Plankey nomination advances as CISA says it ‘intends to release’ telecom report sought in Senate hold
The Senate Homeland Security and Governmental Affairs Committee today advanced Sean Plankey on a 9-6 vote to lead the Cybersecurity and Infrastructure Security Agency, while the DHS component made an overture toward lifting the upper chamber hold on the nomination.
Plankey was nominated to lead the DHS agency in March. CISA has been without a confirmed director since Jen Easterly left at the end of the Biden administration.
“If confirmed as the leader of CISA, I’d seek to restore CISA to its congressional authorities and focus on the missions that you, this body, tasked it with, which is securing the federal executive branch and then securing the critical infrastructure of the United States,” Plankey told senators at his confirmation hearing last week, vowing that he would steer CISA away from past work that he considers not related to the agency’s core cybersecurity mission, such as combating disinformation and foreign influence campaigns.
Plankey also said he believed administration leaders would be responsive to his requests for increased CISA funding if he felt that the downsized agency was hamstrung by a lack of resources.
The nominee expressed his support for Congress renewing the Cybersecurity Information Sharing Act of 2015 and the State and Local Cybersecurity Grant Program, which face expiration in September.
“If that was let to expire, in particular in the financial sector — who does some of the largest, the most prevalent amount of information sharing — they would experience difficulties in sharing and community protection of information security,” Plankey said of CISA 2015. “And then other industries would as well.”
In April, Sen. Ron Wyden (D-Ore.) placed a hold on Plankey’s nomination, demanding that CISA release “an important, unclassified report by independent cybersecurity experts” on telecommunications security.
On Monday, Wyden renewed that request in floor remarks, saying he had demanded the report be released to the public for the past three years. “Congress and the American people must read this report,” he said, noting that his staff viewed the report at the agency in 2023 and he doesn’t believe any other lawmakers’ offices have seen it. “It includes frankly shocking details about national security threats to our country’s phone system that require immediate action.”
“CISA’s multi-year cover up of the phone companies’ negligent cybersecurity enabled foreign hackers to perpetrate one of the most serious cases of espionage ever against our country,” the senator said. “Had this report been made public when it was first written in 2022, Congress would have had ample time to require mandatory cybersecurity standards for phone companies, in time to prevent the Salt Typhoon hacks.”
Wyden said he appealed to Easterly and then President Joe Biden to release the report, with no success.
“None of these security vulnerabilities have been addressed, either by the government or the private sector,” he said. “The federal government still does not even require U.S. phone companies to meet minimum cybersecurity standards. While it is too late to prevent the Salt Typhoon hack, there is still time to prevent the next incident.”
The Senate subsequently passed by unanimous consent Wyden’s Telecommunications Cybersecurity Transparency Act, which would require that the report be released within 30 days of enactment.
CISA said in a statement to multiple media outlets Tuesday that the agency “intends to release the U.S. Telecommunications Insecurity Report (2022) that was developed but never released under the Biden administration in 2022, with proper clearance,” CISA Director of Public Affairs Marci McCarthy said. “CISA has worked with telecommunications providers before, during, and after Salt Typhoon — sharing timely threat intelligence, providing technical support and continues to have close collaboration with our federal partners to safeguard America’s communications infrastructure.”
Wyden’s deputy policy director, Keith Chu, told The Register that the senator “intends to keep his hold in place” for now as CISA “has not told Sen. Wyden’s office when they plan to release the report, or explained what ‘proper clearance’ means.”
“There was unanimous support for releasing that report in the Senate last night, and Sen. Wyden intends to keep pushing until Americans are able to see the threats to the phone system for themselves,” Chu said.