Warner Introduces Bill to Update Our Country’s Cybersecurity Plans, Defend Against Emerging AI Threats

WASHINGTON — U.S. Sen. Mark R. Warner (D-VA) today introduced the Combat Emerging Threats to Critical Infrastructure Act of 2026 , legislation that directs the Cybersecurity and Infrastructure Agency (CISA) to work with regulators and industry to develop up-to-date cybersecurity plans. In light of artificial intelligence’s rapid advancement, including the development of Anthropic’s Claude Mythos – an AI model capable of identifying and exploiting vulnerabilities in our country’s cybersecurity infrastructure – it is critical that CISA coordinate with other federal agencies to ensure there are current cybersecurity plans can meet emerging threats. “As AI continues to rapidly evolve, we must ensure our cybersecurity defenses keep up with the threats of the moment,” said Sen. Warner. “It’s critical that government works closely with industry, regulators, and cybersecurity experts to develop and regularly update the plans we need to protect our critical infrastructure from increasingly sophisticated malicious actors, including those enabled by AI.” There are 16 critical infrastructure sectors designated under National Security Memorandum 22 (NSM-22) , a memo that helps ensure U.S. critical infrastructure can provide the nation a strong and innovative economy, protect American families, and enhance our collective resilience to disasters before they happen. NSM-22 required CISA, in conjunction with other federal departments and agencies designated as Sector Risk Management Agencies (SRMAs) , to develop sector-specific plans for each critical infrastructure sector. NSM-22 required a biennial updating of each sector-specific cybersecurity plan by the appropriate SRMA and that sector’s coordinating council. That update cadence has not been maintained, in many cases, for years. In fact, the cybersecurity plan for some critical infrastructure sectors has not been updated for over a decade. Specifically, the Combat Emerging Threats to Critical Infrastructure Act of 2026 would require CISA to complete the following: Update the sector-specific plans for each of the 16 critical infrastructure sectors – in conjunction with other SRMAs as appropriate – within 9 months of enactment; Notify and provide a copy of each cybersecurity plan to Congress within a month of completing that sector’s update; Determine each critical infrastructure sectors risk profile for technology-facilitated threats – like AI-enhanced cyberattacks, AI supply chain vulnerabilities, deepfakes, robotics, and quantum-based attacks on cryptography; and Update cybersecurity plans – in conjunction with the appropriate SRMAs – every two years and provide the associated congressional notification requirements. This bill is supported by the National Electrical Manufacturers Association. “Manufacturing is a critical pillar of America’s economy, and the electroindustry provides the essential technologies that every other critical infrastructure sector is built upon,” Brian Papp, Managing Director of Government Relations at NEMA . “As cyber and supply chain threats continue to evolve, the Combat Emerging Threats to Critical Infrastructure Act will help ensure security plans remain current, strengthen operational resilience, and equip manufacturers to address emerging risks, protect critical operations, and bolster American competitiveness.” Read the full bill here . ###