The White House moved to restart an urgent stalled priority by renominating well-regarded Coast Guard and Energy Department cyber veteran Sean Plankey as CISA director. Experts say the step offers some relief but does not go far enough to resolve the broader congressional inaction still straining the nation’s cyber defenses.
Some have faulted the White House for a lack of engagement in cyber issues and their advancement through Congress, while others say congressional dysfunction is the larger problem. Referring to the Trump administration’s broader approach to cyber policy, Jim Lewis, SVP and director of the technology and public policy program at the Center for Strategic and International Studies (CSIS), tells CSO, “Cyber isn’t a priority for these guys.”
But Ari Schwartz, managing director of cybersecurity services at Venable, views Congress as the greater culprit. “It is very difficult to get bills passed in Congress, and it turns out it’s very difficult to get some of these nominees through as well, even when they have bipartisan support. That signals we cannot get stuff done and is extremely problematic,” he tells CSO.
Problems stemming from inaction across these areas could begin to emerge as soon as next month and compound thereafter if no further action is taken. Some experts are hopeful Congress or the administration will step in to address the lapses, although they warn solutions will not emerge quickly.
CISA leadership: Swift confirmation needed to limit damage
The end of the year for Congress on Dec. 31 allowed the nomination of Plankey to lapse, requiring a new nomination process. Experts say the longer Plankey waits for confirmation, the more adrift CISA and US cyber policy will be.
Amid budget cuts driven by Elon Musk’s Department of Government Efficiency, which sharply reduced CISA’s staffing and institutional capacity, the ongoing lack of leadership at CISA accelerated the loss of invaluable expertise and created a three-level cybersecurity failure — internal, domestic, and international — for the US, according to Megan Stifel, chief strategy officer at the Institute for Security and Technology.
“Not having confirmed leadership undermines CISA’s ability to meet its statutory obligations,” Stifel tells CSO. She adds that the lack of confirmed leadership complicates interagency coordination and weakens US credibility on critical infrastructure security abroad.
Even with Plankey’s renomination, the damage caused by the prolonged leadership vacuum at the agency will still take time to rectify, according to CSIS’s Lewis. “They already hollowed out CISA, right? One CISA person who just left the agency told me that 40% of the career staff was gone. There’s not going to be a team to hand off to. They’ll need to do a lot of rebuilding.”
For the chairman of the House Homeland Security Committee, Andrew Garbarino (R-NY), Plankey’s renomination came none too soon. Speaking at an event hosted by the McCrary Institute on Dec. 16, Garbarino said he was disappointed that Plankey’s nomination had languished but that he would be confirmed “hopefully soon.”
Confirmation holds on both sides of the aisle in the Senate played a significant part in the failure to confirm Plankey. Sen. Rick Scott (R-FL) blocked Plankey’s nomination due to a Coast Guard issue. At the same time, Sen. Ron Wyden (D-OR) held up Plankey’s nomination to force CISA to release an unclassified report on telephone network security.
CISA promised in July that it would release the report, but has yet to do so. Keith Chu, a spokesperson for Wyden, tells CSO the senator will continue to object to confirming any CISA director until the telecommunications security report is released.
CISA 2015 reauthorization: Likely, but late and suboptimal
A major cybersecurity bill called the Cybersecurity Information Sharing Act of 2015 (CISA 2015), which expired on Sept. 30, was temporarily revived on Nov. 13 and given a two-month lease on life through Jan. 30, 2026. The law provides critical legal liability protections that enable cyber threat information sharing among organizations and the federal government.
The short-term extension seemed to ensure a longer-term renewal of the legislation, as lawmakers, the administration, and industry broadly agree that failure to extend the legal liability protection under CISA 2015 is unacceptable.
“It’s very important,” US Representative Garbarino said at the McCrary event. “It is imperative that it gets passed, and it gets extended. I don’t know how it gets done on its own. I feel like we have to attach it to another must-pass piece as legislation, whether that’s government funding, but we need it passed.”
In an emailed statement, CISA Director of Public Affairs Marci McCarthy tells CSO, “Reauthorizing the Cybersecurity Information Sharing Act of 2015 is vital to sustaining this progress — enabling industry and government to share information, respond to incidents, and mitigate cyber risks with speed and precision.”
White House National Cyber Director Sean Cairncross has said, “I just want to be abundantly clear that we are for, and the White House is for, a 10-year clean reauthorization of CISA 2015.”
With this tight level of agreement and support, odds are good that Congress will eventually reauthorize the legislation, although it is likely to be less than the 10-year renewal period advocates of the bill’s reauthorization seek.
“Our colleagues in the Senate have different ideas,” Garbarino said. “Some of them want to do a 10-year clean reauthorization. I don’t know if I can get that passed in the House with concerns from the Freedom Caucus chairman,” Andy Harris (R-MD), who has urged a go-slow approach to CISA 2015.
Even if Garbarino gets CISA 2015 through the House, some experts say a clean reauthorization would likely still be opposed by Senate Homeland Security Committee Chair Rand Paul (R-KY), who blocked the Senate from passing a bill to extend the law.
State and local cyber grants: Effectively dead for now
A murky picture emerges for another piece of unfinished business in Congress: a state and local cybersecurity grant program (SLCGP) administered by CISA. Most of the remaining funds in the $1 billion program were hollowed out via Elon Musk’s Department of Government Efficiency in early 2025.
In November, the House of Representatives passed the PILLAR Act, which extended the program until 2033, but did not specifically allocate a dollar amount for future grants. Chairman Garbarino thinks there’s a good chance that the SLCGP could get funded.
“I have a great partner on appropriations, Chairman Amodei,” he said at the McCrary event, referring to Mark Amodei (R-NV), who is Chairman of the House Appropriations Homeland Security Subcommittee. “We’re trying to find a vehicle to attach it to and get it done.”
Some experienced Washington hands, such as CSIS’s Lewis, are skeptical. “I don’t think they’re [the state and local grants] ever coming back,” he tells CSO.
When will Washington move forward?
It’s unclear whether or when the remaining unresolved issues might move forward.
“I think the Congress is probably going to do the right thing, but it will take longer because you don’t have executive branch leadership,” Lewis says. “Then they still have to [understand where] the White House is coming from, which is no money, no new authorities, and smaller agencies, before they can get anything in place. If we’re lucky, we’ll see it before the summer break, but it’s going to be a slow process.”
It is also possible that an upcoming White House cybersecurity strategy might touch on some of these programs.
Some experts say the bipartisan nature of cybersecurity gives them hope. “Cybersecurity and, particularly, protecting critical infrastructure and defending US networks, remain a bipartisan issue,” Schwartz says. “That makes me feel better about the possibility of getting to a point where we are moving forward again.”
No Responses