Press Releases
WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence and author of the bipartisan law to invest in domestic semiconductor manufacturing, released the following statement on the Trump administration’s announcement that it would allow American chipmaker Nvidia to send H200 chips to China:
“American companies must remain the undisputed leader in AI hardware because our strategic competition with China on AI will boil down to whose ecosystem drives adoption and innovation globally, as NVIDIA has acknowledged. Unfortunately, the Trump administration’s haphazard and transactional approach to export policy demonstrates that it does not have any sort of coherent strategy for how we will compete with China, specifically as it relates to whose chips, tools, cloud infrastructure, and ecosystem will influence the most AI developers worldwide. I fear that with no strategic vision for that broader competition across multiple key dimensions of AI innovation, this administration risks squandering U.S. AI leadership and deferring to the People’s Republic of China up and down the AI stack.”
###
* High-quality photographs of Sen. Mark R. Warner are available for download here *
Photos may be used online and in print, and can be attributed to ‘The Office of Sen. Mark R. Warner’
Warner and Colleagues Reintroduce Legislation to Strengthen Cybersecurity in Health Care
Dec 04 2025
WASHINGTON – Today, U.S. Sens. Mark Warner (D-VA), Bill Cassidy, M.D. (R-LA), Maggie Hassan (D-NH), and John Cornyn (R-TX) reintroduced the Health Care Cybersecurity and Resilience Act to protect Americans’ health data by strengthening cybersecurity. This legislation is a product of the senators’ bipartisan health care cybersecurity working group launched in 2023.
“Cyberattacks on our health care organizations threaten the sensitive information of millions of Americans and can have life-or-death consequences on the care patients receive,” said Sen. Warner. “I’m glad to join my colleagues in introducing this bill to strengthen our cybersecurity, protect patients, and provide additional tools for rural health care providers in Virginia.”
“Cyberattacks on our health care sector not only put patients’ sensitive health data at risk but can delay life-saving care,” said Dr. Cassidy. “This bipartisan legislation ensures health institutions can safeguard Americans’ health data against increasing cyber threats.”
“Cyberattacks in the health care sector can have a wide range of devastating consequences, from exposing private medical information to disrupting care in ERs – and it can be particularly difficult for medical providers in rural communities with fewer resources to prevent and respond to these attacks,” said Sen. Hassan. “Our bipartisan working group came together to develop this legislation based on the most pressing needs for medical providers and patients, and I urge my colleagues to support it.”
“Patients deserve absolute confidence that their sensitive medical data stored online is protected and shielded from cybersecurity breaches or ransomware attacks,” said Sen. Cornyn. “This legislation would strengthen interagency coordination and improve security practices for rural providers, ensuring Texans’ health care is not delayed or compromised by cyberattacks.”
The Health Care Cybersecurity and Resiliency Act of 2025:
- Strengthens cybersecurity in the health care sector by providing grants to health entities to improve cyberattack prevention and response.
- Provides training to health entities on cybersecurity best practices.
- Supports rural communities by providing best practices to rural health clinics and other providers on cybersecurity breach prevention, resilience, and coordination with federal agencies.
- Improves coordination between the Department of Health and Human Services (HHS) and Cybersecurity and Infrastructure Security Agency (CISA) to better respond to cyberattacks in the health care sector.
- Modernizes current regulations so entities covered under the Health Insurance Portability and Accountability Act (HIPAA) use the best cybersecurity practices.
- Requires the HHS Secretary to develop and implement a cybersecurity incident response plan.
Click here for full bill text.
BACKGROUND
Health records are more valuable on the black market than other personal records, such as credit card numbers, because health conditions are permanent and the records, unlike a card number, cannot be reissued.
There were more than 730 cyber breaches last year, affecting over 270 million Americans. This includes the attack on Change Healthcare, the largest health care cybersecurity incident in history. This attack exposed the data of over 190 million people, leading to significant delays in care and electronic prescribing.
WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence and co-founder of the Senate Cybersecurity Caucus, released the following statement after the Federal Communications Commission (FCC) voted to roll back cybersecurity regulations put in place following Salt Typhoon, the worst telecommunications cyberattack in our nation’s history:
“In the aftermath of the worst telecommunications compromise in our nation’s history, today’s vote by the FCC walks back yet another effort to set meaningful, enforceable cybersecurity standards for America’s communications backbone, after congressional Republicans overturned cybersecurity rules set by the FCC in 2017.
“The Salt Typhoon intrusion made clear that existing voluntary measures alone have not been sufficient to prevent sophisticated, state-sponsored actors from gaining long-term, covert access to critical networks. While collaboration with industry is essential, it must be paired with clear, enforceable expectations that reflect the scale of the threat.
“I am concerned that abandoning an enforceable, standards-based approach in favor of undefined ‘flexible’ solutions leaves us without a credible plan to address the gaps exposed by Salt Typhoon, including basic failures like credential reuse and the absence of multi-factor authentication for highly privileged accounts.
“Congress, the administration, and the FCC should be moving toward greater transparency and stronger protections, not less. I will continue pressing for a comprehensive national strategy to ensure that our telecommunications infrastructure is resilient against the kinds of intrusions we know are not hypothetical, but ongoing.”
###
Warner Responds to Partisan Attack on CISA
Sep 29 2025
U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence and Co-Chair of the Senate Cybersecurity Caucus, issued the following statement in response to a partisan report from the Senate Commerce Committee attacking the Cybersecurity and Infrastructure Security Agency (CISA):
“This new report is a cynical effort to distract from the Trump administration's ongoing unconstitutional efforts to intimidate broadcasters, social media platforms, and everyday Americans. Biden officials’ good faith efforts to tip social media platforms to foreign influence campaigns targeting our election and COVID response have no parallel in the sustained and coercive efforts of Donald Trump, JD Vance, and Brendan Carr to devastate our nation's history of independent media and free debate.”
###
Warner, Padilla Demand Urgent Briefing on Foreign Election Threats From Gabbard After Intelligence Rollback
Sep 15 2025
WASHINGTON — Today, U.S. Sens. Mark Warner (D-VA), Vice Chairman of the Senate Intelligence Committee, and Alex Padilla (D-CA), Ranking Member of the Senate Committee on Rules and Administration, wrote Director of National Intelligence Tulsi Gabbard regarding concerns that she may have directed the Intelligence Community (IC) to cease disclosing attempted foreign interference in U.S. elections and requested she provide an urgent briefing on foreign election threats. The Senators also demanded Gabbard clarify her comments made about alleged “evidence” of vulnerabilities to electronic voting systems and manipulation of election results, which has not been substantiated.
As the country approaches the 2026 federal midterm elections, the Senators highlighted the importance of protecting the United States from foreign influence, including cyber threats. Warner and Padilla pushed Gabbard and the Office of the Director of National Intelligence (ODNI) to coordinate an IC briefing on these threats by October 10th, and requested a plan for defensive cybersecurity measures ahead of the 2025 and 2026 election cycles.
This year, Gabbard has made harmful and unsubstantiated statements about voting system vulnerabilities as the Trump Administration has dismantled election security efforts at the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation, and curtailed the Congressionally authorized Foreign Malign Influence Center at ODNI. At a cabinet meeting in April, Gabbard claimed that she has “evidence” about voting manipulation in electronic voting machines, and on a right-wing podcast in July, she said that her office has evidence of voting machine vulnerabilities that it had not disclosed to the American public or Congress.
“As your testimony before the Senate Select Committee on Intelligence in March made clear, foreign adversaries continue to conduct influence activities to undermine public confidence in our election system and potentially even shape election outcomes,” wrote the senators. “While you have chosen not to release a declassified version of the Intelligence Community Assessment for the 2024 U.S. Elections, the final Election Security Update ahead of Election Day noted that ‘Foreign actors – particularly Russia, Iran, and China – remain intent on’ pursuing efforts to undermine public confidence in our democratic system, including inciting violence among Americans. We are concerned that you may have directed the Intelligence Community (IC) to cease its intelligence reporting on this vital topic.”
“Given sustained efforts by the current Administration to dismantle CISA’s election security mission, including discontinuing funding to the critically important Elections Infrastructure Information Sharing and Analysis Center, over the bipartisan objections of Secretaries of State, your cyber vulnerability claims are puzzling and elicit justified skepticism, as well as concerns of politicization,” continued the senators. “Since taking office, the Administration paused CISA’s election security work, fired election security staff, and staff are reportedly afraid to work with state and local election officials and vendors for fear of retribution.”
Full text of the letter is available here and below:
Director Gabbard:
For the better part of the last decade, the Senate Rules Committee and Senate Select Committee on Intelligence have led efforts to educate the United States Senate, and the American public, about foreign threats to our elections. As your testimony before the Senate Select Committee on Intelligence in March made clear, foreign adversaries continue to conduct influence activities to undermine public confidence in our election system and potentially even shape election outcomes. While you have chosen not to release a declassified version of the Intelligence Community Assessment for the 2024 U.S. Elections, the final Election Security Update ahead of Election Day noted that “Foreign actors – particularly Russia, Iran, and China – remain intent on” pursuing efforts to undermine public confidence in our democratic system, including inciting violence among Americans. We are concerned that you may have directed the Intelligence Community (IC) to cease its intelligence reporting on this vital topic.
As the election cycle for the 2026 federal mid-term elections gets underway, and multiple state contests have already begun, we write to request that the Office of the Director of National Intelligence (ODNI) coordinate an IC briefing for Senators on foreign election threats, including efforts to influence election outcomes through influence or cyber-enabled means. As part of that briefing, ODNI and the IC should also update the Senate on the status of planned defensive steps to ensure the cybersecurity of several state-wide elections in November 2025 and the mid-term elections in 2026.
In addition to an intelligence briefing on these threats, we invite you to clarify public statements that you have made about voting system security, which have generated significant confusion against the backdrop of efforts to dismantle key election security initiatives and programs at the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation, and at the Foreign Malign Influence Center at ODNI. Specifically, at a cabinet meeting with the President on April 10, 2025, you stated that ODNI was “investigating” the issue of “election integrity”:
“We have evidence of how these electronic voting systems have been vulnerable to hackers for a very long time and vulnerable to exploitation to manipulate the results of the votes being cast […].”
On July 31, 2025, you appeared on a partisan political podcast and repeated these claims, citing alleged information from CISA:
“[A] whistleblower who came forward who was working under CISA at that time which is responsible for critical infrastructure and trying to protect against cyber vulnerability and critical infrastructure, including of course the integrity of our elections. And what was interesting was seeing how this whistleblower brought forward information that CISA at the time – the federal government – was aware of vulnerabilities in our election machines but they chose not to disclose that information to the American people or administration at that time. […] We’re continuing to investigate this […].”
