Nextgov/FCW - Cybersecurity

New CISA directive would reshape how agencies prioritize cyber risk, official says

David DiMolfetta — Tue, 09 Jun 2026 12:51:00 -0400

The Cybersecurity and Infrastructure Security Agency plans to release a binding directive on Wednesday that tasks the federal government with rethinking how it manages risks to its networks and prioritizing cyber vulnerabilities that demand the most urgency, agency acting director Nick Andersen said.

The goal is to push agencies to focus less on the sheer number of known cyber vulnerabilities and more on the risks those flaws pose if they’re exploited by hackers, said Andersen, who added that the cyber community needs to “be okay with saying there are some systems that are less important than others.”

“If we try to say that everything is equally as important, then absolutely nothing’s going to be important,” he told an audience of industry professionals at a Tuesday event held by cybersecurity firm Axonious.

“It’s going to be really hard for us, if one day we have to have those hard conversations with people about how we knew better and how we didn’t prioritize risk appropriately, how we didn’t make the hard choices,” he added.

The remarks are an acknowledgment that agencies cannot protect every system equally through patch mandates, and must instead focus their often limited resources on the vulnerabilities and networks whose compromise could cause the greatest damage.

Federal agencies are a constant target for hackers. For years, adversaries have compromised government systems for access to emails, employee records and other sensitive data.

Government agencies also oversee industry sectors such as energy, healthcare, telecommunications and water, meaning their cyber staff must also weigh how disruptions could ripple across critical services.

On the sidelines of the event, Andersen told reporters that artificial intelligence-backed cyber threats are one factor informing discussions around the directive, but he said CISA’s work on the AI ecosystem still predates the release of powerful systems such as Anthropic’s Mythos.

The administration’s approach to AI has shifted in recent months as officials confront a new class of cyber-focused models that can rapidly identify vulnerabilities across computer networks, becoming a major driver of discussions over how advanced AI systems could reshape both defensive and offensive cyber operations.

President Donald Trump recently signed an AI security executive order that encourages developers to submit powerful new models to a 30-day government review before public release. On Friday, he signed a memorandum aimed at speeding up government use of advanced AI across the military and intelligence community.

“Is the [directive] a recognition that we’re in a different dynamic environment with a shorter timeline to weaponization and exploitation? Yeah, that’s certainly a part of it,” Andersen said. “But well before these last couple of months, this is a conversation that we were having about this ever-shrinking window we have for addressing vulnerabilities today.”

“It’s too exceedingly easy for malicious cyber actors to be able to exploit [vulnerabilities] as soon as they’re published and be able to take advantage of the fact that a lot of people are just not as well-resourced as we would like, and they’re not as able to quickly have a continuous patch cycle to be able to address some of these devices,” he added.

]]>

CISA unveils President’s Cup Cybersecurity Competition winners

Alexandra Kelley — Tue, 09 Jun 2026 12:03:00 -0400

The Cybersecurity and Infrastructure Security Agency on Tuesday announced the winners of its 7th annual cybersecurity contest that brings federal employees together to test digital security strategies and responses.

The winners of the President’s Cup Cybersecurity Competition competed across three categories. For the Defense Track Champion, the “sheriffsparks” team from the U.S. Navy won, and the Offensive Track Champion winner was team “bdubya” from the U.S. Army.

The final winner of the Teams Champion category is the U.S. Army and U.S. Marine Corps’ “ENOENTHUSIASM” team.

The President’s Cup, an initiative established by President Donald Trump in an executive order during his first term in office, aims to test and harness the cybersecurity knowledge of federal workers across the government. Tasks in the challenge feature simulations of “high-stakes cyber operations requiring precision, resilience, and deep technical knowledge,” per the press release. Examples of scenarios include incident response, analyzing digital forensics, reverse engineering and threat hunting.

“The President’s Cup features the best cybersecurity talent the U.S. government has to offer,” said CISA Acting Director Nick Andersen in the press release. “These champions rose above an elite field, securing victory through sharp analysis, decisive action, and advanced cyber tradecraft. We congratulate this year’s winners and thank everyone who participated in the seventh annual President’s Cup.”

The President’s Cup began in January, with finalists competing to the end of May. CISA said that over 800 individuals and 200 teams entered to compete in the 2026 Cup.

While the competition aims to reward and highlight cybersecurity talent and promote cybersecurity education within the federal workforce, it also aims to bring levity and fun to digital defense and government work.

Michael Harpin, the cyber training branch chief at CISA, told Nextgov/FCW in 2024 that the President’s Cup isn’t meant to simply be an extension of daily work.

“We do want to have some fun with the participants and not to make it too regimented,” Harpin said. “But we do also want to focus that these are real-life skills and tasks that they would have to do within a cybersecurity workforce.”

]]>

Warner unveils bill to restore cyber information-sharing program funding

David DiMolfetta — Fri, 05 Jun 2026 16:02:00 -0400

Sen. Mark Warner, D-Va., is introducing legislation to permanently fund a cybersecurity information-sharing program used by thousands of state, local, tribal and territorial governments, after the Trump administration ended federal support for the effort last year.

The measure would require the Cybersecurity and Infrastructure Security Agency to provide funding for the Multi-State Information Sharing and Analysis Center, or MS-ISAC, a nonprofit-run program that offers services like threat intelligence and incident response assistance to roughly 19,000 government entities nationwide.

Under former Homeland Security Secretary Kristi Noem, DHS terminated CISA’s funding agreement with the Center for Internet Security, which operates MS-ISAC, and barred certain federal grant funds from being used for membership fees. Critics argued the move weakened a key mechanism for sharing cyber threat information with smaller governments that often lack dedicated cybersecurity resources.

Warner’s legislation would direct CISA to enter into a new agreement with the Center for Internet Security to provide cybersecurity services and threat intelligence at no cost to state, local, tribal and territorial entities. It would also authorize $50 million annually beginning in fiscal year 2027 and require the cyberdefense agency to report to Congress on its efforts to restore and expand participation.

In a letter sent Thursday to Homeland Security Secretary Markwayne Mullin, Warner urged the department to restore support for the program and reverse broader cuts to CISA. The senator argued that eliminating MS-ISAC funding left communities with fewer resources to detect and respond to cyber threats and more vulnerable to attacks.

“This is too important to let politics get in the way. I will stand alongside anyone committed to ensuring that when our adversaries test our critical infrastructure, it holds fast,” Warner wrote to Mullin. “I want to work with you to achieve that end and ask that you reach out to me directly to coordinate — because the question is not whether our critical infrastructure will be targeted, but whether we will be ready when it is.”

John Gilligan, president and CEO of the Center for Internet Security, did not directly address the bill but told Nextgov/FCW in a statement that MS-ISAC has supported cyber stakeholders for more than two decades and has received congressional funding for at least 20 years.

“In fiscal year 2025, the appropriated funding was $27 million,” he said.

“The Cybersecurity and Infrastructure Security Agency (CISA) communicates with our state and local partners regularly and provides them with timely threat intelligence, expertise, no-cost tools and resources these partners need to defend against risks. This includes working with the Multi-State Information Sharing and Analysis Center (MS-ISAC) to share cybersecurity information and guidance. State and local governments seeking assistance are encouraged to contact our CISA regional teams who can help assess risk, strengthen defenses, enhance resilience, and respond immediately to incidents," said CISA Chief External Affairs Officer Christine Serrano Glassner in a statement.

DHS did not immediately respond to a request for comment.

Warner also sent separate letters to governors nationwide warning that states may need to take a more active role in defending critical infrastructure as cyber threats grow and federal cybersecurity programs face continued uncertainty. He encouraged them to conduct infrastructure audits, expand participation in regional threat-sharing organizations and identify under-resourced operators that need cyber assistance.

The effort comes as some lawmakers continue to scrutinize staffing reductions, budget cuts and program eliminations at CISA. State and local officials, cybersecurity groups and former officials have repeatedly warned that reducing federal support leaves smaller governments more vulnerable to ransomware and other cyberattacks, especially with midterm elections coming in November.

MS-ISAC was established in 2003 and has long served as one of the core hubs for cyber threat information sharing between federal agencies and state and local governments. Smaller jurisdictions often lean on the center for services they can’t afford to finance on their own.

Editor's note: This article has been updated to include comment from CISA.

