H.R. 5079
119th Congress, Sep 3rd 2025
Widespread Information Management for the Welfare of Infrastructure and Government Act
AWAITING HOUSE

This bill reauthorizes and updates the Cybersecurity Act of 2015 to enhance information sharing, clarify definitions including AI, and improve outreach regarding critical infrastructure protection.

Andrew Garbarino, Representative (R, NY-2)

Cybersecurity Overhaul Adds AI Definitions, Extends Government Authority Until 2035

The Widespread Information Management for the Welfare of Infrastructure and Government Act (WIMWIG Act) is essentially a major tune-up for the decade-old Cybersecurity Act of 2015. Think of it like taking your classic car into the shop to get a modern engine and a software update. The core purpose is to drag the government’s cybersecurity playbook into the age of Artificial Intelligence and increasingly complex threats, specifically targeting the systems that keep the lights on and the water running.

The AI Upgrade and the Definition Game

This bill explicitly updates the law to include definitions for "Artificial intelligence" and clarifies what counts as "Critical infrastructure" and which government agencies are the "Sector Risk Management Agenc[ies]." This isn't just bureaucratic paperwork; it means the federal government can now officially develop cybersecurity guidance that accounts for AI risks and, critically, use AI itself for developing that guidance and conducting technical assessments. This is a double-edged sword: it means better, faster threat detection, but it also raises questions about the transparency and potential bias of the AI tools the government is relying on for its security recommendations.

Critical Infrastructure Gets a Read-In

One of the biggest real-world changes is how information flows. Agencies are now required to constantly "update" their policies, not just issue them once. More importantly, they must provide one-time "read-ins" (briefings) to specific people identified by critical infrastructure owners, such as the operators of the power grid or water treatment plants, if it "seems appropriate." This is designed to get actionable threat information into the hands of the people who can use it immediately. However, the phrase "seems appropriate" gives the government significant discretion over who gets the sensitive security briefing. For the average person, this is about ensuring the systems you rely on are protected, but it hinges on whether the right people are deemed worthy of receiving the crucial intelligence.

Outreach for the Little Guys

Recognizing that not every utility company has a massive IT department, the bill mandates a new, continuous outreach plan from the Secretary of Homeland Security. This plan specifically targets small or rural critical infrastructure owners who often lack dedicated cybersecurity staff. This is a huge win for smaller towns and cooperatives. The goal is to teach them how to share threat indicators, understand the benefits of real-time sharing, and know the legal protections they get when they participate. If you live in a rural area, this provision means the local water authority or electric co-op is now getting targeted help to fend off sophisticated attacks, which directly translates to more reliable services for you.

The Long Sunset: Extending Authority to 2035

While much of the bill focuses on modernization, a key provision quietly extends the sunset date for certain parts of the 2015 Act (specifically Section 111) from 2025 to 2035. A sunset clause means a law or provision automatically expires unless Congress acts. By pushing this date back a full decade, the bill effectively extends certain government authorities and reporting requirements without requiring a detailed review until much later. For a public that relies on regular legislative oversight, extending these provisions for ten years is a significant move that reduces accountability in the near term.

Expanding the Definition of Risk

Finally, the bill broadens what counts as a security risk. It expands the definition of a "security vulnerability" to explicitly include risks in the technology supply chain, like those found in AI components. It also updates the definition of "operational technology" to specifically mention modern industrial control systems, edge devices, and Internet of Things (IoT) devices impacted by ransomware. This means the government is finally catching up to the fact that ransomware isn't just hitting laptops; it's targeting the smart devices and industrial systems that run our physical world. This clarity is vital for ensuring that protective measures cover the full scope of modern cyber threats.