Given sustained efforts by the current Administration to dismantle CISA’s election security mission, including discontinuing funding to the critically important Elections Infrastructure Information Sharing and Analysis Center, over the bipartisan objections of Secretaries of State, your cyber vulnerability claims are puzzling and elicit justified skepticism, as well as concerns of politicization. Since taking office, the Administration paused CISA’s election security work, fired election security staff, and staff are reportedly afraid to work with state and local election officials and vendors for fear of retribution. In June, the Administration proposed to cut CISA’s Fiscal Year 2026 budget by $495 million and reduce its workforce by 30%. To date, CISA has failed to disclose its assessment of its election security work or its plans to secure future elections to Congress or the American people. According to public reports, you have also initiated a review of work of the Congressionally-authorized Foreign Malign Influence Center.
With significant elections occurring less than 60 days away, we ask that ODNI coordinate an IC briefing before October 10.
Sincerely,
Warner, Colleagues Call on DHS to Prioritize Cybersecurity, Reestablish Cyber Safety Review Board
May 30 2025
WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence, joined by U.S. Sens. Ron Wyden (D-OR), a member of the Senate Select Committee on Intelligence, and Richard Blumenthal (D-CT) and Elissa Slotkin (D-MI), both members of the Senate Committee on Homeland Security & Governmental Affairs, wrote to Department of Homeland Security Secretary Kristi Noem urging her to reestablish the Cyber Safety Review Board (CSRB) after the Trump administration dismissed members earlier this year.
The CSRB, established in 2022 under President Biden, convenes cybersecurity experts from across multiple government agencies and the private sector to investigate serious cybersecurity breaches and make recommendations for businesses, government agencies, and individuals to better protect themselves. In January of this year, the board was disbanded.
The senators wrote, “The CSRB played a vital role in U.S. national security carrying out post-incident reviews and providing information and making recommendations to improve public and private sector cyber security. Therefore, we urge you to swiftly reconstitute the Board with qualified leaders to shape our nation’s cyber response.”
In their letter, the senators highlighted the key work that CSRB has done to investigate some of the most serious cyber incidents our country has faced, including Salt Typhoon, a breach believed to be perpetrated by the People’s Republic of China (PRC) that compromised U.S. and global telecommunications infrastructure.
“Against the backdrop of repeated insistence by this Administration on the need to leverage private sector and external expertise in government, the decision to dismantle this successful collaboration between the federal government and the private sector is particularly confounding,” the senators continued. “The CSRB has spearheaded crucial fact-finding efforts following cyber incidents, and developed recommendations and reports reflecting lessons learned following some of the most serious cyber incidents of the past few years, such as the Microsoft Exchange Online intrusion, the SolarWinds hack, and most recently (until the CSRB’s dissolution) the Salt Typhoon campaign against U.S. telecommunications infrastructure.”
The senators concluded, “As we have said before, inadequate cyber security practices put our economy, our national security and even lives at risk. The January dismissal of CSRB members, and continued uncertainty about the future role of the Board, has undermined cyber defense preparations for public and private entities across the United States. In this age of great innovation, we cannot afford to see our private or public systems compromised by malicious actors. You have had more than four months to reestablish this Board to conduct this critical work – DHS leadership and CISA must work together to immediately reinstate the Board as a crucial part of America’s cyber defense infrastructure.”
A copy of the letter is available here and the text is below.
Dear Secretary Noem:
We write to you today with regard to the need to act to reestablish the Cyber Safety Review Board (“CSRB” or “Board”). As members of the Senate Select Committee on Intelligence or the Senate Committee on Homeland Security and Governmental Affairs, we are extremely concerned with ensuring that America’s intelligence community, law enforcement agencies, state and local governments, and businesses have access to the best tools and resources to prepare for, and protect themselves against, ongoing cyber threats facing our nation. The CSRB played a vital role in U.S. national security carrying out post-incident reviews and providing information and making recommendations to improve public and private sector cyber security. Therefore, we urge you to swiftly reconstitute the Board with qualified leaders to shape our nation’s cyber response.
As chartered, the CSRB is composed of 20 standing members, with additional members appointed on a case-by-case basis for the purpose of specific investigations. All members bring expertise from both the public and private sector, and are to be selected on the basis of significant professional and technical expertise and regardless of political affiliation. This structure serves to create a body with a deep well of cyber security capabilities and knowledge that can conduct thorough reviews of cyber incidents and provide trusted, fact-based recommendations on how businesses, individuals, and agencies across all layers of government can better protect themselves.
When building cyber security capabilities, the software and IT ecosystem benefits tremendously from transparent, accessible, and rigorous research and forensics. Against the backdrop of repeated insistence by this Administration on the need to leverage private sector and external expertise in government, the decision to dismantle this successful collaboration between the federal government and the private sector is particularly confounding.
The CSRB has spearheaded crucial fact-finding efforts following cyber incidents, and developed recommendations and reports reflecting lessons learned following some of the most serious cyber incidents of the past few years, such as the Microsoft Exchange Online intrusion, the SolarWinds hack, and most recently (until the CSRB’s dissolution) the Salt Typhoon campaign against U.S. telecommunications infrastructure.
These comprehensive and incredibly fact-intensive investigations have provided invaluable transparency and lessons for the wider software and IT sectors. For instance, the CSRB’s review of the 2023 Microsoft cyber incident, recently cited by Director of National Intelligence Tulsi Gabbard when presenting the Annual Threat Assessment at the March 25, 2025 SSCI open hearing, identified several operational and strategic lapses that contributed to this intrusion, with recommendations around authentication, logging, and public communication around security incidents that benefited the entire ecosystem.
As we have noted, the CSRB had been actively investigating potentially the most expansive and impactful cyber security breach in U.S. history: the unprecedented compromises of U.S. and global telecommunications infrastructure by threat actors associated with the People’s Republic of China, widely referred to as “Salt Typhoon.” However, the CSRB’s investigation into the Salt Typhoon compromises of U.S. telecommunication firms, launched in 2024, was effectively terminated on January 20, 2025 and is depriving the public of a fuller accounting of the origin, scope, scale, and severity of these compromises. It is essential that the U.S. develop a complete and thorough understanding of the factors that contributed to the success of these intrusions – including clear root-cause analyses of each successful penetration – and present key recommendations for the telecommunications sector to better protect itself against similarly complex and large-scale compromises by future threat actors.
As we have said before, inadequate cyber security practices put our economy, our national security and even lives at risk. The January dismissal of CSRB members, and continued uncertainty about the future role of the Board, has undermined cyber defense preparations for public and private entities across the United States. In this age of great innovation, we cannot afford to see our private or public systems compromised by malicious actors. You have had more than four months to reestablish this Board to conduct this critical work – DHS leadership and CISA must work together to immediately reinstate the Board as a crucial part of America’s cyber defense infrastructure.
Thank you in advance for your prompt attention to this important issue. It is our hope that we can work together to continue developing a robust cyber security infrastructure that protects all Americans.
Sincerely,
###
WASHINGTON — U.S. Sens. Mark R. Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence, and James Lankford (R-OK), a member of the Senate Committee on Homeland Security & Governmental Affairs, have introduced the Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025, legislation to strengthen federal cybersecurity by ensuring that federal contractors adhere to guidelines set forth by the National Institute of Standards and Technology (NIST).
Vulnerability Disclosure Policies (VDP) provide a way for organizations to receive unsolicited reports of vulnerabilities within their software so that they can be patched before an attack takes place. Receiving reports on suspected security vulnerabilities in information systems is one of the best ways for developers and services to become aware of issues. Currently, civilian federal agencies are required to have VDPs, however there is no requirement for federal contractors – civilian or defense – to have VDPs for the information systems used in the fulfillment of their contracts. This legislation would require the implementation of VDPs among federal contractors and formalize actions to accept, assess, and manage vulnerability disclosure reports in order to help reduce known security vulnerabilities among federal contractors.
“Vulnerability Disclosure Policies are crucial tools to help ensure that the federal government is operating using safe cybersecurity practices. This legislation will ensure that companies doing business with the federal government are held to the same standards, better securing the entire supply chain and protecting our national security,” Sen. Warner said.
“Federal agencies and contractors must be quickly made aware of cyber vulnerabilities, so they can resolve them. By strengthening cybersecurity efforts, contractors and agencies can keep their focus on serving the American people and keep data and systems safe from cybercrimes and hacking,” Sen. Lankford said.
Specifically, the Federal Contractor Cybersecurity Vulnerability Reduction Act would require the Office of Management and Budget (OMB) to oversee updates to the Federal Acquisition Regulation (FAR) to ensure federal contractors implement a vulnerability disclosure policy consistent with what is already required by federal agencies.
Sens. Warner and Lankford originally introduced this bipartisan legislation last year. As a leader in the cybersecurity realm, Sen. Warner has led numerous legislative efforts to protect the economic prosperity, national security, and democratic institutions of the United States. Sen. Warner cofounded the bipartisan Senate Cybersecurity Caucus in 2016. A year later, in 2017, he authored the Internet of Things (IoT) Cybersecurity Improvement Act. This legislation, signed into law by President Donald Trump in December 2020, requires that any IoT device purchased with federal funds meet minimum security standards. As Chairman of the Senate Select Committee on Intelligence, Sen. Warner also co-authored legislation, subsequently signed into law, that requires companies responsible for U.S. critical infrastructure to report cybersecurity incidents to the government.
“Palo Alto Networks applauds Senator Warner’s continued efforts to promote federal cyber resilience through the Federal Cybersecurity Vulnerability Reduction Act. This legislation has strong bipartisan support, and will benefit the entire cybersecurity ecosystem,” said Bruce Byrd, EVP and General Counsel of Palo Alto Networks.
“With cyberattacks by foreign adversaries and criminals on the rise, this legislation addresses a critical gap in our nation’s defenses,” said Ilona Cohen, chief legal and policy officer at HackerOne. “This common sense legislation brings the practices of federal contractors in line with those of the agencies they serve and is essential to protect the government information and personal data they process.”
A copy of the legislation is available here.
###
Warner Leads Colleagues in Legislative Push to Combat DOGE's Unsafe Retention of Personal Information
May 20 2025
WASHINGTON — Today, U.S. Sen. Mark R. Warner (D-VA), a member of the Senate Committee on Banking, Housing, and Urban Affairs, led a group of colleagues in introducing the Defending Our Government's Electronic data: Bolstering Responsible Oversight & Safeguards (DOGE BROS) Act, legislation to hold Elon Musk and the Department of Government Efficiency (DOGE) accountable for their continued efforts to improperly access, and retain, individuals’ personally identifiable information (PII) including names, addresses, phone numbers, email addresses, Social Security numbers, and other financial information.
“As unvetted and unqualified DOGE employees continue to recklessly access the sensitive personal information of millions of Americans, it’s important that we take steps to better protect this data,” Sen. Warner said. “For too long, our privacy laws have sat outdated, barely serving as a deterrent for improper handling or potential release of information. This legislation would enforce that privacy must be a priority when handling the data of the American public.”