]]>

New coalition will enter legal debate over industry’s role in government cyber missions

David DiMolfetta — Thu, 04 Jun 2026 17:45:00 -0400

A new Washington initiative seeks to shape policy debates over how the government and private sector collaborate on cyber operations, a conversation that will inevitably raise complex questions about the legal authorities governing industry’s role, participants say.

Venable’s Center for Cybersecurity Policy and Law launched the Cyber Operations Policy Coalition this week, seeking to be a “trusted forum for collaboration among industry, government, legal experts, academia, and civil society to help develop policy frameworks for collective cyber defense,” according to its mission statement.

At a launch event Wednesday, current and former officials concurred that stakeholders will need to confront unresolved questions about legal authorities, liability and the rules of the road for companies before deeper public‑private cyber operations can truly scale.

Legal expertise will be “key to the success” of integrating industry and government more closely, Katie Sutton, assistant secretary of defense for cyber policy and the principal cyber advisor to the defense secretary, said in a discussion held at the event.

“We talk about authorities — everything is under what authorities do I have, what authorities does Cyber Command have, under what authorities is this operation happening? [There are] a lot of well-defined authorities from a government perspective. Industry actually has quite a few authorities that they can bring to bear too, because they run this domain,” Sutton added.

“We can’t be in a model … asking permission every time a certain step is going to be taken. That’s going to require a lot of the unsexy work we heard about the legal and policy foundations, the understanding of liability and everything that surrounds that,” said Tonya Ugoretz, who heads PwC’s Cyber & Risk Innovation Institute and previously served in senior roles at the FBI and the Office of the Director of National Intelligence.

Unlike traditional military domains, cyber conflict often runs through privately owned networks, forcing the government to rely on companies that may be both targets of foreign activity and essential partners in responding to it.

The U.S. has sought to integrate cyber activity into military operations, lending the debate urgency as the White House more openly discusses offensive cyber operations and as private companies are drawn deeper into the market for cyber tools. The advent of advanced cyber-focused frontier AI models has also contributed to the discussions.

As part of its emerging counter-advanced persistent threat planning with major providers, the Joint Cyber Defense Collaborative — a Cybersecurity and Infrastructure Security Agency-led body for coordinating public and private sector cyberdefense — is beginning to explicitly map out both defensive playbooks and potential offensive-leaning moves that might be on the table in a geopolitical crisis, according to Matt Springer, the JCDC deputy assistant director.

That would also raise fresh questions about legal risk and authorities for companies that own and operate infrastructure. “We have some potential cyber offensive options that could be taken theoretically by partners in those scenarios,” he said at the launch event. “This will get into some of the policy questions I know we wanted to touch on. That’s a dicey area.”

The discussions highlight how cybersecurity is becoming a more central arena for national security law, as officials and industry leaders examine whether existing legal frameworks are sufficient for operations that frequently require closer coordination between the government and private firms.

In the last year, top national officials have sought to highlight the role of cyber operations in their recent military achievements. A new cyber service branch is also being weighed in the must-pass annual defense bill.

]]>

NSA taps three officials for top cybersecurity positions

David DiMolfetta — Mon, 01 Jun 2026 18:22:00 -0400

The National Security Agency has internally named a trio of appointments focused on the spy agency’s cyber operations.

David Imbordino, who has overseen the NSA’s Cybersecurity Directorate in an acting capacity in recent months, has been tapped to lead the office permanently, according to two former senior national security officials familiar with the selections.

Holly Baroody — a senior United Kingdom-based NSA official and a former civilian lead in U.S. Cyber Command — will serve as Imbordino’s deputy, the second former official said. Imbordino and Baroody have served as acting officials in their respective roles since around January.

Created in 2019, the cyber directorate combines the agency’s intelligence-gathering and digital defense expertise to help protect U.S. government networks, military systems and contractors from hacking threats.

The second former official also said that Bruce Jones, a longtime agency leader with experience in both technical and operational roles, will head the NSA’s Cybersecurity Collaboration Center, a hub used to share cyber threat intelligence between the government and the private sector.

Both former officials requested anonymity to communicate their knowledge of the positions.

Nextgov/FCW has asked the NSA for comment. The Record first reported the selections.

For the last year, the signals intelligence and foreign eavesdropping giant has grappled with leadership vacuums and significant morale decline as the Trump administration has sought to taper its workforce.

Gen. Josh Rudd was confirmed in March to lead Cyber Command and the NSA in a dual-hatted manner, with Tim Kosiba joining the spy agency soon after to serve as its deputy director.

The NSA has sought to take a role in artificial intelligence policy developments, amid the recent emergence of advanced cyber-focused AI models that, in the wrong hands, could help foreign adversaries and criminal hackers more easily penetrate U.S. computer networks.

The New York Times reported last month that the White House approved some $9 billion for spy agencies like NSA to accelerate AI adoption, though shortages of advanced computing chips have constrained the use of state-of-the-art AI models on their classified systems.

]]>

Hackers are already laying groundwork to disrupt the 2026 midterms, research says

David DiMolfetta — Mon, 01 Jun 2026 06:00:00 -0400

Hackers are already preparing for the 2026 midterms, with a new report warning that campaigns, fundraising platforms, public websites and local governments could face a wave of phishing, credential theft, artificial intelligence-generated deception and foreign influence activity.

The findings, produced by cybersecurity firm Check Point, do not point to voting machines as the most likely near-term target, but instead warn that attackers are more likely to exploit infrastructure around elections — like campaign accounts and fundraising platforms — to steal credentials, impersonate trusted organizations, disrupt public information or fuel doubts about the nation’s electoral process.

The conclusions come as the Trump administration has pursued a more aggressive role in election administration, including through a March executive order aimed at tightening rules around mail-in voting and voter eligibility. The U.S. Postal Service has also proposed a rule that would require states to submit lists of voters receiving mail ballots.

The report also comes amid scrutiny of the intelligence community’s posture toward election threats under outgoing Director of National Intelligence Tulsi Gabbard. ODNI recently named two officials to coordinate the intelligence community’s election-threat mission for the 2026 cycle.

The firm does not address the administration directly. The assessment is notable, however, because it points to AI and digital threats as more immediate election security concerns, rather than the voting-procedure issues that have dominated talking points from the White House.

“Overall, the most significant 2026 risks center on the trusted accounts, platforms, services, and information channels that election-related organizations rely on to operate and maintain public trust, with election-adjacent systems presenting the more immediate source of operational exposure,” the report says.

Check Point also said it observed sustained election-related infrastructure creation in early 2026, including new websites containing terms such as “election” and “vote.”

In January, the firm identified roughly 1,300 newly registered domains containing the keyword “election” and nearly 3,000 containing “vote.” Between April 13 and May 14, it identified about 1,140 newly registered domains containing “election” and roughly 4,000 containing “vote.”

The company cautioned that those registrations do not prove malicious activity on their own, but they expand the pool of web infrastructure that could later be used for phishing, fake donation pages, impersonation or misinformation campaigns.

Check Point also found exposed credentials tied to some of the most widely used political and government platforms, including roughly 9,500 linked to ActBlue, the Democratic fundraising platform, and 6,500 linked to WinRed, its Republican counterpart. The exposed credentials are not part of a breach of these platforms, but were exposed from compromises of user data through other means.

The firm also observed smaller volumes tied to gop.com and democrats.org, the national party websites, as well as usa.gov, the federal government’s public services portal.

The company identified Russia, Iran and China as the principal state actors to monitor. AI is expected to make their influence operations easier to scale, and could be used to create more convincing phishing lures, cloned audio, manipulated images and deepfake videos.

Local governments may be especially exposed because they often operate with fewer resources, older technology and smaller security teams. Check Point cited recent ransomware incidents affecting Winona County, Minnesota, and Foster City, California, as examples of how municipal cyberattacks can disrupt public services and erode trust in government systems.

“Even when election operations are not directly affected, disruption at the local government level can still create confusion, delay public communications, and undermine confidence during politically sensitive periods,” the report says.

The findings also come as the Cybersecurity and Infrastructure Security Agency’s election security role faces new uncertainty. The Trump administration’s fiscal 2027 budget proposal would eliminate the agency’s election security program, including funds for information-sharing support to state and local officials and dedicated election security advisors.

Efforts under the Trump administration to scale back CISA and its election resources have strained relationships with state and local officials and have raised concerns that jurisdictions may be far less prepared to counter threats in November, officials in Michigan and Georgia said late last month. Sen. Mark Warner, D-Va., the vice chairman of the Senate Intelligence Committee, has also pressed DHS over reports that CISA is no longer providing the same election security training and resources it offered in prior years.

