Welcome to the CAVEAT Weekly Newsletter, where we break down some of the major developments and happenings occurring worldwide when discussing cybersecurity, privacy, digital surveillance, and technology policy.
At 1,300 words, this briefing is about a 6-minute read.
At a glance.
- EU looks to revamp Chips Act.
- CISA expires alongside the government shutdown.
EU unites around Chips Act 2.0.
The news.
On Monday, all of the European Union’s (EU) member states entered a Dutch-led chips coalition that aims to revise the regional government’s Chips Act. The group, better known as the “semicon coalition,” was created in March with nine member states, including the Netherlands, Italy, France, Germany, and Spain.
The revision aims to close the gaps left unaddressed by the original Act. A core aspect of this revision involves creating a more targeted drive to secure emerging technologies, speed up approval processes, and deepen the skills and financial capabilities across the semiconductor supply chain.
With this development, Dutch Economic Affairs Minister Vincent Karremans stated:
“Today all EU Ministers agreed on the fact that Europe’s industrial strategy should adapt to the increasing geopolitical tensions in the world.”
The knowledge.
This move to revamp the EU’s Chips Act follows the bill's failure to attract the investment opportunities the regional body had previously hoped for. Notably, the industry group, SEMI, has pushed back on the current system, claiming that it has stifled opportunities in the region. The group has emphasized that the regional government needs to have both a separate budget for chips and the need to quadruple semiconductor spending.
For greater context on the bill, the Chips Act was formally adopted in 2023 and aimed to establish a framework for improving the region’s semiconductor industry. The bill established three core pillars to execute on this strategic objective. These included:
- The “Chips for Europe Initiative” looked to support large-scale innovation and manufacturing.
- A new framework aimed at incentivizing both public and private investments to improve supply chains and resilience.
- A coordination mechanism through a new semiconductor board to facilitate communication between stakeholders, member states, and the European Commission.
The impact.
While the details of the revision have not yet been released, it is clear that the regional body is looking to spur greater investment. By attracting greater participation and growth in the EU’s semiconductor industry, the various member nations are looking to take on a greater role in the world’s emerging technologies and create a more resilient infrastructure rather than continue depending on foreign nations for the majority of their manufacturing and distribution needs.
Businesses in the sector will need to track these revisions closely, as they could reshape investment strategies, existing supply chains, and partnership structures in the EU. Accounting for and properly managing these changes will be critical for European companies both to avoid manageable risks and take advantage of new opportunities.
CISA expires after government shutdown.
The news.
This week, Congress failed to reauthorize the 2015 Cybersecurity Information Sharing Act (CISA). The bill expired on September 30th after Congress was unable to pass an extension for the foundational security bill. The expiration occurred alongside the federal government’s shutdown.
Senator Gary Peters warned about the dangers of letting this bill expire on Tuesday. Senator Peters stated:
“If we don’t extend these critical authorities, we will lose one of our most effective defenses against cyberattacks, as our adversaries’ attacks continue to grow more aggressive and more sophisticated. This law has protected our economy, it has protected our infrastructure, and it has protected our government for more than a decade.”
While the House of Representatives did introduce a short-term extension in mid-September, the resolution failed to pass. If the resolution had passed, it would have extended the bill’s original provisions and authorities until November 21st, 2025.
The knowledge.
Since its passage in 2015, CISA has been one of the most foundational cybersecurity laws. One of the core provisions of the original law was to allow for the sharing of internet traffic information between both government agencies and private companies. By encouraging companies to share cyber threat indicators, like malware signatures, IP addresses, or threat actor tactics, with the Department of Homeland Security, the government became a central hub for both receiving and distributing cybersecurity threat information.
Additionally, the law also gave liability protections to companies sharing threat data, provided they were following all the law’s guidelines. This provision was crucial to increasing information sharing, as it alleviated concerns about being sued by customers or partners.
On September 24th, the Protecting America’s Cyber Networks Coalition wrote a letter to Congress emphasizing the importance of the law. The coalition, made up of numerous private and public entities, wrote the following:
“This important cybersecurity law allows private entities to enhance their protection of data, devices, and networks while promoting cyber threat information sharing with industry and government partners within a secure policy and legal framework.”
The coalition further emphasized that reauthorizing the bill has broad bipartisan support and urged lawmakers to send reauthorization legislation to ensure businesses “have legal certainty and protection against frivolous lawsuits when voluntarily sharing and receiving threat indicators.”
The impact.
Without CISA, companies lose their clear liability protections when sharing threat data, which may both slow down the flow of sharing efforts and negatively impact cooperation. That gap could lead to slower and more fragmented response efforts in the short term.
With the ongoing federal government shutdown, it is unclear when Congress will pass a new funding bill, which could take weeks, if not longer. Until Congress acts, US businesses are going to operate in a more uncertain and likely riskier cyber environment.
Highlighting key conversations.
In this week’s Caveat Podcast, our team focused on two key stories. The first involves law enforcement beginning to implement AI platforms to assist with synthesizing evidence for criminal cases. The second story focuses on Taiwan and how the nation has been facing increasing pressures to move its chip manufacturing capabilities to the US.
Like what you read, and curious about the conversation? Head over to the Caveat Podcast for the full scoop and additional compelling insights. Our Caveat Podcast is a weekly show where we discuss topics related to surveillance, digital privacy, cybersecurity law, and policy. Got a question you'd like us to answer on our show? You can send your audio file to caveat@thecyberwire.com. Hope to hear from you.
Other noteworthy stories.
Trump signs TikTok order.
What: President Trump signed an executive order announcing his plan to sell TikTok to US owners.
Why: Last week, President Trump signed an executive order declaring his intent to sell TikTok to US owners. The new company will be valued at around $14 billion. According to the order, TikTok’s algorithm will be retained and monitored by the US and will be under the control of the new joint venture.
With this order, Vice President JD Vance stated:
“There was some resistance on the Chinese side, but the fundamental thing that we wanted to accomplish is that we wanted to keep TikTok operating, but we also wanted to make sure that we protected Americans’ data privacy as required by law.”
Amazon settles FTC lawsuit for $2.5 billion.
What: Amazon settled a lawsuit alleging that the company used deceptive methods to sign up Prime customers.
Why: Last week, Amazon and the Federal Trade Commission (FTC) settled a lawsuit, which will require Amazon to pay a $1 billion civil penalty and provide $1.5 billion in refunds. The Settlement also requires them to cease their unlawful enrollment and cancellation practices related to Prime.
FTC Chairman Andrew Ferguson commented on the settlement, stating:
“Today, the Trump-Vance FTC made history and secured a record-breaking, monumental win for the millions of Americans who are tired of deceptive subscriptions that feel impossible to cancel.”