Joining Sen. Warner in introducing the DOGE BROS Act are U.S. Sens. Tim Kaine (D-VA), Chris Van Hollen (D-MD), Angela Alsobrooks (D-MD), Adam Schiff (D-CA), Ben Ray Luján (D-NM), and Peter Welch (D-VT).
“Elon Musk and his ‘Department of Government Efficiency’ are wreaking havoc across the government and gaining access to Americans’ sensitive information without proper authorization, which poses significant privacy and national security concerns,” Sen. Kaine said. “That’s why I’m introducing this bill to increase the penalties for violating privacy laws and help safeguard Americans’ personal information.”
“Elon Musk and his DOGE cronies have been illegally ransacking federal agencies to gain access to troves of Americans’ sensitive personal data – from Social Security numbers to medical records to bank account information. Strengthening penalties for the theft of this data will help further deter these illegal abuses and keep Americans’ private information safe,” Sen. Van Hollen said.
“The American people do not want Elon Musk knowing their Social Security numbers and sifting through their financial information. Musk and his team of wildly unqualified DOGE employees have gone too far – and we are sick of it. The Senate needs to prove we care more about those we serve than Elon Musk. Let’s immediately pass this legislation to protect the data and privacy of the American people,” Sen. Alsobrooks said.
“From day one, Elon Musk’s DOGE has taken a wrecking ball to the federal government and critical services for the American people, all while carelessly pursuing their sensitive personal data,” Sen. Luján said. “Congress must do more to protect that information and keep it out of the wrong hands. That’s why I’m proud to join my colleagues in introducing legislation to strengthen our privacy laws and put Americans’ privacy first.”
“Elon Musk’s so-called ‘Department of Government Efficiency’ and his DOGE agents are wreaking havoc on the federal government and the programs millions of Americans rely on. There’s no reason DOGE should gain access to Vermonters’ personal information, and I’m working with my colleagues to hold DOGE accountable and protect peoples’ privacy and data,” Sen. Welch said.
The United States has existing laws that are designed to protect personal information held by the government. However, the penalties established in these various laws have not been properly adjusted or increased to account for inflation, making them far less impactful today. The DOGE BROS Act would increase five penalties for violation of federal privacy laws to better protect the sensitive information that DOGE is accessing in their reckless purge of the federal government. Specifically, the DOGE BROS Act would increase the existing penalties for the unauthorized release of the following information:
- Individually Identifiable Information Contained Within Any Agency Record
  - Code Section: 5 U.S.C. §552a(i)(i, ii, iii)
  - Current Penalty: up to $5,000
  - Proposed Penalty: up to $30,000
- Information from Any Department or Agency of the United States Obtained Using a Computer Without Authorization
  - Code Section: 18 U.S.C. §1030(a)(2)(B)
  - Current Penalty: up to $250,000
  - Proposed Penalty: up to $750,000
- Social Security and Medicare Data
  - Code Section: 42 U.S.C. §1306
  - Current Penalty: up to $10,000
  - Proposed Penalty: up to $25,000
- Tax Return Information
  - Code Section: 26 U.S.C. §7213
  - Current Penalty: up to $5,000
  - Proposed Penalty: up to $25,000
- Census Data
  - Code Section: 13 U.S.C. §214
  - Current Penalty: up to $5,000
  - Proposed Penalty: up to $25,000
A copy of the bill text is available here.
###
Statement of Sen. Warner on the GENIUS Act
May 19 2025
WASHINGTON – U.S. Sen. Mark R. Warner (D-VA) released the following statement ahead of a Senate procedural vote on a revised version of the Guiding and Establishing National Innovation for U.S. Stablecoins (GENIUS) Act:
“The stablecoin market has reached nearly $250 billion and the U.S. can’t afford to keep standing on the sidelines. We need clear rules of the road to protect consumers, defend national security, and support responsible innovation. The GENIUS Act is a meaningful step forward. It sets high standards for issuers, limits big tech overreach, and creates a safer, more transparent framework for digital assets. It’s not perfect, but it’s far better than the status quo.
“Many senators, myself included, have very real concerns about the Trump family’s use of crypto technologies to evade oversight, hide shady financial dealings, and personally profit at the expense of everyday Americans. We have a duty to shine a light on these abuses and stop Donald Trump from exploiting emerging technologies to enrich himself, dodge accountability, and weaken the safeguards that protect American consumers and the rule of law.
“But we cannot allow that corruption to blind us to the broader reality: blockchain technology is here to stay. If American lawmakers don’t shape it, others will – and not in ways that serve our interests or democratic values. Innovation in this space is happening, with or without us. We have a responsibility to ensure it happens safely, transparently, and in a way that advances U.S. economic and national security interests. The GENIUS Act will help get us started.”
###
WASHINGTON – As Elon Musk’s Department of Government Efficiency (DOGE) continues its purge of federal programs, U.S. Sen. Mark Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence, is cautioning the Office of Personnel Management (OPM) against prematurely eliminating government contracts that protect millions of federal employees whose personal information was compromised in massive data breaches nearly 10 years ago.
In 2015, OPM announced two separate cybersecurity incidents attributed to the People’s Republic of China (PRC) that compromised the Social Security numbers, birthdates, and addresses of approximately 21.5 million individuals.
“The federal workforce was dangerously exposed by the 2015 OPM breach, and millions of impacted individuals will continue to be at risk because of the breach, likely for the remainder of their lives. In addition to Social Security numbers, birthdates, and addresses, there were also 1.1 million sets of fingerprints and detailed financial and health records exposed—some of the most valuable information today on the dark web,” wrote Sen. Warner.
In the immediate aftermath of the breach, Sen. Warner introduced legislation to protect federal workers affected by the attacks and eventually secured OPM-contracted identity protection services for those impacted by the breach. However, despite previous efforts by the Trump administration to protect federal workers whose data was compromised, DOGE has signaled that these protections may be in jeopardy.
Sen. Warner continued, “Given the recent personnel cuts to OPM and Elon Musk’s imminent departure from the Trump administration, I am deeply concerned that OPM is planning to curtail identity theft monitoring for millions of public servants and their families whose information was compromised in 2015. I urge you to ensure that identity theft protection services for the impacted individuals from the 2015 OPM breach continue, as required by law.”
A copy of the letter is available here and the text is below.
Dear Mr. Ezell:
I write to bring your attention to a vital issue affecting the federal workforce, past and current, and their families. In 2015, the Office of Personnel Management (OPM) announced two separate cybersecurity incidents. The Social Security numbers, birthdates, and addresses of approximately 21.5 million individuals were compromised in the breaches, including 19.7 million individuals who applied for background investigations and 1.8 million non-applicants (predominantly spouses or cohabitants of applicants). In response to this massive security compromise, I co-sponsored the RECOVER Act, the original bill for OPM-contracted identity protection services for the impacted individuals. Congress appropriated funds in section 633(a) of the Consolidated Appropriations Act of 2017. The Act and appropriation protected the 21.5 million impacted individuals with identity protection coverage and identity theft insurance. This appropriation was “effective for a period of not less than 10 years,” and expires at the end of fiscal year 2026, on September 30, 2026.
The 2015 OPM cybersecurity breach was attributed to the People’s Republic of China (PRC). In the decade since the breach, the PRC has mounted additional attacks to steal information about America’s leaders and public servants to disrupt and endanger the lives of everyday Americans, including recent cyber, critical infrastructure, and telecom security breaches. The federal workforce was dangerously exposed by the 2015 OPM breach, and millions of impacted individuals will continue to be at risk because of the breach, likely for the remainder of their lives. In addition to Social Security numbers, birthdates, and addresses, there were also 1.1 million sets of fingerprints and detailed financial and health records exposed—some of the most valuable information today on the dark web.
The risks and appropriate remedies for the compromise of sensitive information about public servants are well known to this administration. In March 2025, the Trump administration acknowledged the improper disclosure of sensitive information to former public servants when it disclosed the Social Security numbers, birthdates, and other sensitive information of hundreds of individuals in the release of the files pertaining to the death of President John F. Kennedy. To protect those compromised individuals, the Trump administration is reportedly providing credit monitoring and, in some cases, has issued new Social Security numbers to the impacted individuals. While the March 2025 disclosure was a staggering unforced error, I applaud the administration’s swift response to protect the victims. Current and former public servants should not be abandoned to bear the risks of the federal government’s failure to protect their sensitive information.
It was not practicable to issue millions of new Social Security numbers to the Americans impacted by the 2015 OPM data breach, which is why the federal government responded at the time, followed by Congress appropriating funds to OPM to contract for identity theft protection services. Given the recent personnel cuts to OPM and Elon Musk’s imminent departure from the Trump administration, I am deeply concerned that OPM is planning to curtail identity theft monitoring for millions of public servants and their families whose information was compromised in 2015. I urge you to ensure that identity theft protection services for the impacted individuals from the 2015 OPM breach continue, as required by law. Any attempt to prematurely phase out services to the victims of the 2015 OPM breach will introduce tremendous risk to former and current federal employees and create an opportunity for America’s adversaries and criminals to target and potentially further compromise millions of Americans.
If you do decide to alter or terminate the current contract(s) protecting over 21 million Americans from identity theft as a result of the 2015 OPM breach, please inform my office and the relevant committees of Congress as soon as you make any such determination.
Sincerely,
###
WASHINGTON – Today, U.S. Sen. Mark R. Warner (D-VA) released the following statement regarding a Senate procedural vote on the Guiding and Establishing National Innovation for U.S. Stablecoins (GENIUS) Act:
“This is an area that demands American leadership. Stablecoins are undeniably a part of the future of finance, and the United States should set the standard for responsible innovation in the digital financial space.
“While we’ve made meaningful progress on the GENIUS Act, the work is not yet complete, and I simply cannot in good conscience ask my colleagues to vote for this legislation when the text isn’t yet finished.
“I remain fully committed to getting this right. I plan to continue working with my colleagues to strengthen this legislation and move it forward in a way that promotes innovation while protecting the interests of the American people. It is my sincere hope that we can start floor consideration next week after we have finalized our work and given our colleagues adequate time to review.”
###
WASHINGTON – Today, U.S. Sens. Mark R. Warner (D-VA), Bill Cassidy, M.D. (R-LA), ranking member of the Senate Health, Education, Labor, and Pensions (HELP) Committee, John Cornyn (R-TX), and Maggie Hassan (D-NH) introduced legislation to strengthen cybersecurity in the health care sector and protect Americans’ health data. This legislation is a product of the senators’ health care cybersecurity working group launched last year.
“Cyberattacks on our health care systems and organizations not only threaten personal and sensitive information, but can have life-and-death consequences with even the briefest period of interruption. I’m proud to introduce this bipartisan legislation that strengthens our cybersecurity and better protects patients,” said Sen. Warner.
