely to affect the company's bottom line.

Driving the news: F5 CEO François Locoh-Donou said during the company's fourth-quarter earnings call that it is increasing its internal cybersecurity investments as it responds to the highly sophisticated hack.

• "We are disappointed that this has happened and very aware as a team and as a company of the burden that this has placed in our customers, who have had to work long hours to upgrade" affected products, Locoh-Donou told investors on the call.

Catch up quick: Bloomberg reported the attackers are likely linked to the Chinese government and had been lurking in the company's systems since 2023.

Zoom in: So far, F5 has identified and notified an unspecified number of customers who have had their data stolen as a result of the hacks, Locoh-Donou said.

• The company has also worked with thousands of customers in recent weeks to deploy security fixes with minimal operational disruptions, he added.
• F5 will enhance its bug bounty program and is working with outside firms to review the security of its code for vulnerabilities, he said.
• The company has also transitioned Michael Montoya, the company's security chief, to a new role as its chief technology operations officer to help further embed security into every aspect of the company's operations.

Yes, but: Locoh-Donou told shareholders that most affected customers have said their stolen data was not sensitive and "they're not concerned about it."

Threat level: Locoh-Donou said the company is "acutely aware" that nation-state hackers have been increasingly targeting networking security firms like F5 in recent years.

• "We are committed to learning from this incident, sharing our insights with our peers, and driving collaborative innovation to collectively strengthen the protection of critical infrastructure across the industry," he said.

The White House is pushing Congress to pass a clean, 10-year reauthorization of a program that affords liability protections to companies that share cyber threat intelligence with the federal government.

Why it matters: It's been nearly a month since the protections lapsed, leaving companies and the federal government without a complete picture of how adversaries are targeting networks.

• Lawmakers have been going back and forth on whether to extend the protections for a full decade or for just one to two years as they debate potential changes.

Driving the news: National Cyber Director Sean Cairncross said at the Meridian Summit on Friday that the White House has been pushing for a "10-year, clean reauthorization" of the Cybersecurity Information Sharing Act of 2015.

• Cairncross' statement marks the first public remarks from a White House official on the month-long debate.
• "It's important for national security," Cairncross said. "It's vital for our threat assessment and response, and we want to see it done."

Between the lines: The White House's stance lines up with that of Sen. Gary Peters (D-Mich.), ranking member of the Senate Homeland Security Committee, whose bipartisan bill calls for a clean, 10-year reauthorization.

• Sen. Rand Paul (R-Ky.), chair of the committee, has been pushing for massive changes to the program and a two-year renewal.
• House Homeland Security Chair Andrew Garbarino (R-N.Y.) has also been pushing for a short-term renewal to continue negotiations.

What to watch: Paul told Punchbowl News last week he plans to block any attempt by Senate leaders to send a clean reauthorization bill to the floor without his consent.

OpenAI's new browser, Atlas, is triggering fresh privacy and security alarms — and no one's quite sure how to navigate them.

Why it matters: Browsers are the gateway to the internet, and they're known to gobble up some of users' most sensitive information, like their passwords and credit card information.

Between the lines: Unlike traditional browsers, Atlas also builds "memories" from searches that could help the browser deduce if someone is planning a trip, needs to reorder house supplies that week, or should look up recipes at a specific time.

• The ChatGPT agent is also able to autonomously complete tasks on websites at a user's request and runs queries through ChatGPT rather than Google.

What they're saying: "The browser wars aren't about tabs and search anymore," Steve Wilson, founder and co-chair of the OWASP Gen AI Security Project and chief AI officer at cybersecurity company Exabeam, told Axios.

• "They're about whether we can keep our new digital co-workers from going rogue."

Zoom in: The list of novel security and privacy threats is growing as experts dig into Atlas' capabilities.

• Lena Cohen, a staff technologist at the Electronic Frontier Foundation, told the Washington Post that in her testing, Atlas memorized queries about "sexual and reproductive health services via Planned Parenthood Direct" — and even the name of a real doctor. (Such searches have been used to prosecute people in states where abortion access is restricted.)
• Researchers at SquareX said Thursday that they were able to trick Atlas into visiting a malicious site disguised as the Binance login page.

Reality check: OpenAI says Atlas is not supposed to retain sensitive information such as government IDs, banking details, passwords, addresses, medical records and financial data.

Read the rest.

@ D.C.

🌐 72 countries signed the United Nations' first cybercrime agreement despite pushback from human rights organizations and privacy advocates. (The Register)

📦 Shutdown-related layoffs have hit nearly all 95 employees in CISA's Stakeholder Engagement Division, leaving just the employees who coordinate the agency's sector risk management work. (Cybersecurity Dive)

⚠️ A highly anticipated annual report from a group of influential cyber policy minds warned for the first time that the U.S. government has gone backward on improving its cybersecurity posture. (CyberScoop)

@ Industry

🤖 Palo Alto Networks unveiled new AI agents on its platform that can autonomously investigate and resolve cybersecurity issues. (CNBC)

👀 Meta laid off more than 100 people in its risk review organization, which largely oversees any user privacy risks with the company's products. (New York Times)

🧾 Employees are increasingly using AI tools to create fake receipts in their expense reports. (Financial Times)

@ Hackers and hacks

👨🏻‍⚖️ A director at L3Harris Technologies, which sells computer vulnerabilities, has been charged with stealing trade secrets with the intention of selling them to a Russia-based buyer. (Bloomberg)

🇰🇵 North Korean hackers compromised three European defense companies using fake job recruitment lures, according to researchers at ESET. (BleepingComputer)

🇨🇳 The Universe Browser, a browser that promises to "avoid privacy leaks," has been routing all of its internet traffic through servers in China. (Wired)

📰 Spotted on campus at UC Berkeley last week: A front-page story in the student newspaper about a recent breach at California's flagship university.

• 💪🏻 Check out the full story here — and remember to support local student journalists!