Editor's note: This article has been updated to better clarify how the ActBlue credentials were exposed.

]]>

Cyber Force? Senator pushes to create service branch under the Army

Thomas Novelly — Fri, 29 May 2026 16:59:00 -0400

A new cyber-focused military service branch would sit under the Army if one senator’s proposal comes to fruition.

Sen. Kirsten Gillibrand, D-N.Y., is spearheading a markup amendment to the Senate’s 2027 National Defense Authorization Act that would create a “Cyber Force” as the next armed service branch. The senator’s office confirmed that the amendment proposes to establish the branch under the Army, just as the Space Force and Marine Corps sit under the Air Force and Navy.

Similar provisions are reportedly being floated in the House, according to two people familiar with policy discussions. Earlier this year, Rep. Pat Fallon, R-Texas, told the Center For Strategic and International Studies that a “Cyber Force is inevitable” and “we’re going to get this done.” A Fallon spokesperson did not respond to multiple requests for comment on Friday asking about a potential amendment.

“New and escalating cyber threats on the battlefield demand a change to our current approach. The status quo and years of incremental changes are not meeting the current threat and are insufficient as that threat grows,” Gillibrand told Defense One in an emailed statement. “I believe, and many experts agree, that the creation of a dedicated Cyber Force will ensure the United States is ready to fight and win on the modern battlefield and protect our national security.”

The proposed amendment marks the latest push in a years-long effort. Gillibrand and House lawmakers have backed the idea before. In the 2025 National Defense Authorization Act, lawmakers commissioned the National Academies of Sciences, Engineering, and Medicine to study “alternative organizational models for the cyber forces of the Armed Forces.” Those findings have not been released. Details from the amendments showing what a Cyber Force might look like are not yet public, but think tanks and national security experts have already been pitching their own force designs.

A 2024 Foundation for Defense of Democracies report concluded that a Cyber Force could sit under the Army, muster about 10,000 personnel, and need a budget of around $16.5 billion. In August 2025, the FDD and the Center for Strategic and International Studies announced a commission on Cyber Force Generation. A report from those think tanks is scheduled to be released next month.

One former military official said there would be strengths to a cyber-focused service, but putting it under the Army is a bad idea. They argued that cyber would remain a secondary priority amid the branch’s many missions.

“The Army is the largest service by far,” the former official said. “Manpower-wise, it's like half the department, and it's like, ‘we'll put it under because it'll be easy for the Army to just put in another force.’ It's already hard enough to run the Army as it is.”

Mark Montgomery, a retired Navy rear admiral and an FDD senior fellow who advocates for a Cyber Force, argued that this year is an ideal time to create a new service.

“Timing-wise, you need to do this in the beginning or middle of an administration, not at the end of an administration,” Montgomery said.

The proposed amendment would need to survive multiple Senate and House edits to make the final compromise NDAA.

It’s not clear if the Trump administration would support the latest bipartisan push. Last year, the Pentagon rolled out CYBERCOM 2.0, a series of policy changes aimed at beefing up the recruiting, training, and missions of the existing U.S. Cyber Command.

Katie Sutton, the assistant defense secretary for cyber policy and principal cyber advisor to Defense Secretary Pete Hegseth, defended the Cyber Command reforms during a January Senate hearing, and said a renewed command and a new service could co-exist.

“I think this is a really important debate for us all to be having about the future of the cyber warfighting domain,” Sutton told the Senate Armed Services Committee in January. “I do think one of the most common misconceptions about Cyber Command is that it is a debate between Cyber Command 2.0 and a cyber force, and they are actually separate debates that I believe both need to be had, and we need to look closely at the pros and cons of both.”

Advocates for a separate and independent cyber-focused service branch say it aligns with the Trump administration’s calls for “offensive cyber operations against those planning to kill Americans,” the White House’s new counterterrorism strategy said. It also comes as President Donald Trump and Gen. Dan Caine, the Joint Chiefs chairman, acknowledged the growing role of cyber effects in U.S. military operations in Iran and Venezuela, Defense One and sister publication NextGov/FCW have previously reported.

“The president says, ‘We've got to be more offensive’ but then you got to better generate forces to be offensive, and we don't generate enough forces to do both offensive cyber and defensive cyber operations,” Montgomery said. “A cyber force is clearly necessary.”

]]>

Commercial location data is being used to target US servicemembers, lawmakers warn

Edward Graham — Fri, 29 May 2026 13:10:00 -0400

Foreign adversaries have used commercially available data from U.S. servicemembers to target their locations in active war zones, a bipartisan group of lawmakers revealed Thursday.

In a letter to Department of Defense Chief Information Officer Kirsten Davies, fourteen members of Congress — led by Sen. Ron Wyden, D-Ore., and Rep. Pat Harrigan, R-N.C. — warned that the Pentagon “has not taken basic steps to protect U.S. military personnel from the serious counterintelligence and force protection threat posed by the collection and sale of personal information, including cell phone location data, by data brokers.”

Reuters first reported the news.

According to unclassified written responses that the lawmakers shared with their letter, U.S. Central Command revealed last month that it “has received multiple threat reports concerning adversary exploitation of commercial location data to target or surveil U.S. personnel in theater.”

This type of data can be acquired from legitimate data brokers for a nominal fee and then used to track the locations of groups of individuals, particularly those who follow set routines or are based in remote areas.

“That foreign adversaries are still able to buy location data collected from the phones of U.S. personnel serving in military hotspots is a direct result of DOD leadership’s failure to prioritize this threat and implement common sense cyber defenses recommended by federal cybersecurity experts,” the lawmakers wrote.

The Pentagon has been aware for some time now of the security vulnerabilities posed by publicly available location data from smartphones or other wearable electronic devices.

When mobile fitness app Strava released a Global Heat Map of its users’ activities in late 2017, it inadvertently gave away the locations of some U.S. military sites in the Middle East and provided precise details on the routes personnel took when they jogged. Similar location data from running app Polar also revealed the locations of military personnel, and could be used in some cases to track them to their homes.

DOD subsequently issued a directive in August 2018 that banned uses of apps and devices that share geolocation data “while in locations designated as operational areas.”

In their letter, however, the lawmakers said CENTCOM shared that it “only rolled out the capability to administratively disable location sharing on smartphones” this month. The combatant command also revealed that the Pentagon has not yet taken steps to deactivate the tracking numbers on smartphones that are used by advertisers and data brokers.

“Both iOS and Android also include an opt-in privacy setting to disable this unique advertising ID, which the National Security Agency and the Cybersecurity and Infrastructure Security Agency recommend,” the letter said. “Unfortunately, USCENTCOM confirmed that the advertising ID is still not disabled on government-issued smartphones, but stated that the Defense Information Systems Agency is currently testing a capability to do so.”

The lawmakers urged DOD to disable the advertising ID on all agency-issued smartphones and to issue guidance requiring personnel to do the same on their personal devices brought overseas or onto military facilities. They also called for the agency to remove web browsers “designed to facilitate data collection by Google and other advertising companies” from Pentagon-issued devices.

“Instead, DoD should pre-install on DoD devices and require the use by DoD personnel of privacy-focused web browsers that protect users with anti-tracking cyber defenses, such as ad blocking and the Global Privacy Control (GPC), which is already enforced by law in 12 states,” the letter said.

]]>

Iran’s hackers are coordinating more closely, Israel’s top cyberdefense official says

David DiMolfetta — Wed, 27 May 2026 15:42:00 -0400

Tehran’s hackers have grown more organized, more coordinated and more willing to use artificial intelligence for influence operations in recent months — and they have demonstrated many of those capabilities since the war with Iran began, according to Israel’s top cyberdefense official.

In a Tuesday interview, the director-general of Israel’s National Cyber Directorate, Yossi Karadi, said Iranian state-aligned groups are further sharing cyber tools among each other and using AI to polish disinformation and recruitment messages.

At the same time, Karadi said he is pressing major AI labs for controlled access to powerful models like Anthropic’s Mythos, arguing that governments need the same tools attackers are seeking to adopt.

In the last year, Iran’s state-backed hacking units have increasingly “begun to talk to each other, and then collaborate with each other, and then even sometimes exchange information” among themselves, he said. “Of course, when they work together, they can work more efficiently and better.”