“Cyberattacks on our health care sector not only put patients’ sensitive health data at risk but can delay life-saving care,” said Dr. Cassidy. “This bipartisan legislation ensures health institutions can safeguard Americans’ health data against increasing cyber threats.”
“In an increasingly digital world, it is essential that Americans’ health care data is protected,” said Sen. Cornyn. “This commonsense legislation would modernize our health care institutions’ cybersecurity practices, increase agency coordination, and provide tools for rural providers to prevent and respond to cyberattacks.”
“Cyberattacks in the health care sector can have a wide range of devastating consequences, from exposing private medical information to disrupting care in ERs – and it can be particularly difficult for medical providers in rural communities with fewer resources to prevent and respond to these attacks,” said Sen. Hassan. “Our bipartisan working group came together to develop this legislation based on the most pressing needs for medical providers and patients, and I urge my colleagues to support it.”
The Health Care Cybersecurity and Resiliency Act of 2024:
- Strengthens cybersecurity in the health care sector by providing grants to health entities to improve cyberattack prevention and response.
- Provides training to health entities on cybersecurity best practices.
- Supports rural communities by providing best practices to rural health clinics and other providers on cybersecurity breach prevention, resilience, and coordination with federal agencies.
- Improves coordination between the Department of Health and Human Services (HHS) and Cybersecurity and Infrastructure Security Agency (CISA) to better respond to cyberattacks in the health care sector.
- Modernizes current regulations so entities covered under the Health Insurance Portability and Accountability Act (HIPAA) use the best cybersecurity practices.
- Requires the HHS Secretary to develop and implement a cybersecurity incident response plan.
Click here for full bill text.
###
Senate Intel Chair Warner Pushes CISA to Step Up to Prevent Influence in the 2024 Election
Sep 27 2024
WASHINGTON – With less than 40 days until the election, U.S. Sen. Mark R. Warner (D-VA), Chairman of the Senate Select Committee on Intelligence, wrote to Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA), to push CISA to do more to assist state and local governments in identifying, responding to, and mitigating the spread of misinformation and disinformation that could impact the 2024 election and afterwards.
“Unfortunately, throughout this election cycle we have witnessed an unprecedented rise in targeted election disinformation campaigns… the Intelligence Community’s 2024 Annual Threat Assessment shed light into strategic and intentional attempts by foreign actors, including Russia, China, and Iran, to magnify and exploit social divisions and conduct election influence operations through the dissemination of false and misleading information – with presidential elections being prime targets of such efforts,” wrote Sen. Warner.
The letter calls attention to a range of voter intimidation plots throughout the years, and emphasizes their success in both suppressing turnout and sowing general mistrust among voters. In response to these threats, Sen. Warner urges robust action from CISA to increase its resources and grow its collaborative efforts to track these efforts. He also calls on CISA to facilitate communication between election offices and social media platforms – an effort the agency has moved away from.
“I also encourage CISA to work closely with all relevant parties, including academics and researchers, state and local officials, and private sector entities (such as technology companies and social media platforms) in an effort to increase information sharing. I strongly encourage the agency to again coordinate efforts with platforms to combat election disinformation. In an election cycle where threats persistently grow but some platforms are dedicating fewer resources towards election integrity and content moderation efforts, this presents an opportune moment to ramp up such collaborations. CISA would play an invaluable role facilitating communication between election offices and platforms, empowering both to better combat the dissemination of deceptive and misleading information,” Sen. Warner continued.
The letter also raises the unique threats posed by the development of artificial intelligence (AI) and calls attention to an incident in the New Hampshire primary where AI-generated robocalls impersonating Joe Biden urged voters to stay home and “save” their vote for the general election. Sen. Warner concludes by urging CISA to stay alert to the ways AI changes the threat landscape.
“Although AI alone has not changed the threat landscape observed in previous elections, it has supercharged the threats and adjusted the risk calculus. CISA should likewise adjust with this change in risk to ensure that election offices and the public have the necessary protections in place to remain resilient against AI-enhanced threats,” Sen. Warner continued.
Over the past year, Sen. Warner has repeatedly raised the alarm about the elevated threat environment around the 2024 election. He has hosted two open hearings in the Intelligence Committee to call on representatives from both the U.S. government and large tech companies to testify about their knowledge of and efforts to crack down on foreign malign influence online. He has also spoken out specifically about Russia and Iran’s attempts to influence the 2024 election. Additionally, in January, Sen. Warner sent a letter to CISA to push for more robust efforts to get ahead of this threat.
A copy of the letter is available here and below:
Dear Director Easterly:
I write to you today with great concern regarding the potential for election misinformation and disinformation campaigns impacting state and local election offices ahead of the November 5, 2024 Presidential election. Attacks against state and local election offices and officials will have ramifications on our democratic processes, including the administration of elections and possible voter suppression and intimidation. As such, I strongly urge you to use all the tools at your disposal to provide state and local administrators with the necessary resources to uncover, build resilience against, and rapidly respond to information manipulation campaigns leading up to the election and afterwards.
State and local election offices play a vital role in the administration of elections, including supervising and holding elections, providing for the safety and security of our voting systems, and serving as trusted determiners of election results. In the lead up to consequential elections, election offices serve as credible information ecosystems, providing critical information on the time, manner, and place of elections. Voters trust these entities to ensure that our elections are accurate, safe, secure, and accessible. That is why I am encouraged by and salute the work of the Cybersecurity & Infrastructure Security Agency (CISA) in continuing to support state and local efforts to safeguard election integrity.
Unfortunately, throughout this election cycle we have witnessed an unprecedented rise in targeted election disinformation campaigns. Most infamously, in January 2024, voters in New Hampshire were on the receiving end of robocalls from domestic partisan actors using an artificial intelligence (AI) generated voice impersonating President Joe Biden ahead of the state’s primary, urging voters not to vote and to instead save their vote for the general election. Separately, the Intelligence Community’s 2024 Annual Threat Assessment shed light into strategic and intentional attempts by foreign actors, including Russia, China, and Iran, to magnify and exploit social divisions and conduct election influence operations through the dissemination of false and misleading information – with presidential elections being prime targets of such efforts. Just earlier this month, the Department of Justice successfully disrupted a covert Russian government-sponsored influence campaign to shape voter perceptions in the upcoming election through the purchase of internet domains intended to mimic legitimate news organizations. While the IC remains confident that foreign actors could not successfully manipulate election systems to impact election outcomes without detection, it has elevated concerns that foreign actors could instead utilize information operations to undermine confidence in the election.
In addition to disrupting the stable administration of elections, these types of information manipulation campaigns can result in potential voter suppression and intimidation. In the last several years, false claims that the Immigration and Customs Enforcement (ICE) agency will be patrolling polling locations on Election Day have gone viral and were found to be distributed in-person, creating an environment of intimidation for potential voters. In 2020, political operatives targeted tens of thousands of Black voters in Midwestern states, placing robocalls making false claims that individuals who vote by mail would have their personal information added to a government database for monitoring that could then be used for pursuing debts, warrants, and then-mandatory vaccines. During that same year, tens of thousands of voters in Florida received targeted emails directing them to change their party affiliation and vote for a particular candidate or face physical violence, a clear voter intimidation plot. Additionally, foreign actors have also engaged in these practices; in its Intelligence Community Assessment for the 2020 U.S. election, the IC assessed that both Russia and Iran pursued efforts to spread false information about electoral processes and – in both cases – suppress (or even intimidate) American voters. Such efforts not only severely impact voter turnout and participation in our democracy, but can erode public trust and weaken voter confidence in our democratic institutions and electoral processes.
As evidenced through the disturbing incidents above, the widespread presence, expanded scope, and increased sophistication of AI technologies, including generative AI, has only strengthened deceptive and manipulative information campaigns. While AI capabilities continue to grow at a rapid pace, state and local governments’ IT, public outreach, and cybersecurity teams continue to operate with limited staff and resources, making it extremely difficult for smaller teams to respond to sophisticated AI-backed campaigns targeting elections.
That is why the work of CISA is crucial in securing the systems and assets that support our nation’s elections. CISA, and the Department of Homeland Security more broadly, provide wide-ranging and essential resources, including cybersecurity assessments, detection and prevention, information sharing and awareness, and training and career development – most of these listed in the Election Infrastructure Security Resource Guide at no cost to state and local governments. These products are integral in safeguarding our election systems and ensuring that our democratic processes can continue as intended.
I strongly urge CISA to increase its provision to assist state and local governments in identifying, responding to, and mitigating the spread of misinformation and disinformation that could impact the administration of elections and voting processes. I recognize that CISA has proactively provided educational materials and products, including toolkits and FAQs and I commend your agency for these efforts. I encourage CISA to build upon these resources and expand the work of entities, like the Elections Infrastructure Information Sharing and Analysis Center (EI-SAC) and work with other bodies, like the National Association of State Election Directors (NASED) and the National Association of Secretaries of State (NASS) to determine and meet the needs of election offices as it pertains to the spread of election misinformation and disinformation.
Within the vein of collaborative efforts, I also encourage CISA to work closely with all relevant parties, including academics and researchers, state and local officials, and private sector entities (such as technology companies and social media platforms) in an effort to increase information sharing. I strongly encourage the agency to again coordinate efforts with platforms to combat election disinformation. In an election cycle where threats persistently grow but some platforms are dedicating fewer resources towards election integrity and content moderation efforts, this presents an opportune moment to ramp up such collaborations. CISA would play an invaluable role facilitating communication between election offices and platforms, empowering both to better combat the dissemination of deceptive and misleading information.
Finally, although AI alone has not changed the threat landscape observed in previous elections, it has supercharged the threats and adjusted the risk calculus. CISA should likewise adjust with this change in risk to ensure that election offices and the public have the necessary protections in place to remain resilient against AI-enhanced threats.
Thank you in advance for your prompt attention to this important issue. It is my hope that we can work together to safeguard our democracy against misinformation and disinformation.
Sincerely,
###
Warner and Wyden Introduce Bill to Set Strong Cybersecurity Standards for American Health Care System
Sep 26 2024
WASHINGTON – Senator Mark Warner (D-VA) and Senate Finance Committee Chair Ron Wyden (D-OR) today announced legislation to improve cybersecurity in the American health care system amid a wave of increased cyberattacks that are breaching Americans’ privacy and causing major disruptions to care across the country.
“Cyberattacks on our health care institutions threaten patients’ most private data and delay essential medical care, directly endangering Americans’ lives and long term health,” Sen. Warner said. “With hacks already targeting institutions across the country, it’s time to go beyond voluntary standards and ensure health care providers and vendors get serious about cybersecurity and patient safety. I’m glad to introduce legislation that would mandate sensible cybersecurity protocols while also getting resources to rural and underserved hospitals to ensure they have the funding to meet these new standards.”
“Megacorporations like UnitedHealth are flunking Cybersecurity 101, and American families are suffering as a result,” Sen. Wyden said. “The health care industry has some of the worst cybersecurity practices in the nation despite its critical importance to Americans’ well-being and privacy. These commonsense reforms, which include jail time for CEOs that lie to the government about their cybersecurity, will set a course to beef up cybersecurity among health care companies across the nation and stem the tide of cyberattacks that threaten to cripple the American health care system.”
“Cybersecurity remains an ever-evolving challenge in our health care ecosystem and more must be done to prevent cyber attacks and ensure patient safety,” said Andrea Palm, Deputy Secretary of the Department of Health and Human Services. “Clear accountability measures and mandatory cybersecurity requirements for all organizations that hold sensitive data are essential. We are grateful for Senator Wyden and Senator Warner’s leadership and look forward to continuing to work together on this legislation to strengthen cyber resiliency across our entire health care ecosystem.”
The bill, titled the “Health Infrastructure Security and Accountability Act,” would require the Department of Health and Human Services (HHS) to develop and enforce a set of tough minimum cybersecurity standards for health care providers, health plans, clearinghouses and business associates, including stronger standards for systemically important entities and entities important for national security. The bill would also remove the existing cap on fines under the Health Insurance Portability and Accountability Act, which prevents the regulator from issuing fines large enough to deter megacorporations from ignoring cybersecurity standards, and provide funding for hospitals to improve their cybersecurity, particularly low-resource hospitals in rural and urban areas.
A one-page summary of the bill can be found here. The legislative text can be found here.
###
WASHINGTON — U.S. Sens. Mark R. Warner (D-VA), Chairman of the Senate Select Committee on Intelligence, and James Lankford (R-OK), a member of the Senate Committee on Homeland Security & Governmental Affairs, today announced the Federal Contractor Cybersecurity Vulnerability Reduction Act of 2024, legislation they will introduce to strengthen federal cybersecurity by ensuring that federal contractors adhere to guidelines set forth by the National Institute of Standards and Technology (NIST). Companion legislation, introduced in the House of Representatives, is being led by Rep. Nancy Mace (R-SC-01).
Vulnerability Disclosure Policies (VDPs) provide a way for organizations to receive unsolicited reports of vulnerabilities within their software so that they can be patched before an attack takes place. Receiving reports on suspected security vulnerabilities in information systems is one of the best ways for developers and services to become aware of issues. Currently, civilian federal agencies are required to have VDPs; however, there is no requirement for federal contractors – civilian or defense – to have VDPs for the information systems used in the fulfillment of their contracts. This legislation would require the implementation of VDPs among federal contractors and formalize actions to accept, assess, and manage vulnerability disclosure reports in order to help reduce known security vulnerabilities among federal contractors.
“VDPs are a crucial tool used to proactively identify and address software vulnerabilities,” said Sen. Warner. “This legislation will ensure that federal contractors, along with federal agencies, are adhering to national guidelines that will better protect our critical infrastructure and sensitive data from potential attacks.”
“Federal agencies and contractors must be quickly made aware of cyber vulnerabilities, so they can resolve them. By strengthening cybersecurity efforts, contractors and agencies can keep their focus on serving the American people and keep data and systems safe from cybercrimes and hacking,” said Sen. Lankford.
Specifically, the Federal Contractor Cybersecurity Vulnerability Reduction Act of 2024 would:
- Require the Office of Management and Budget (OMB) to oversee updates to the Federal Acquisition Regulation (FAR) to ensure federal contractors implement a vulnerability disclosure policy consistent with what is already required by federal agencies;
- Require the Secretary of Defense to oversee updates to the Defense Federal Acquisition Regulation Supplement (DFARS) contract requirements to ensure defense contractors implement the same.
This legislation is the latest step in Sen. Warner’s efforts to mitigate the damage of potential cybersecurity attacks. He has been a leader in the cybersecurity realm throughout his time in the Senate, crafting numerous pieces of legislation aimed at addressing these threats facing our nation. Recognizing that cybersecurity is an increasingly complex issue that affects the health, economic prosperity, national security, and democratic institutions of the United States, Sen. Warner cofounded the bipartisan Senate Cybersecurity Caucus in 2016. A year later, in 2017, he authored the Internet of Things (IoT) Cybersecurity Improvement Act. This legislation, signed into law by President Donald Trump in December 2020, requires that any IoT device purchased with federal funds meet minimum security standards. As Chairman of the Senate Select Committee on Intelligence, Sen. Warner also co-authored legislation that requires companies responsible for U.S. critical infrastructure to report cybersecurity incidents to the government. This legislation was signed into law by President Joe Biden as part of the Consolidated Appropriations Act in March 2022.
“Palo Alto Networks applauds Senator Warner’s continued efforts to promote federal cyber resilience through the Federal Cybersecurity Vulnerability Reduction Act. This legislation has strong bipartisan support, and will benefit the entire cybersecurity ecosystem,” said Bruce Byrd, EVP and General Counsel of Palo Alto Networks.
“This bipartisan legislation addresses a critical gap in our nation’s cybersecurity protections by bringing the practices of federal contractors in line with those of the agencies they serve and with guidelines issued by the National Institute of Standards and Technology,” said Ilona Cohen, Chief Legal and Policy Officer of HackerOne. “This proactive approach to security will ensure that businesses are actively protecting government systems, critical infrastructure, and sensitive data from exploitation by malicious actors. We applaud Senators Warner and Lankford for their leadership on this important issue.”
A copy of the legislation is available here. A one-pager of the legislation is available here.
###
Warner Urges Biden Administration to Release Updated Cybersecurity Policies in the Health Care Sector
Jul 12 2024
WASHINGTON – Today, U.S. Sen. Mark R. Warner (D-VA) wrote to Department of Health and Human Services (HHS) Secretary Xavier Becerra and Deputy National Security Advisor Anne Neuberger, urging them to quickly develop and release mandatory minimum cyber standards for the health care sector. This letter comes as cyberattackers continue to exploit vulnerabilities in many current systems.
“I write today to urge you to prioritize the development of mandatory minimum cyber standards and to propose them as soon as possible, given the increasing severity, frequency, and sophistication of cybersecurity threats and attacks. Health care is one of the largest sectors in the U.S. economy, with health expenditures accounting for 17 percent of the United States’ gross domestic product in 2022, and expected to grow to nearly 20 percent by 2032. More important than the economic risks cyberattacks pose to the health care sector are the vulnerabilities to patients’ access to care and private health information. Simply put, inadequate cybersecurity practices put people’s lives at risk,” Sen. Warner wrote.
This letter comes months after a major cybersecurity incident at Change Healthcare affected billing and care authorization portals and led to prescription backlogs and missed revenue for providers. This attack, and other similar attempts, pose a serious risk not only to regular business operations, but also to patient care. In his letter, Sen. Warner highlighted that without basic security measures, these attacks are relatively easy to carry out and will happen with more frequency.
Sen. Warner continued, “Due to some entities failing to implement basic cybersecurity best practices, such as the lack of multi-factor authentication resulting in the successful attack on Change Healthcare, the capability required of a threat actor to carry out an operation in the sector can be quite low.”
Sen. Warner has been a leader in the cybersecurity realm throughout his time in the Senate, crafting numerous pieces of legislation aimed at addressing these threats facing our nation. Recognizing that cybersecurity is an increasingly complex issue that affects the health, economic prosperity, national security, and democratic institutions of the United States, Sen. Warner cofounded the bipartisan Senate Cybersecurity Caucus in 2016. A year later, in 2017, he authored the Internet of Things (IoT) Cybersecurity Improvement Act. This legislation, signed into law by President Donald Trump in December 2020, requires that any IoT device purchased with federal funds meet minimum security standards. As Chairman of the Senate Select Committee on Intelligence, Sen. Warner co-authored legislation that requires companies responsible for U.S. critical infrastructure to report cybersecurity incidents to the government. This legislation was signed into law by President Joe Biden as part of the Consolidated Appropriations Act in March 2022.
Sen. Warner has also examined cybersecurity in the health care sector specifically. In 2022, Sen. Warner authored “Cybersecurity is Patient Safety,” a policy options paper, outlining current cybersecurity threats facing health care providers and systems and offering for discussion a series of policy solutions to improve cybersecurity across the industry. Since publishing, Sen. Warner has launched the Health Care Cybersecurity Working Group with a bipartisan group of colleagues to examine and propose potential legislative solutions to strengthen cybersecurity in the health care and public health sector.
A copy of the letter can be found here and below.
Dear Secretary Becerra and Ms. Neuberger:
Thank you for your continued commitment to improving cybersecurity in America’s health care system. I write today to urge you to prioritize the development of mandatory minimum cyber standards and to propose them as soon as possible, given the increasing severity, frequency, and sophistication of cybersecurity threats and attacks. Health care is one of the largest sectors in the U.S. economy, with health expenditures accounting for 17 percent of the United States’ gross domestic product in 2022, and expected to grow to nearly 20 percent by 2032. More important than the economic risks cyberattacks pose to the health care sector are the vulnerabilities to patients’ access to care and private health information. Simply put, inadequate cybersecurity practices put people’s lives at risk.
Financially-motivated threat actors realize that the sector has both highly valuable data in its possession and also faces tremendous pressure to respond quickly to a ransomware demand. Health records are more valuable than credit card records on the dark market and disruptions to operations of health care providers have direct impact on the life and well-being of their patients. Due to some entities failing to implement basic cybersecurity best practices, such as the lack of multi-factor authentication resulting in the successful attack on Change Healthcare, the capability required of a threat actor to carry out an operation in the sector can be quite low.
Further, both the size and increasingly interconnected nature of the sector create a vulnerable attack surface. Not only do attacks against the sector often result in the loss of highly personal and sensitive data, those attacks have also affected the ability of providers to maintain the availability and quality of their care. We have seen devastating incidents, including the recent cyberattack on Change Healthcare, that ultimately took down the ability of providers to pay their workers and prevented pharmacists from looking up patient insurance and co-pay information. The recent cyberattack on the nationwide provider, Ascension, has also resulted in delays in care. And we have a growing body of evidence that clearly demonstrates that cybersecurity is, above all else, a patient safety issue.
The health care sector must be fully engaged in developing, implementing, and maintaining a coherent and effective cybersecurity regime; accepting cyberattacks due to lack of preparedness cannot and should not be a cost of doing business. The stakes are too high, and the voluntary nature of the status quo is not working, especially regarding health care stakeholders that are systemically important nationally or regionally. Mandatory minimum cyber standards would ensure that all health care stakeholders prioritize cybersecurity in their work.
Policymakers, cybersecurity professionals, and patients alike have long been raising the alarm that the voluntary nature of cybersecurity in health care is insufficient and dangerous. It’s critical that the Administration expeditiously act to create mandatory, enforceable policies in the health care sector.
Sincerely,
###
WASHINGTON – Today, Senate Select Committee on Intelligence Chairman Mark R. Warner (D-VA) issued the statement below, following a press briefing from the Office of the Director of National Intelligence, the Federal Bureau of Investigation, and the Cybersecurity and Infrastructure Security Agency on the foreign threat landscape ahead of the election.