During the recent war, Iran has sent hundreds of thousands of text messages to Israelis as part of a deception and influence campaign, he said.

“In some cases, they’d send messages like, ‘don’t go to the bomb shelters because they are closed,’” Karadi said, adding that other messages sought to recruit Israelis for intelligence-sharing.

For a while, those messaging campaigns were in “very bad Hebrew, so you understand, ‘okay, it’s nonsense,’” Karadi said. But more recently, AI has helped Tehran improve message quality.

In March, Israel said it bombed a key Iranian cyberwarfare operation center. Asked about how that attack and similar efforts affected Tehran’s hacking prowess, Karadi said only that the nation’s cyberactivity largely fluctuated, depending on the intensity of the conflict.

When bombing campaigns against Iran intensified, hacking activity tended to decrease because it was harder for state operatives to access physical assets like computers and other equipment needed for cyberattacks, he said. Conversely, when strikes slowed, state hacking groups would have more room to reorganize and collaborate again.

As the U.S. and Iran work to implement a peace agreement to end the war, Karadi said there is little expectation that cyber activity from either side will stop, arguing that any party can deny involvement in a cyberattack, compared to a physical strike using missiles or bombs.

“There is no ceasefire in cyber,” he said. “You cannot force any agreement on cyber.”

Over the last few months, Iran has compromised a swath of smaller Israeli organizations and a handful of American targets. Pro-Iran hackers have targeted various U.S. industrial control systems, federal officials said early last month. One group, likely state-affiliated, also claimed to have compromised medical technology giant Stryker. And just last week, researchers said Iran-linked hackers deployed a slew of cyberespionage techniques that targeted the U.S., Israel, the UAE and other Middle Eastern nations.

Asked if the cybersecurity community underestimated the strength of Iran’s hacking ecosystem, Karadi said he would only speak for Israel, and asserted they “obviously did not underestimate” Tehran. Since the 12-Day War last year, “we were in an 100% alert situation, and we have been preparing ourselves for high-scale cyber war,” he said.

The remarks provide a window into how Israeli officials believe Iran’s cyber apparatus has adapted under wartime pressure and amid negotiations now underway between the U.S. and Tehran that could end the war, which began in late February.

Karadi conducted the interview as part of a visit to Washington this week, where he said he has planned meetings with the FBI, the Cybersecurity and Infrastructure Security Agency, U.S. Cyber Command and representatives from industry.

In those meetings, he said officials have been discussing advanced cyber-focused AI models like Anthropic’s Mythos, which have quickly become central to global cyber policy talks. Asked whether Israeli institutions have been given access to those systems, he said the effort is a work in progress.

“I haven’t succeeded in it now, but hopefully I will,” he said, adding that he is trying to access such models to scan Israeli government organizations for vulnerabilities. He declined to name specific AI companies he is engaging with.

In early April, Anthropic launched Project Glasswing, an initiative with major companies designed to secure critical software across the globe using its Mythos model. It’s been withheld from public release amid concerns over its highly skilled hacking capabilities. About a month later, OpenAI unveiled GPT-5.5-Cyber, a similarly advanced model that was also reserved for verified organizations to prevent the acceleration of offensive cyber tools.

The White House and the federal government swiftly responded and worked to craft an executive order focused on AI and cybersecurity, but its signing was postponed last week amid overregulation concerns from industry.

Representing a government cyberdefense organization, Karadi said such models worry him.

“When you give [an attacker] a new tool, he needs to only use it at one time and one place. But I need to implement this tool at all the places and all the time,” he said.

He expects more of these models to proliferate in the coming months, and he considers them to now be the “main threat” in the cybersecurity world.

“I think that our world is getting more and more digital, AI-based and cloud-based,” he said. “It will take us to a permanent state of cyber warfare, some of the time against enemies that you know. But most of the time — against ghosts.”

]]>

State leaders renew call for cyber grant program’s renewal

Chris Teale — Tue, 26 May 2026 18:36:00 -0400

State leaders once again reiterated their calls for Congress to reauthorize and fund a popular cybersecurity grant program at a House hearing last week.

Officials said the State and Local Cybersecurity Grant Program, which has been reauthorized by the House but awaits action in the U.S. Senate before it expires in September, has been helpful for governments looking to build their cyber resilience against growing threats and must be allowed to continue.

“The scale, speed, and complexity of today’s threat environment require sustained funding, operational flexibility, and the ability to respond at the pace of emerging threats,” Tennessee Chief Information Officer Kristin Darby said in written testimony before the House Homeland Security Committee’s Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation last week. “The State and Local Cybersecurity Grant Program is one of the most effective tools available to strengthen our collective defense.”

The $1 billion cyber grant program was initially funded through a 2021 infrastructure law and received a temporary extension of its authority through September as part of a government funding deal last year. The House voted in November to approve the Protecting Information by Local Leaders for Agency Resilience — or PILLAR — Act, which would reauthorize the grant program for another 10 years. A companion bill is pending in the Senate, albeit with only a one-year extension.

Witnesses at this latest House hearing said the cyber grant program has been crucial in helping them strengthen their cybersecurity postures, although much more work lies ahead. Darby said the $21 million in grant funding that Tennessee has received has secured almost 90,000 endpoints across local governments and provided cybersecurity training to more than 21,000 local government employees.

That grant funding, the majority of which has been passed to local governments, has also supported programs like managed endpoint detection and response; cybersecurity awareness training; critical infrastructure improvements like firewalls and disaster recovery systems; and managed services for jurisdictions without IT staff, Darby said.

What happens next remains an open question, however, especially if more money is not appropriated to the program. Outside groups have previously called for a stable funding stream of $4.5 billion over two years. Darby said that, without continued funding, local governments would lose access to various programs and services that require subscription funding, they and would be unable to sustain various managed services or make further investments. She also warned of job cuts if the grant program dries up.

“Most importantly, we risk losing the momentum, relationships, and trust that have been built through our whole-of-state approach,” Darby said. “Cyber adversaries are not slowing down. If funding and support diminish, the gap between attackers and defenders will widen.”

Speakers had various suggestions for how the program could be improved. Darby and Colin Ahern, New York’s director of security and intelligence, urged the subcommittee to fund the program consistently over multiple years to allow states to carry out longer-term procurements and initiatives, while Ahern said eliminating cost-share match requirements could help reduce the burden of cost sharing on smaller jurisdictions.

Ahern also said that the program should be amended to allow states and localities to buy memberships and services from the Multi-State Information Sharing and Analysis Center, which recently moved to a membership model after seeing its federal funding cut. All speakers agreed that the federal government must be a strong partner in any cybersecurity efforts alongside states and localities.

“The federal government is an essential partner in this work,” said Florida CIO Warren Sponholtz in written testimony. “Federal intelligence collection and sharing brings national visibility that no individual state can replicate. Federal advisories, threat feeds, automated indicator sharing, vulnerability guidance, and incident coordination help states understand what is happening across the country and what may be heading toward our jurisdictions.”

There appears to be broad bipartisan support for helping state and local governments in their cybersecurity posture and a recognition that, while it may need tweaks, the cyber grant program has been a positive step forward.

“The premise was simple [behind the grant program],” Rep. Andy Ogles, a Tennessee Republican who chairs the subcommittee, said in his opening statement. “A small town faces the same threats as a large city, and a rural county is not exempt from Chinese or Russian cyber actors just because it has a limited IT budget. That program helped communities that could not otherwise help themselves. Unless Congress acts, that program expires this September. We should not let that happen, and we certainly should not let it happen at a moment when the threat is growing ever worse.”

]]>

Draft executive order would set deadlines for digital signature and key quantum encryption

Alexandra Kelley — Wed, 20 May 2026 15:43:00 -0400

The White House is preparing a new executive order aiming to spur federal agency migration to a post-quantum cryptographic standard under particular deadlines, as well as requiring covered contractors to take similar steps within the same window.

A person familiar with the draft order told Nextgov/FCW that the current version tasks the Office of Management and Budget with issuing guidance and deadlines for transitioning high-impact systems to encryption standards intended to withstand code-breaking powered by an eventual fully operational quantum computer. The person confirmed that all agencies must migrate their high-value assets, apart from national security systems.

The draft document would require all agencies to transition their digital signatures for high-impact systems and high-value assets to a PQC standard by Dec. 31, 2031, and to use post-quantum cryptography for key establishment by Dec. 31, 2030, according to sections viewed by Nextgov/FCW.