“I have long pushed the Intelligence Community to be more open with the public about the complex and serious foreign influence threats targeting the United States – particularly in the context of U.S. elections. Today’s press briefing is a strong step in that direction. I applaud the ODNI, FBI, and CISA for commencing these regular public updates on foreign efforts to manipulate our democratic processes and undermine our election. There is no doubt that these updates – in addition to efforts by civil society and the private sector – will serve to better inform and prepare the public.
“As the Chairman of the Senate Intelligence Committee, I would encourage all Americans to stay informed and alert. Social media, in particular, continues to be a popular vector for foreign covert influence attempts, and our adversaries remain focused on stoking social, racial, and political tensions among Americans. The best thing Americans can do to help safeguard our election is avoid succumbing to nefarious foreign efforts to create division and sow chaos. I am committed to working with the Intelligence Community to declassify more information and further increase transparency.”
###
Senate Intel Chairman Pushes Companies to Follow Through On Commitments to Combat Deceptive Use of AI
May 14 2024
WASHINGTON – With under six months until the U.S. general election, Intelligence Committee Chairman Mark R. Warner (D-VA) today pushed tech companies to follow up on commitments made at the Munich Security Conference and take concrete measures to combat malicious misuses of generative artificial intelligence (AI) that could impact elections. In February, a group of AI companies signed the Tech Accord to Combat Deceptive Use of AI in 2024 Elections, a high-level roadmap for a variety of new initiatives, investments, and interventions that could improve the information ecosystem surrounding this year’s elections. Following that initial agreement, Sen. Warner is pushing for specific answers about the actions that companies are taking to make good on the Tech Accord.
“Against the backdrop of worldwide proliferation of malign influence activity globally – with an ever-growing range of malign actors embracing social media and wider digital communications technologies to undermine trust in public institutions, markets, democratic systems, and the free press – generative AI (and related media-manipulation) tools can impact the volume, velocity, and believability of deceptive election information,” Sen. Warner wrote.
This year, elections are taking place in over 40 countries representing over 4 billion people, while AI companies are simultaneously releasing a range of powerful and untested new tools that have the potential to rapidly spread believable misinformation and to be abused by a range of bad actors. While the Tech Accord represented a positive, public-facing first step to recognize and address this novel challenge, Sen. Warner is pushing for effective, durable protections to ensure that malign actors can’t use AI to craft misinformation campaigns and to prevent its dissemination on social media platforms. To that end, he posed a series of questions to get specific information on the actions that companies are taking to prevent the creation and rapid spread of AI-enabled disinformation and election deception.
“While high-level, the commitments your company announced in conjunction with the Tech Accord offer a clear roadmap for a variety of new initiatives, investments, and interventions that can materially enhance the information ecosystem surrounding this year’s election contests. To that end, I am interested in learning more about the specific measures your company is taking to implement the Tech Accord. While the public pledge demonstrated your company’s willingness to constructively engage on this front, ultimately the impact of the Tech Accord will be measured in the efficacy – and durability – of the initiatives and protection measures you adopt,” Sen. Warner continued.
The letter concludes by pointing out that several of the proposed measures to combat malicious misuse in elections would also help address adjacent misuses of AI technology, including the creation of non-consensual intimate imagery, child sexual abuse material, and online bullying and harassment campaigns. Sen. Warner has been consistently calling attention to and pushing for action from AI companies on these and other potential misuses. On Wednesday, Sen. Warner will host a public Intelligence Committee hearing where leaders from the FBI, CISA, and the ODNI will provide updates on threats to the 2024 election.
Sen. Warner sent letters to every signatory of the Tech Accord: Adobe, Amazon, Anthropic, Arm, Eleven Labs, Gen, GitHub, Google, IBM, Inflection, Intuit, LG, LinkedIn, McAfee, Microsoft, Meta, NetApp, Nota, Open AI, Snap, Stability AI, TikTok, Trend, True Media, Truepic, and X.
A copy of every letter is available here and one example is included below:
Earlier this year, I joined to amplify and applaud your company’s commitment to advance election integrity worldwide through the Tech Accord to Combat Deceptive Use of AI in 2024 Elections. As generative artificial intelligence (AI) products proliferate for both commercial and general users, a multi-stakeholder approach is needed to ensure that industry, governments, and civil society adequately anticipate – and counteract – misuse of these products in ways that cause harm to vulnerable communities, public trust, and democratic institutions. The release of a range of powerful new AI tools – many enabled or directly offered by your [company/organization] – coincides with an unprecedented number of elections worldwide. As memorialized during the Munich Summit, elections have occurred – or will occur – in over 40 countries worldwide, with more than four billion global citizens exercising their franchise. Since the signing of the Tech Accord on February 16th, the first round of India’s elections have already concluded. European Parliament elections will take place in early June and – as primary contests are already well underway – the U.S. general election will take place on November 5th.
While policymakers worldwide have begun the process of developing measures to ensure that generative AI technologies (and related media manipulation tools) serve the public interest, the private sector can – particularly in collaboration with civil society – dramatically shape the usage and wider impact of these technologies through proactive measures. Against the backdrop of worldwide proliferation of malign influence activity globally – with an ever-growing range of malign actors embracing social media and wider digital communications technologies to undermine trust in public institutions, markets, democratic systems, and the free press – generative AI (and related media-manipulation) tools can impact the volume, velocity, and believability of deceptive election information.
While high-level, the commitments your company announced in conjunction with the Tech Accord offer a clear roadmap for a variety of new initiatives, investments, and interventions that can materially enhance the information ecosystem surrounding this year’s election contests. To that end, I am interested in learning more about the specific measures your company is taking to implement the Tech Accord. While the public pledge demonstrated your company’s willingness to constructively engage on this front, ultimately the impact of the Tech Accord will be measured in the efficacy – and durability – of the initiatives and protection measures you adopt. Indeed, many of these measures will be vital in addressing adjacent misuses of generative AI products, such as the creation of non-consensual intimate imagery, child sexual abuse material, or content generated for online harassment and bullying campaigns. I request that you provide answers to the following questions no later than May 24, 2024.
- What steps is your company taking to attach content credentials, and other relevant provenance signals, to any media created using your products? To the extent that your product is incorporated in a downstream product offered by a third-party, do license terms or other terms of use stipulate the adoption of such measures? To the extent you distribute content generated by others, does your company attach labels when you assess – based on either internal classifiers or credible third-party reports – to be machine-generated or machine-manipulated?
- What specific public engagement and education initiatives have you initiated in countries holding elections this year? What has the engagement rate been thus far and what proactive steps are you undertaking to raise user awareness on the availability of new tools hosted by your platform?
- What specific resources has your company provided for independent media and civil society organizations to assist in their efforts to verify media, generate authenticated media, and educate the public?
- What has been your company’s engagement with candidates and election officials with respect to anticipating misuse of your products, as well as the effective utilization of content credentialing or other media authentication tools for their public communications?
- Has your company worked to develop widely-available detection tools and methods to identify, catalogue, and/or continuously track the distribution of machine-generated or machine-manipulated content?
- (To the extent your company offers social media or other content distribution platforms) What kinds of internal classifiers and detection measures are you developing to identify machine-generated or machine-manipulated content? To what extent do these measures depend on collaboration or contributions from generative AI vendors?
- (To the extent your company offers social media or other content distribution platforms) What mechanisms has your platform implemented to enable victims of impersonation campaigns to report content that may violate your Terms of Service? Do you maintain separate reporting tools for public figures?
- (To the extent your company offers generative AI products) What mechanisms has your platform implemented to enable victims of impersonation campaigns that may have relied on your models to report activity that may violate your Terms of Service?
- (To the extent your company offers social media or other content distribution platforms) What is the current status of information sharing between platforms on detecting machine-generated or machine-manipulated content that may be used for malicious ends (such as election disinformation, non-consensual intimate imagery, online harassment, etc.)? Will your company commit to participation in a common database of violative content?
Thank you for your attention to these important matters and I look forward to your response.
###
Warner, Tillis Introduce Legislation to Advance Security of Artificial Intelligence Ecosystem
May 01 2024
WASHINGTON – Today, U.S. Sens. Mark R. Warner (D-VA), Chairman of the Senate Select Committee on Intelligence, and Thom Tillis (R-NC) – the bipartisan co-chairs of the Senate Cybersecurity Caucus – introduced the Secure Artificial Intelligence Act of 2024, legislation to improve the tracking and processing of security and safety incidents and risks associated with Artificial Intelligence (AI). Specifically, this legislation aims to improve information sharing between the federal government and private companies by updating cybersecurity reporting systems to better incorporate AI systems. The legislation would also create a voluntary database to record AI-related cybersecurity incidents including so-called “near miss” events.
As the development and use of AI grow, so does the potential for security and safety incidents that harm organizations and the public. Currently, efforts within the federal government – led by the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA) – play a crucial role in tracking cybersecurity through their National Vulnerability Database (NVD) and the Common Vulnerabilities and Exposures Program (CVE), respectively. The National Security Agency (NSA), through the Cybersecurity Collaboration Center, also provides intel-driven cybersecurity guidance for emerging and chronic cybersecurity challenges through open, collaborative partnerships. However, these systems do not currently reflect the ways in which AI systems can differ dramatically from traditional software, including the ways in which exploits developed to subvert AI systems (a body of research often known as “adversarial machine learning” or “counter-AI”) often do not resemble conventional information security exploits. This legislation updates current standards for cyber incident reporting and information sharing at these organizations to include and better protect against the risks associated with AI. The legislation also establishes an Artificial Intelligence Security Center at the NSA to drive counter-AI research, provide an AI research test-bed to the private sector and academic researchers, develop guidance to prevent or mitigate counter-AI techniques, and promote secure AI adoption.
“As we continue to embrace all the opportunities that AI brings, it is imperative that we continue to safeguard against the threats posed by – and to -- this new technology, and information sharing between the federal government and the private sector plays a crucial role,” said Sen. Warner. “By ensuring that public-private communications remain open and up-to-date on current threats facing our industry, we are taking the necessary steps to safeguard against this new generation of threats facing our infrastructure.”
"Safeguarding organizations from cybersecurity risks involving AI requires collaboration and innovation from both the private and public sector,” said Sen. Tillis. "This commonsense legislation creates a voluntary database for reporting AI security and safety incidents and promotes best practices to mitigate AI risks. Additionally, this bill would establish a new Artificial Intelligence Security Center, within the NSA, tasked with promoting secure AI adoption as we continue to innovate and embrace new AI technologies."
Specifically, the Secure Artificial Intelligence Act would:
- Require NIST to update the NVD and require CISA to update the CVE program or develop a new process to track voluntary reports of AI security vulnerabilities;
- Establish a public database to track voluntary reports of AI security and safety incidents;
- Create a multi-stakeholder process that encourages the development and adoption of best practices that address supply chain risks associated with training and maintaining AI models; and
- Establish an Artificial Intelligence Security Center at the NSA to provide an AI research test-bed to the private sector and academic researchers, develop guidance to prevent or mitigate counter-AI techniques, and promote secure AI adoption.
“IBM is proud to support the Secure AI Act that expands the current work of NIST, DHS, and NSA and addresses safety and security incidents in AI systems. We commend Senator Warner and Senator Tillis for building upon existing voluntary mechanisms to help harmonize efforts across the government. We urge Congress to ensure these mechanisms are adequately funded to track and manage today’s cyber vulnerabilities, including risks associated with AI,” said Christopher Padilla, Vice President, Government and Regulatory Affairs, IBM Corporation.
“Ensuring the safety and security of AI systems is paramount to facilitating public trust in the technology. ITI commends U.S. Senators Warner and Tillis for introducing the Secure Artificial Intelligence Act, which will advance AI security, encourage the use of voluntary standards to disclose vulnerabilities, and promote public-private collaboration on AI supply chain risk management. ITI also appreciates that this legislation establishes the National Security Agency’s AI Security Center and streamlines coordination with existing AI-focused entities,” said ITI President and CEO Jason Oxman.
“AI security is too big of a task for any one company to tackle alone,” said Jason Green-Lowe, Executive Director of the Center for AI Policy. “AI developers have much to learn from each other about how to keep their systems safe, and it’s high time they started sharing that information. That’s why the Center for AI Policy is pleased to see Congress coordinating a standard format and shared database for AI incident reporting. We firmly support Senator Warner and Tillis’s new bill.”
Full text of the legislation is available here. A one-page summary of the legislation is available here.
###
WASHINGTON – Today, U.S. Sen. Mark R. Warner (D-VA), a member of the Senate Finance Committee and co-chair of the Senate Cybersecurity Caucus, introduced the Health Care Cybersecurity Improvement Act of 2024, legislation that would allow for advance and accelerated payments to health care providers in the event of a cyber incident, as long as they and their vendors meet minimum cybersecurity standards. The legislation follows a ransomware attack on Change Healthcare that has paralyzed billing services for providers nationwide, leaving many in danger of becoming financially insolvent.
“I’ve been sounding the alarm about cybersecurity in the health care sector for some time. It was only a matter of time before we saw a major attack that disrupted the ability to care for patients nationwide,” said Sen. Warner. “The recent hack of Change Healthcare is a reminder that the entire health care industry is vulnerable and needs to step up its game. This legislation would provide some important financial incentives for providers and vendors to do so.”
In rare situations, Medicare Part A providers (such as acute care hospitals, skilled nursing facilities, and other inpatient care facilities) and Part B suppliers (including physicians, nonphysician practitioners, durable medical equipment suppliers, and others who furnish outpatient services) can face cash flow challenges due to specified circumstances beyond their control (for instance, during the COVID-19 pandemic). Since the 1980s, the Centers for Medicare & Medicaid Services (CMS) has provided temporary financial relief to participants in these programs through Accelerated and Advance Payment (AAP) programs, during which these providers and suppliers receive advance payments from the federal government that are later recovered by withholding payment for subsequent claims.
The Health Care Cybersecurity Improvement Act of 2024 would modify the existing Medicare Hospital Accelerated Payment Program and the Medicare Part B Advance Payment Program by:
- Requiring the Secretary to determine if the need for payments results from a cyber incident;
- If it does, requiring the health care provider receiving the payment to meet minimum cybersecurity standards, as determined by the Secretary, to be eligible; and
- If a provider’s intermediary was the target of the incident, the intermediary must also meet minimum cybersecurity standards, as determined by the Secretary, for the provider to receive the payments.
These provisions would go into effect two years from the date of enactment. A copy of the bill text is available here.
In 2022, Sen. Warner authored “Cybersecurity is Patient Safety,” a policy options paper, outlining current cybersecurity threats facing health care providers and systems and offering for discussion a series of policy solutions to improve cybersecurity across the industry. Since publishing, Sen. Warner has launched the Health Care Cybersecurity Working Group with a bipartisan group of colleagues to examine and propose potential legislative solutions to strengthen cybersecurity in the health care and public health sector.
###
WASHINGTON – Today, U.S. Sen. Mark Warner (D-VA), Chairman of the Senate Select Committee on Intelligence, released the following statement on the cybersecurity incident at Change Healthcare:
“This ransomware attack on a major health care company should surprise no one. For some time, I have been sounding the alarm on the need for the entire health care sector to drastically step up its game when it comes to cybersecurity. We’ve previously seen incidents that have caused regional disruptions in clinical care, and it was only a matter of time before one disrupted the ability to treat patients nationwide.
“The U.S. Department of Health and Human Services is working around the clock to help health care providers navigate the attack, and I urge them to ensure all Medicare providers can receive advance and accelerated payments to help them ride this crisis out. If HHS requires additional authorities from Congress to support providers during this time, it’s critical we know that so that we can act as soon as possible.
“This attack demonstrates that we need to have backup plans in place for such incidents. I plan to write and introduce legislation that would provide for accelerated and advanced payments to providers and vendors to protect them in the event of future disruptions, as long as they meet minimum cybersecurity standards.
“While the repercussions of this incident have been primarily – though not wholly – financial, what keeps me up at night is the possibility of a similar widespread attack directly affecting patient care and safety. That is why it is time to consider mandatory cyber hygiene standards for health care providers and their vendors. Sterilization and hand hygiene practices prevent infections – and cyber hygiene practices prevent cyber intrusions. Both are critical to protect patients.”
Sen. Warner has been a leader in the cybersecurity realm throughout his time in the Senate, crafting numerous pieces of legislation aimed at addressing these threats facing our nation. Recognizing that cybersecurity is an increasingly complex issue that affects the health, economic prosperity, national security, and democratic institutions of the United States, Sen. Warner cofounded the bipartisan Senate Cybersecurity Caucus in 2016. A year later, in 2017, he authored the Internet of Things (IoT) Cybersecurity Improvement Act. This legislation, signed into law by President Donald Trump in December 2020, requires that any IoT device purchased with federal funds meet minimum security standards. As Chairman of the Senate Select Committee on Intelligence, Sen. Warner co-authored legislation that requires companies responsible for U.S. critical infrastructure to report cybersecurity incidents to the government. This legislation was signed into law by President Joe Biden as part of the Consolidated Appropriations Act in March 2022.
Sen. Warner has also examined cybersecurity in the health care sector specifically. In 2022, Sen. Warner authored “Cybersecurity is Patient Safety,” a policy options paper, outlining current cybersecurity threats facing health care providers and systems and offering for discussion a series of policy solutions to improve cybersecurity across the industry. Since publishing, Sen. Warner has launched the Health Care Cybersecurity Working Group with a bipartisan group of colleagues to examine and propose potential legislative solutions to strengthen cybersecurity in the health care and public health sector.
###
WASHINGTON – U.S. Sens. Mark R. Warner (D-VA) and Marco Rubio (R-FL), Chairman and Vice Chairman of the Senate Select Committee on Intelligence, wrote to Secretary of Commerce Gina Raimondo to express the urgent need to increase the Commerce Department’s actions to protect U.S. critical technologies – including the biotech sector – through a more robust export-control regime, among other measures. This letter follows previous efforts from Sens. Warner and Rubio to push the Departments of Treasury and Commerce to counter the flow of U.S. technology and investments to the People’s Republic of China (PRC)’s military industrial complex.
“We write to underscore our continued concern that the Department of Commerce has not sufficiently used its existing tools, including export controls, to prevent adversary access to U.S. technology, capital, data, and talent in critical technology sectors,” the senators wrote.
The letter outlines efforts recently taken by PRC-affiliated biotech companies to undermine U.S. leadership in biotechnology and access sensitive American genetic data, including through the acquisition of an American company, which provides genetic sequencing machines to U.S. laboratories.
“We urge the Commerce Department, in cooperation with the Treasury Department and the Intelligence Community, to take a comprehensive approach to protecting American technology, investment, data, and talent in critical technology sectors, such as biotechnology. Specifically, the Commerce Department should implement an export-control regime—as undertaken with the semiconductor industry—and impose controls on the sharing of American data,” the senators continued.
In addition to advocating for the implementation of an export-control regime, the senators also committed to supporting any additional legislation to bolster American biosecurity.
The senators concluded, “The CCP has openly revealed its intentions to utilize biotechnology to advance its military capabilities and ambitions, undermine U.S. security, and continue its egregious violations of human rights. The U.S. must respond forcefully to these intentions. While the Department has ample authorities to take action, we commit to working with the Department if additional legislation is needed to secure American interests in biosecurity.”
A copy of the letter is available here and below:
Dear Secretary Raimondo:
We write to underscore our continued concern that the Department of Commerce has not sufficiently used its existing tools, including export controls, to prevent adversary access to U.S. technology, capital, data, and talent in critical technology sectors. Last February, in our capacity as Chairman and Vice Chairman of the Senate Select Committee on Intelligence, we wrote to you on this topic and have yet to receive a reply. As such, we renew our request for the Department of Commerce to increase its actions to protect U.S. critical technologies, including in the biotechnology sector, through a more robust export-control regime, among other measures.
In our February 9, 2023 letter, we highlighted the continued efforts by the People’s Republic of China (PRC) to target American technology, investment, and data in order to monopolize global supply chains, achieve technological dominance, and displace U.S. economic and military leadership. We urged the Department to use its authorities to track PRC efforts to acquire U.S. innovation, and immediately restrict these activities.
The PRC has continued its attempts to leverage the lack of U.S. controls surrounding access to American innovation, data, and talent to undermine U.S. superiority in critical sectors and related supply chains. The PRC has capitalized on the massive amounts of U.S. data and innovation it has acquired to develop weapons and technologies for nefarious ends.
We were pleased to see the Department of Commerce add 37 entities, including Beijing Genomics Institute (BGI) Research, BGI Tech Solutions, and Forensic Genomics International, to its Entity List in March 2023. The U.S. government, however, continues to allow PRC biotechnology companies to operate freely within the U.S., to purchase and/or invest in U.S. companies, and to acquire U.S. data. These companies include: BGI Group, MGI Tech, Complete Genomics, WuXi AppTech, and WuXi Biologics, which have linkages to the People’s Liberation Army (PLA), the Chinese Communist Party’s (CCP) Military-Civil Fusion program, and/or to the PRC’s ongoing genocide in the Xinjiang Uyghur Autonomous Region. For example, BGI has purchased American companies and leveraged these American companies to provide machines to unwitting U.S. laboratories and obtain sensitive genetic data of Americans.