Digital signatures are software tools that authenticate user identity for secure access into digital environments. Key establishment is the process of securing data by generating a unique digital code, or a cryptographic key, for specific parties to provide them secure access. Key establishment and exchange allows the parties to then securely encrypt and decrypt data. Many current versions of both digital signatures and key encryption are expected to be overpowered by the decryption abilities of a future cryptographically-relevant quantum computer.

The draft order also gives “covered contractors” working with federal agencies a 2030 deadline to comply with the PQC standards developed by the National Institute of Standards and Technology, the person familiar said, noting that the document is expected to be released sometime this week.

The White House didn't respond to a request for comment.

In February, Nextgov/FCW exclusively reported that the White House was developing a quantum-focused executive order focused on spurring U.S. leadership in quantum-powered systems.

That draft didn’t include PQC migration efforts, and the person familiar with the current draft’s development told Nextgov/FCW that elements included in the older draft — namely setting up a new initiative to leverage quantum computing for scientific discovery and updating the National Quantum Strategy — are not included in the PQC-focused order, suggesting the possibility of multiple quantum technology-focused executive items.

PQC has emerged as a newly critical element to cybersecurity, as the arrival of a future fault-tolerant quantum computer threatens the defensive encryption classical computing has relied upon for decades.

The 2030 deadline has long been floated as optimal to support comprehensive migrations to robust PQC standards. In 2022, the National Security Agency issued quantum-resistant algorithm requirements specifically for national security systems. The guidance recommends software and firmware signing and traditional and niche networking equipment migrate to a PQC standard by 2030.

The exclusion of national security systems from mandatory migration efforts in the latest potential PQC executive action follows a December 2024 NSA FAQ stating that the agency intends for all national security systems to be quantum-resistant by 2035, “with the hope of completing much of the transition sooner.”

A draft memorandum developed by the Office of Management and Budget last summer and seen by Nextgov/FCW aimed to spur PQC migration efforts within the federal government by conducting inventories of high-risk network assets and asking vendors to disclose their PQC migration timelines.

President Donald Trump has consistently prioritized the advancement of both PQC and quantum information and sciences research writ large, beginning with signing the National Quantum Initiative Act during his first term in 2018.

The White House’s proposed Fiscal Year 2027 budget also includes a provision that the federal budget “maintains funding for research in artificial intelligence and quantum information science at key agencies.”

]]>

House Homeland Dems request CISA briefing amid report of leaked agency credentials

David DiMolfetta — Wed, 20 May 2026 12:23:00 -0400

Top Democratic lawmakers on the House Homeland Security Committee have requested a briefing from Cybersecurity and Infrastructure Security Agency acting Director Nick Andersen following reports of a contractor-linked leak of internal agency credentials.

Independent journalist Brian Krebs reported Monday that researchers identified a publicly accessible GitHub repository connected to government contractor Nightwing that allegedly exposed a broad collection of sensitive access information tied to systems used by CISA and its parent agency, the Department of Homeland Security.

“We demand a briefing as soon as possible on how this serious security lapse occurred, any potential security consequences, remediation activities, corrective actions related to the contractor personnel involved, and efforts to monitor for and prevent similar activity from occurring in the future,” wrote Rep. Bennie Thompson of Mississippi, the committee’s ranking member, and Rep. Delia Ramirez of Illinois, the ranking member of the panel’s cyber subcommittee, in a Tuesday letter shared with Nextgov/FCW.

The materials, stored in a repository labeled “Private CISA,” reportedly included items like authentication credentials, AWS GovCloud information and other sensitive data. The repository was later removed from public view. Nextgov/FCW has not independently verified its contents.

“Security researchers said the content openly available online included information on ‘how CISA builds, tests and deploys software internally,’ and they described it as ‘one of the most egregious government data leaks in recent history.’ We agree,” said the letter, referring to the contents of Krebs' reporting.

A Nightwing spokesperson referred inquiries to CISA.

“We do not comment on congressional correspondence but respond to members directly,” an agency spokesperson said.

A separate letter to Andersen was sent by Sen. Maggie Hassan, D-N.H., Axios reported Tuesday.

CISA has undergone significant workforce cuts in the last year, which Thompson and Ramirez say may have contributed to the incident. They worry that “a substantially reduced workforce, coupled with the administration’s indifference to security, created the conditions that allowed such a significant security lapse to occur. Moreover, we are concerned that the incident undermines CISA’s credibility.”

Editor’s note: This story was updated to include a comment from CISA.

]]>

Telecom firms form new cyber information-sharing group

David DiMolfetta — Tue, 19 May 2026 13:41:00 -0400

Several of the telecommunications industry’s largest companies formed a new cybersecurity-focused information-sharing group, roughly two years after a sweeping Chinese hacking campaign compromised several major carriers and providers worldwide.

AT&T, Charter, Comcast, Cox, Lumen Technologies, T-Mobile, Verizon and Zayo have formed the Communications Cybersecurity Information Sharing and Analysis Center, or C2 ISAC, which was announced Tuesday.

Rich Baich, chief information security officer for AT&T, is serving as the inaugural chair of the C2 ISAC’s board. Valerie Moon, a former Cybersecurity and Infrastructure Security Agency and FBI official who currently works as the executive director for the Institute for Critical Infrastructure Technology, will serve as the group’s executive director.

“The U.S. telecommunications sector recognizes the urgent need for robust, unified defenses in the face of persistent threats to networks and consumers,” a group statement reads. “The founding members formed C2 ISAC because no single company has full visibility into every threat or can address every risk alone. By sharing resources, expertise, and real-time intelligence, C2 ISAC helps members anticipate, identify and respond to cyber threats more quickly and effectively.”

In 2024, investigators uncovered a sweeping Chinese hack tied to a group known as Salt Typhoon that compromised telecom providers in the U.S. and abroad — including multiple firms now belonging to C2 ISAC — and breached U.S. lawful intercept systems used for court-ordered surveillance.

The Salt Typhoon intrusions have been underway since at least 2019, according to the FBI, and there is no clear public indication that the hackers have been fully excised from communications networks.

A suspected China-linked breach of an FBI surveillance system discovered earlier this year likely revealed phone numbers of targets being monitored by the bureau.

Communications networks are highly favored targets for hackers because penetrating them can enable access to customer data, call records and sensitive communications.

The formation of an independent ISAC is a notable step for the telecom industry. A separate but related information-sharing group focused on communications security was established in the 1980s and is run within CISA, an agency that has faced significant workforce reductions over the last year.

Federal agencies are searching for Chinese-linked telecom and surveillance equipment that officials warn could enable covert hacking and spying. The departments of Defense and Energy found a small number of vulnerable devices and are working to address the risks, according to a GAO report issued Tuesday.

]]>

Microsoft disrupts cybercrime service offering malware disguised as legitimate software

David DiMolfetta — Tue, 19 May 2026 11:00:00 -0400

Microsoft on Tuesday took actions against a “malware-signing-as-a-service” provider that has helped criminal hackers evade security defenses designed to check whether software is legitimate.

The group, dubbed Fox Tempest, was found to be abusing Microsoft code signing tools that validate whether software has been tampered with. Microsoft said it seized Fox Tempest’s website, took down hundreds of virtual machines running its operation and blocked access to another site that hosted underlying code used by the group.

Microsoft also unsealed a legal case in New York that targeted the group, and named another ransomware gang known as Vanilla Tempest as a co-conspirator.

Normally, software signing certificates are meant to prove a program is safe upon download and installation. Operations like Fox Tempest are often sought after in the cybercriminal world because they can be paid to bless hackers’ malware with a valid-looking signature to help it evade detection.

Fox Tempest has been operating its malware disguise services since May of last year, Microsoft said. The downstream impact of its operations — which have let other criminal hackers distribute ransomware and other malicious packages — “has resulted in attacks against a broad range of industry sectors, including healthcare, education, government, and financial services” in the U.S., France, India and China, the company said in an assessment of the group.

Hackers paid thousands of dollars to get their malicious code signed by Fox Tempest, with higher-paying plans receiving priority, the company added.

Illicit code-signing tools have been exchanged for years, but “what’s changed is how this activity is marketed, packaged and sold as a service, along with the scale at which it is now used across ransomware campaigns,” Microsoft’s Digital Crimes Unit assistant general counsel Steven Masada said in a prepared statement.

“When attackers can make malicious software look legitimate, it undermines how people and systems decide what’s safe. Disrupting that capability is key to raising the cost of cybercrime,” he said.

]]>

Trump says he and Xi discussed cyberattacks and spying between US, China

David DiMolfetta — Fri, 15 May 2026 12:30:00 -0400

President Donald Trump said on Friday that he and Chinese President Xi Jinping discussed cyberattacks and espionage activities carried out by both nations during their bilateral meeting this week.

Speaking to reporters aboard Air Force One during his return flight to the United States, Trump, when asked if he raised the topics in their discussions, said, “I did. And he talked about attacks that we did in China. Y’know, what they do, we do too.”

“They’re talking about the spying. Well, we do it too,” he said. “We spy like hell on them too.”

“I told him, ‘we do a lot of stuff to you that you don’t know about and you’re doing things to us that we probably do know about,’” Trump added.

The president didn’t describe specific cyber campaigns that were discussed. China has made waves in recent years for its sweeping intrusions into telecommunications systems, government agencies and other infrastructure in the U.S. and around the world.

One such campaign, tied to a group known as Volt Typhoon, involves cyberspies burrowing into critical infrastructure systems, like power grids and water treatment plants, with the goal of potentially disrupting or sabotaging them to distract the American public in the event China moves to invade Taiwan, officials have assessed.

Asked about these intrusions, Trump said, “Well, you don’t know that. I mean, I’d like to see it, but it’s very possible that they do.”

The remarks offer a rare public acknowledgment of the clandestine efforts the U.S. deploys to monitor Chinese computer networks and government officials. Intelligence agencies like the NSA and CIA rely on a range of covert tools, capabilities and secret partnerships to track foreign adversaries.

The CIA, in particular, has made a more public effort to recruit Chinese officials as assets. Its video campaigns aimed at recruiting Chinese personnel are working and have “inspired new sources,” an agency official previously said.

Trump’s remarks also reveal a notable diplomatic posture on the issue, particularly given how difficult cyber operations can be to publicly attribute or verify.

Chinese officials routinely deny allegations of hacking and espionage, though Trump’s description of his conversation with Xi appeared to suggest some acknowledgment from Beijing that it has sought to infiltrate U.S. computer networks and recruit American assets of its own.

The White House and the Chinese embassy in Washington did not immediately respond to a request for comment.

Suspected Chinese spies sought out a former senior State Department officer late last year, requesting they draft an assessment of U.S. policy priorities in Venezuela in exchange for payment, Nextgov/FCW reported in January. Such recruitment efforts have resurfaced amid a wave of departures from the federal government over the last year, as the administration has pursued various measures to shrink the federal workforce.

In Trump’s second term, U.S. officials have been seeking a more hardened approach against foreign hackers and cybercriminal groups. In doing so, they have created a budding market for offensive cyber capabilities that government and industry are still grappling with. Offensive cyber operations would be among the tools the administration plans to use against groups deemed threats to the U.S., according to a counterterrorism strategy released earlier this month.

]]>

Canvas breach spotlights cybercriminal appetite for student data

David DiMolfetta — Mon, 11 May 2026 12:00:00 -0400

A major cybercrime gang’s hack of Canvas is highlighting how education technology providers have become attractive targets for cybercriminals, whose access to student records, login credentials and other sensitive data can create opportunities for fraud, identity theft, extortion and future intrusions.

ShinyHunters on Thursday claimed responsibility for a hack into Instructure’s Canvas platform that facilitates course materials and class management for thousands of institutions. An extensive document posted by the hackers and obtained by Route Fifty lists some 9,000 customers apparently impacted in the breach, including Georgetown, Harvard and Cornell universities. It’s not clear whether all victims listed were accessed, or what data may have been stolen.

As Instructure worked to restore services, the hackers appeared to launch follow-on attacks, while students flooded social media during final exam season with photos and videos showing compromised Canvas pages appearing upon login. ShinyHunters claims it accessed names, email addresses, student identification and private messages.

The hacking group said Saturday it would not comment further. An extortion message posted on affected sites says that Instructure has until May 12 to reach out to the hackers. ShinyHunters has since removed Instructure from their Pay-or-Leak portal and the company says Canvas functions have been restored.

Route Fifty has asked Instructure if it is negotiating with the group or has paid a ransom to prevent data from being leaked.

The FBI is likely investigating the incident, according to two people familiar with the matter who requested anonymity to communicate their understanding of the government’s response to the breach.

An FBI spokesperson said on Friday that the bureau is aware of the compromise.

“If you are contacted directly by anyone claiming to have your data, we recommend you not send payment or respond to their demands. By receiving a message, that does not necessarily mean your personal information has been compromised,” their statement said.

Hackers often exaggerate or fabricate their access to sensitive or personal information to prompt payment from victims, the FBI spokesperson added. “We encourage individuals to be cautious of unsolicited emails, calls, or texts claiming to be from your school, the [Learning Management System] provider, or law enforcement and to verify the contact through known channels before responding.”

Universities are a “treasure trove” of data and ransomware hackers know this, said Cynthia Kaiser, a former senior FBI cyber official. “At the same time, the openness that defines higher education can make these institutions more exposed than many other organizations.”

Kaiser, now vice president of the Ransomware Research Center at Halcyon, said that criminal hacker groups frequently obtain credentials from other intrusions and use them to carry out other hacks.

“You have to remember that groups like ShinyHunters, Lapsus$ and Scattered Spider often log in rather than hack in,” she said, referring to a slew of major criminal hacker gangs that have made headlines for their intrusions over the years.

Any stolen data wouldn’t enable immediate financial theft, though it’s highly valuable for targeted phishing and social-engineering attacks, said Adam Marrè, a former FBI special agent and Chief Information Security Officer at Arctic Wolf.

“The biggest risk after incidents like this is not instant identity theft but scams that surface weeks or months later and appear legitimate. Students, parents, and educators should stay alert for unexpected or urgent messages, avoid clicking unverified links, enable multi-factor authentication on email accounts and be cautious with any request for personal information,” he said.

The House Homeland Security Committee is investigating the matter, according to a letter sent Monday to Instructure CEO Steve Daly from Rep. Andrew Garbarino, R-N.Y., the panel’s chairman. He asked company executives to brief lawmakers and staff by May 21.

Instructure said in a blog post that the unauthorized access involved information like usernames, email addresses, course names, enrollment information and messages. The company also “identified a vulnerability regarding support tickets in our Free for Teacher environment that was exploited.”

It’s not known how long it took for the hackers to craft the plan for the intrusion, but the fact that they carried it out during final exams “shows the level of planning that went into this attack,” said Damien Skeeles, a senior manager at Filigran, which sells open-source cybersecurity solutions.

“You wonder how much more planning went into it, and how many more acts there are to follow,” he said.

]]>

Trump admin will push for ‘long-term’ reauthorization of key cyber data-sharing law

Edward Graham and David DiMolfetta — Thu, 07 May 2026 13:21:00 -0400

The White House is pressing Congress to extend a key cybersecurity authority that is poised to expire later this year unless renewed, a top official said Thursday.

The Cybersecurity Information Sharing Act of 2015 temporarily expired during the 43-day government shutdown that occurred late last year, but lawmakers ultimately extended it as part of the stopgap funding bill that ended that lapse. The government funding package signed into law in early February included a provision that prolonged the statute through September 2026.

Speaking at the Special Competitive Studies Project’s AI+ Expo event in Washington, D.C., National Cyber Director Sean Cairncross said the Trump administration is “pushing for a long-term reauthorization” of the law.

“I expect that, on the Hill, the right thing will be done over the course of time, and we will get there,” Cairncross said.

The measure allows private sector firms to freely transmit threat intelligence to federal partners with key legal exemptions in place. Legal carve-outs were made a core feature of the original 2015 law because cyber threat information often contains sensitive data on victims and companies. To help the U.S. trace nation-state cyber intruders and criminal hackers, those datasets often need to be shared with government cybersecurity and intelligence analysts.

The White House’s national cybersecurity strategy, which was released in March, called for enhancing communication between the public and private sectors to deter cyber threats. The same document also said the Trump administration was pursuing more offensive cyber operations against bad actors, including moving to “unleash the private sector by creating incentives to identify and disrupt adversary networks and scale our national capabilities.”

Cairncross said part of that overall effort includes “working on new ways to share information between the private sector and the [U.S. government] that’s actionable, that's fast and in both directions” — including through the Cybersecurity and Information Sharing Act of 2015.