We urge the Commerce Department, in cooperation with the Treasury Department and the Intelligence Community, to take a comprehensive approach to protecting American technology, investment, data, and talent in critical technology sectors, such as biotechnology. Specifically, the Commerce Department should implement an export-control regime—as undertaken with the semiconductor industry—and impose controls on the sharing of American data. The CCP has openly revealed its intentions to utilize biotechnology to advance its military capabilities and ambitions, undermine U.S. security, and continue its egregious violations of human rights. The U.S. must respond forcefully to these intentions. While the Department has ample authorities to take action, we commit to working with the Department if additional legislation is needed to secure American interests in biosecurity.
###
WASHINGTON – Today, U.S. Sens. Mark R. Warner (D-VA) and John Thune (R-SD) introduced the Drone Evaluation to Eliminate Cyber Threats Act of 2024 (DETECT Act), legislation directing the National Institute of Standards and Technology (NIST) to develop cybersecurity guidelines for the federal government’s use of drones.
Drones have the ability to collect sensitive information, and as they become more common, the security of this technology is of increasing importance. The DETECT Act would address cybersecurity concerns by directing the National Institute of Standards and Technology (NIST) to develop a set of guidelines. Following an implementation period, these guidelines would be binding on the federal government’s use of civilian drones; the private sector may voluntarily use these guidelines in its own operations.
“Drones and unmanned systems have the capability to transform the way we do business, manage our infrastructure, and deliver life-saving medicine, and as drones become a larger part of our society, it’s crucial that we ensure their safety and security,” said Sen. Warner. “This legislation will establish sensible cybersecurity guidelines for drones used by the federal government to ensure that sensitive information is protected while we continue to invest in this new technology.”
“As the capabilities of drones continue to evolve and be utilized by both the federal government and the private sector, it’s critically important that they operate securely,” said Sen. Thune. “This common-sense legislation would require the federal government to follow stringent cybersecurity guidelines and protocols for drones and unmanned systems.”
Specifically, the DETECT Act:
- Directs NIST to develop guidelines covering cybersecurity for civilian drones;
- Directs OMB to test the guidelines by requiring one federal agency to implement them on a pilot basis;
- Directs OMB, after the conclusion of the test period described above, to require every agency with civilian drones to implement policies and principles based on the NIST guidelines;
- Directs OMB to issue guidance to agencies governing the reporting of security vulnerabilities discovered in drones used by the agencies;
- Requires contractors who supply civilian drones or drone-related services to the federal government to report any security vulnerabilities discovered;
- Directs the Federal Acquisition Regulatory Council to promulgate any necessary regulation to carry the foregoing contractor requirements into effect;
- Forbids agencies from acquiring drones that do not meet the guidelines referenced above, subject to a waiver process under certain circumstances.
Sens. Warner and Thune have been strong supporters of the domestic production of unmanned systems, including driverless cars, drones, and unmanned maritime vehicles, and have taken steps to ensure that domestic production of drones is both safe and keeping up with global competitors. Last year, the senators introduced the Increasing Competitiveness for American Drones Act, legislation that would clear the way for drones to be used for commercial transport of goods across the country. Sen. Warner also championed legislation to prohibit federal dollars from being used to procure or operate drones from countries or companies identified as posing a national security threat, which was ultimately included in the National Defense Authorization Act (NDAA) of 2024.
“As the use of drones for multiple types of important operations – critical infrastructure inspection, public safety, agriculture, drone delivery, and more – has grown significantly in recent years, the need for cybersecurity standards for these critical mission tools has become evident,” said Michael Robbins, Chief Advocacy Officer of the Association for Uncrewed Vehicle Systems International. “To ensure safety and security, the U.S. must lead in this area. AUVSI thanks Senators Warner and Thune for their leadership in protecting our nation from cyber risks and supporting American leadership in advanced aviation.”
Full text of the legislation is available here.
###
Sen. Warner, Colleagues Launch Bipartisan Senate Health Care Cybersecurity Working Group
Nov 02 2023
Today, U.S. Sens. Mark R. Warner (D-VA), Chairman of the Senate Select Committee on Intelligence, Bill Cassidy, M.D. (R-LA), ranking member of the Senate Health, Education, Labor, and Pensions (HELP) Committee, John Cornyn (R-TX), and Maggie Hassan (D-NH) launched a bipartisan working group to examine and propose potential legislative solutions in the HELP Committee jurisdiction to strengthen cybersecurity in the health care and public health sector. This effort comes at a time of record cybersecurity attacks on health care entities. Health records, unlike other personal records like credit card numbers, are more valuable on the black market since health conditions are permanent and cannot be reissued.
According to the Department of Health and Human Services (HHS), a record 89 million Americans have already had their health information breached, more than double since last year. These cyberattacks severely impact health care operations, costing an average of $10 million per breach and leading to an interruption or long-term delay in care. Last year in Louisiana, hackers compromised almost 270,000 personal records, including health information.
“As Chairman of the Senate Select Committee on Intelligence, I am acutely aware of the most serious threats facing our country, and I know that shoring up our cybersecurity is one of the best tools we have to protect ourselves and our sensitive materials. In no industry is this more obvious and important than health care, where such care is increasingly connected and even a brief period of interruption can have life and death consequences. I am proud to launch this bipartisan group to build on the policy options I have been exploring and better improve our cybersecurity through legislative fixes,” said Sen. Warner.
“We are seeing a disturbing rise in cyberattacks on our health care system. These attacks not only put patients’ sensitive health data at risk but can delay life-saving care,” said Dr. Cassidy. “Just like a strong military and police force defends us against physical attacks, we must ensure health institutions can safeguard against increasing cyber threats and protect Americans’ crucial health data.”
“Cyberattacks on health care organizations threaten the security of patients’ private medical information and can interrupt the delivery of critical care,” said Sen. Cornyn. “I am eager to join my colleagues in looking for solutions that shield our health care institutions and Americans from these dangerous crimes.”
“Hospitals and doctor’s offices are increasingly facing cyberattacks that threaten to expose patients’ medical information and even shut down ERs,” said Sen. Hassan. “This is a particularly pressing challenge for rural doctors and hospitals, which often don’t have the resources necessary to protect against these threats. I am glad to join this bipartisan working group to find effective, commonsense ways to protect medical providers and patients from cyberattacks.”
Warner Calls on Office of Management and Budget to Prioritize Cybersecurity Implementation
Sep 26 2023
WASHINGTON – Today, U.S. Sen. Mark R. Warner (D-VA), Chairman of the Senate Select Committee on Intelligence, wrote to Office of Management and Budget (OMB) Director Shalanda Young, calling on OMB to fulfill requirements outlined in his Internet of Things Cybersecurity Improvement Act of 2020. Under the law, OMB was directed to complete a review of agency policies pertaining to IoT devices to ensure they are consistent with the National Institute of Standards and Technology (NIST) cybersecurity guidelines. Almost three years later, OMB has yet to complete this review.
“I acknowledge that the law has far-reaching impacts across the federal government, which may require extensive interagency coordination, but I believe that IoT cybersecurity is of critical importance to our national security,” Sen. Warner wrote. “I am disappointed to see that OMB has not yet fulfilled its obligation to ensure that IoT devices procured by the Federal government meet the NIST guidance.”
Sen. Warner recognized the progress made by the agency to issue guidance, but voiced frustration over the lack of urgency to review agency policies.
He continued, “We were happy to see some forward progress – namely, the inclusion of information on the IoT Cybersecurity waiver process in OMB’s December, 2022 FISMA guidance – and we know that you intend to include additional guidelines in the upcoming Fall 2023 FISMA guidance. However, I am concerned by the pace that OMB has taken to meet its statutory obligations under federal law.”
In order to ensure that OMB is taking appropriate steps to fulfill its obligations outlined in the Internet of Things Cybersecurity Improvement Act of 2020, Sen. Warner posed a series of questions to Director Young:
- Where is OMB in the review of agency information security policies and principles to ensure that they align with NIST guidelines?
- What policies and principles has OMB issued to date to:
  - ensure agency policies and principles are consistent with the NIST standards and guidelines?
  - address security vulnerabilities of information systems?
- Which agencies have aligned policies with NIST guidelines, and which have yet to do so?
- Is OMB tracking the volume of waivers that agencies are granting? Can you provide my office with a summary of these numbers?
Sen. Warner, a former technology entrepreneur, is co-Chair of the Senate Cybersecurity Caucus and is a leader in the Senate on security issues related to the Internet of Things.
Text of the letter can be found here and below.
Dear Director Young,
I write today to express my concern and emphasize my support for the implementation of the Internet of Things Cybersecurity Improvement Act of 2020 (Public Law No: 116-207). This Act, signed into law on December 4, 2020, requires the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) to take steps to increase the cybersecurity of Internet of Things (IoT) devices acquired by the Federal Government. NIST completed its statutory obligation – publishing IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements – on November 29, 2021. However, OMB has yet to uphold its own statutory obligation under the law – to review agency policies and principles pertaining to IoT devices to ensure those policies and principles are consistent with the NIST guidelines. Under the law, OMB was supposed to complete the agency review within 180 days of NIST’s publication but has yet to make significant progress on a key piece of implementation.
I acknowledge that the law has far-reaching impacts across the Federal government, which may require extensive interagency coordination, but I believe that IoT cybersecurity is of critical importance to our national security. The security of the Federal government’s IoT devices is a priority the Administration and I share, as outlined by Executive Order 14028, Improving the Nation’s Cybersecurity (EO 14028). Despite the requirements under this law and the aforementioned EO, I am disappointed to see that OMB has not yet fulfilled its obligation to ensure that IoT devices procured by the Federal government meet the NIST guidance.
Throughout 2022 and 2023, my office has been engaged with you in order to better understand where OMB stands in their implementation of this law. We were happy to see some forward progress – namely, the inclusion of information on the IoT Cybersecurity waiver process in OMB’s December, 2022 FISMA guidance – and we know that you intend to include additional guidelines in the upcoming Fall 2023 FISMA guidance. However, I am concerned by the pace that OMB has taken to meet its statutory obligations under federal law.
We intended the IoT Cybersecurity Improvement Act to harness the purchasing power of the federal government and incentivize companies to finally secure the devices they create and sell. I would like to emphasize the importance of OMB’s implementation of the IoT Cybersecurity Improvement Act of 2020 and ask that you provide responses to the following questions within 60 days:
- Where is OMB in the review of agency information security policies and principles to ensure that they align with NIST guidelines?
- What policies and principles has OMB issued to date to:
  - ensure agency policies and principles are consistent with the NIST standards and guidelines?
  - address security vulnerabilities of information systems?
- Which agencies have aligned policies with NIST guidelines, and which have yet to do so?
- Is OMB tracking the volume of waivers that agencies are granting? Can you provide my office with a summary of these numbers?
I applaud OMB’s continued efforts to improve Federal government cybersecurity, and look forward to continued engagement as you make progress with implementation of the IoT Cybersecurity Improvement Act of 2020.
Sincerely,
###