The national cyber director has previously pushed for a clean extension of the law, but his comments show the Trump administration is vying to prevent its lapse for a significant time period.

In the early 2010s, legislative efforts to establish a cyber threat information-sharing framework faced major hurdles amid public skepticism over government privacy abuses following Edward Snowden’s 2013 global surveillance disclosures.

The view shifted after the Office of Personnel Management suffered a massive data breach in 2015, compromising the personal information of over 21 million current and former federal employees, which galvanized support for the law as it stands today.

]]>

Senator warns CISA election security pullback could leave midterms vulnerable

David DiMolfetta — Wed, 06 May 2026 17:34:00 -0400

Senate Intelligence Committee Vice Chairman Mark Warner, D-Va., is demanding answers from the Department of Homeland Security over what he says is a sharp decline in federal election security support ahead of the 2026 midterms, warning that cuts to the Cybersecurity and Infrastructure Security Agency could leave states more exposed to cyber threats and foreign interference.

In a letter sent Wednesday to DHS Secretary Markwayne Mullin, Warner said state and local officials have reported that CISA is no longer providing the same level of election security training, intelligence sharing and cybersecurity assistance it offered in prior election cycles.

The letter adds to growing criticism over the Trump administration’s handling of CISA and its election security mission, which has faced deep staffing reductions enacted over the last year.

“While the states are taking valiant and expensive measures to protect their elections, it is impossible for states to independently obtain intelligence, subject-matter expertise, and real-time incident reporting, and information at the scale and speed required to protect state elections from physical and cyber threats,” Warner wrote.

After this story was published, a DHS spokesperson said that, under President Joe Biden, CISA “was focused on censorship, branding, and electioneering instead of defending America’s critical infrastructure.”

Under President Donald Trump, the spokesperson said the agency is “committed to delivering timely, actionable cyber threat intelligence, supporting federal, state, and local partners, and defending against both nation-state and criminal cyber threats.”

“CISA’s mission is ensuring state and local election officials are cognizant of and utilize the most capable and timely threat intelligence, expertise, resources they need to defend against risks, and identify critical infrastructure security needs to maintain electoral functions,” the spokesperson added.

Efforts under the Trump administration to scale back CISA and its election security resources have strained relationships with state and local officials and have raised concerns that jurisdictions may be far less prepared to counter threats in November, officials in Michigan and Georgia said late last month.

The administration’s fiscal 2027 budget proposal would eliminate the agency’s election security program funding, including information-sharing efforts and election security advisor positions.

Warner’s letter also cited testimony delivered last week by the head of U.S. Cyber Command and the National Security Agency, who said that foreign adversaries are expected to target the 2026 elections.

The senator asked DHS to explain what CISA is doing to warn state and local officials about malign influence campaigns and cyber threats targeting election infrastructure. He also requested records of election-related training, cybersecurity reviews, incident responses and outreach efforts that have been conducted by the agency since January 2025.

He also asked DHS whether any CISA personnel were involved in an FBI raid tied to election systems in Fulton County, Georgia — where Director of National Intelligence Tulsi Gabbard was publicly seen alongside federal officials — or in her office’s seizure and testing of voting machines in Puerto Rico.

The letter comes as the future of CISA’s election security role has become increasingly uncertain. Republican lawmakers and many Trump allies have long criticized the agency’s election-related activities, particularly after CISA publicly pushed back on false claims surrounding the 2020 election.

Editor's note: This article has been updated to include a statement from CISA.

]]>

US lists offensive cyberattacks in counterterrorism strategy

David DiMolfetta — Wed, 06 May 2026 17:04:00 -0400

Offensive cyber operations would be a part of a suite of counterterrorism responses aimed at groups deemed threats to U.S. interests, according to the Trump administration’s counterterrorism strategy that was released Wednesday.

Counter-terror activities against state actors “include offensive cyber operations against those planning to kill Americans or who support those plotting to do so,” the strategy reads.

The framework, more broadly, specifically lists narcoterrorists and transnational gangs, legacy Islamic terrorist groups and “violent left-wing extremists, including anarchists and anti-fascists” as the main entities threatening the nation.

Diplomatic, financial, cyber, and covert actions would be used to undermine or deter harmful state actors from assisting foreign terrorist organizations, the strategy says. Cyber operations would continue against Iran-backed proxy groups, it later adds.

The overt mention of offensive cyberattacks underscores the White House’s broader push to reshape foreign hackers’ behavior and follows several public acknowledgments of U.S. cyber warriors’ involvement in the administration’s military activities.

The specific nature of these offensive cyber operations is not described in the document.

The White House has helped shape a budding market for offensive cyber tools and capabilities, but executives and officials are grappling with legal questions over definitions of cyber offense and defense, as well as who would bear responsibility when private firms are involved in digital operations.

]]>

CISA unveils CI Fortify to help secure critical infrastructure during conflicts

David DiMolfetta — Tue, 05 May 2026 12:26:00 -0400

The Cybersecurity and Infrastructure Security Agency announced the release of its CI Fortify project on Tuesday, aiming to help critical infrastructure owners and operators defend themselves against hackers and maintain continuity during a geopolitical conflict.

“For planning purposes, operators should assume that in a conflict scenario third-party connections — such as telecommunications, internet, vendors, service providers, and upstream dependencies — will be unreliable and that threat actors will have some access to the [operational technology] network,” a webpage describing the initiative says.

Per guidance, CISA wants critical infrastructure providers to focus on isolation and recovery planning objectives.

“We strongly encourage organizations to review this guidance, implement the recommended actions and collaborate with CISA to strengthen CI defenses against opportunistic threat actors,” agency acting director Nick Andersen said in a prepared statement.

Critical infrastructure — like water treatment plants, financial institutions and electric grids — are a regular target for foreign hackers. U.S. officials have assessed for years that China is burrowing into non-military critical infrastructure networks, preparing to sabotage them should the U.S. enter into a major conflict with the nation, especially involving Chinese interests in Taiwan.

Hackers linked to China, Russia, Iran, North Korea and ransomware groups will continue to pose critical threats to U.S. networks and critical infrastructure, U.S. intelligence agencies assessed this year.

Amid the U.S.-Israel war against Iran, Tehran-backed hackers exploited and disrupted operational technology control systems embedded in multiple U.S. critical infrastructure sectors, targeting equipment manufactured by Rockwell Automation, according to a government advisory issued last month.

Last year, Australia, a Five Eyes partner, launched its own CI Fortify program.

]]>

Operational technology providers are feeling ‘annoyance’ at exclusion from Anthropic’s Mythos rollout, sources say

David DiMolfetta — Mon, 04 May 2026 15:51:00 -0400

Operational technology providers and their industry groups have been pressing for access to Anthropic’s cybersecurity-focused Mythos Preview model, arguing the initial rollout — which focused on major tech and finance firms under a global vulnerability patching effort — left out a widely exposed segment of critical infrastructure that’s often targeted by hackers.

In recent weeks, OT industry representatives have expressed frustration during roundtables and listening sessions about their initial exclusion from Project Glasswing, Anthropic’s initiative with major companies designed to secure critical software across the globe using the Mythos model, according to four people familiar with the discussions.

The processes for these firms to be granted access are ongoing, two of the people said. All of the sources requested anonymity because the discussions are private.

American Water, one of the nation’s largest regulated U.S. water and wastewater utilities, is among several organizations that have recently met with the Office of the National Cyber Director to discuss Mythos and broader AI-cybersecurity threats, said one of the people. American Water heavily relies on and oversees complex operational technology systems to manage its water treatment and distribution infrastructure.

“There’s definitely an annoyance in the OT world,” that person said. “That doesn’t mean people aren’t considering the needs of OT,” they noted, but decisionmakers dictating initial Glasswing access “weren’t thinking in those terms.”

Nextgov/FCW has asked Anthropic, ONCD and American Water for comment.

Operational technology, which is embedded in critical infrastructure everywhere, is a constant point of concern for cyberdefenders because it underpins essential everyday services like energy, water and transportation. Disruptions to those systems can have immediate real-world consequences.

DARPA recently concluded a two-year-long competition where teams built AI models to autonomously identify and patch vulnerabilities in open-source code used in critical infrastructure systems. Many major AI firms, including Anthropic and OpenAI, provided model infrastructure to participants.

Even when access is granted to Mythos, that doesn’t automatically mean all vulnerabilities in a network are fixed, said Cynthia Kaiser, a former senior FBI cybersecurity official, adding that firms will have to prioritize what to patch once they can test their infrastructure against the model.

“It’s not just about getting access. People need to think about — when they get it, where do they start?” said Kaiser, now senior vice president at Halcyon’s Ransomware Research Center.

Physical operational systems are often harder to patch than IT because they usually can’t be easily taken offline to apply fixes, and they rely on aging, vendor-controlled equipment that makes rapid patching difficult.

Regardless, “the fact that boards and CEOs have been asking about this — and that the requests aren’t coming from [Chief Information Security Officers] — shows that the release of Mythos means companies are taking cybersecurity more seriously,” she added. “I think it’s good and important that they’re thinking about this now.”

Mythos has been deemed a major turning point for cybersecurity and AI practitioners because it demonstrates how advanced models can be purpose-built for real-world cyber operations, including those planned inside the intelligence community. In the wrong hands, it could be used to carry out sophisticated cyberattacks against government networks, critical infrastructure or other key U.S. systems.

The Pentagon labeled Anthropic a supply chain risk earlier this year — and the White House later ordered a governmentwide phaseout of its technology — after the AI company declined to ease restrictions on its products being used in domestic surveillance and fully autonomous weapons.

The company has legally challenged the supply chain risk label. A federal judge issued a temporary injunction on the designation and ban in late March, which the government has said it intends to appeal.

]]>

Pentagon launches cyber apprenticeship program

Edward Graham — Tue, 28 Apr 2026 18:53:00 -0400

The Department of Defense is launching a Cyber Registered Apprenticeship Program to accelerate its onboarding of skilled cybersecurity professionals, the agency said, part of a Trump administration push to bring non-traditional talent into the federal workforce.

The initiative is being led through DOD’s Office of the Chief Information Officer and was first announced during a Labor Department signing ceremony on Monday for National Apprenticeship Week.

The 12-month program is slated to launch as a pilot this summer, with the Pentagon calling it “a significant first step in energizing the Department’s commitment to workforce innovation and rapidly delivering leading-edge expertise to the warfighter.”

The Pentagon said the apprenticeship is driven by a governmentwide focus on prioritizing skills-based hiring for technical- and cybersecurity-focused roles. The Office of Personnel Management released new standards for technology positions earlier this month that no longer include degree requirements as part of an effort to emphasize experience in the hiring process.

The new program, DOD said, will place an emphasis on preparing participants for top cybersecurity roles, including as cyber defense analysts, infrastructure support specialists and incident responders. Participants will also receive training certifications and continued education opportunities, as well as the chance to receive full-time cyber roles within DOD upon completion of the apprenticeship.

“This program is a critical investment in our people and the bedrock of our national security,” Marci McCarthy, the DOD CIO’s director of external engagements, said in a statement. “The Cyber RAP provides a direct pathway for dedicated individuals to join our mission, securing the vital networks, infrastructure, and weapon systems that our Warfighters depend on every single day.”

The effort to train and onboard new cyber talent comes as the Pentagon and other federal agencies look to fill a host of digital defense-focused roles, with the U.S. as a whole struggling to address more than 500,000 vacancies in cybersecurity positions across both the public and private sectors.

]]>

Federal drawdown of election support ‘destroyed’ ongoing relationships, experts say

David DiMolfetta — Tue, 28 Apr 2026 18:06:00 -0400

Efforts under President Donald Trump to scale back the Cybersecurity and Infrastructure Security Agency and its election security resources have strained relationships with state and local officials, raising concerns that jurisdictions may be far less prepared to counter threats to the November midterms, officials in Michigan and Georgia said Tuesday.

The warnings, delivered by state officials and other experts at a hearing hosted by Democrats on the House Homeland Security Committee, come as the Trump administration has sought to expand the federal role in election administration through executive orders and the growing involvement of Director of National Intelligence Tulsi Gabbard in election-related matters, including an FBI raid on a Fulton County, Georgia elections office.

The drawdown of CISA election resources over the last year has “been very damaging,” said Aghogho Edevbie, Michigan’s deputy secretary of state.

“We had CISA employees and officials work alongside us,” he added, describing that CISA representatives would deploy to places where voting occurred and votes were being counted to conduct security assessments. “All of those relationships have been destroyed. We’ve had instances where our local election officials have been corresponding with members of CISA, and then, all of a sudden, there’s no response, because presumably that person has been fired.”

Earlier this month, the Justice Department demanded that Michigan’s Wayne County turn over all ballots from the November 2024 election. Edevbie, in the hearing, called the inquiry “unlawful,” aligning with other state officials.

Last year, CISA put much of its election disinformation staff on leave. The White House’s fiscal year 2027 budget proposal eliminates CISA’s election security program entirely, and would cut funding for information-sharing support to state and local officials and remove dedicated election security advisors across the nation.

Election cybersecurity threats can include ransomware attacks, phishing campaigns and efforts by foreign adversaries to probe election systems and conduct influence operations.

Larry Norden, the VP of the Brennan Center for Justice’s Elections and Government program, noted that, in a recent survey, 75% of observed state and local election officials said their governments had not provided sufficient resources to fill the gap that was created by CISA cuts.

“And perhaps most damaging of all, many election officials that we talked to no longer trust the federal partners that they used to rely on to help them coordinate around election security,” Norden said.

Mo Ivory, former county commissioner for Fulton County who is now running for commission chair, criticized the FBI raid that Gabbard attended.

It “raised immediate questions about chain of custody, voter privacy, access to public records, preservation of official materials and whether Fulton County could continue meeting its legal obligations while federal authorities had taken possession of our documents,” she said.

“It also sent a message to the public servants who administer elections: even after doing your job, even after following the law, even after audits and reviews, you can still be pulled back into a political fight over an election that ended six years ago,” she added.

In 2020, Trump lost in Georgia by roughly 11,000 votes, prompting him and supporters to press state officials to uncover supposed missing votes to change the outcome. A later hand-count of the ballots upheld the original results.

“The Cybersecurity and Infrastructure Security Agency works with critical infrastructure owners and operators to assist them in securing both the physical security and cybersecurity of the systems and assets that support the nation’s election process,” agency acting director Nick Andersen said in a statement.

It adds that the agency offers state and local election officials free, voluntary support on request, including threat information sharing, technical expertise, vulnerability scanning and resilience assistance, with regional teams helping assess risks, strengthen defenses and respond quickly to threats.

“We are committed to supporting state and local elections officials to protect election infrastructure and safeguard our democracy,” Andersen added.

The tensions between the Trump administration and CISA date back to the 2020 election, when its then-director Chris Krebs publicly affirmed the security of the vote and was subsequently dismissed by Trump. In his second term, Trump has continued to target Krebs, including ordering a federal investigation last year into his government tenure.

Jessica Marsden, a deputy director and counsel at Protect Democracy, said such efforts are meant to erode sources of high quality information and that attacks on critics of the administration “look like an effort to silence those who will tell the truth.”

On Tuesday, Gen. Josh Rudd, the director of U.S. Cyber Command and the NSA, told senators it is “reasonable to expect” foreign adversaries would seek to interfere in the upcoming midterm elections. Rudd said he was unsure whether the Election Security Group, a joint task force central to countering foreign election sabotage since 2018, has been reconvened.

“I don’t know that an ESG has been established yet, but we are prepared to as required,” he said. “I think it is really important to set up an ESG and I will follow up with you on whether that is happening.”

Editor’s Note: This story was updated to add a comment from CISA’s Nick Andersen.

]]>

Italy extradites alleged Chinese state-backed hacker to US over theft of COVID-19 research

David DiMolfetta — Mon, 27 Apr 2026 17:44:00 -0400

A Chinese national accused of hacking U.S. universities to steal COVID-19 research and carrying out parts of a sweeping cyber espionage campaign earlier in the decade has been extradited from Italy to the United States, where he now faces federal charges tied to the yearslong intrusions.

Xu Zewei, 34, was transferred from Milan over the weekend and appeared Monday in federal court in Houston on a nine-count indictment alleging wire fraud, identity theft and unauthorized access to protected computers, the Justice Department said.

Authorities allege he was part of a network of contract hackers operating on behalf of China’s Ministry of State Security. Xu and co-conspirators were directed to conduct intrusions aimed at stealing sensitive COVID-19 vaccine, treatment and testing research from U.S. entities.

Xu was also allegedly involved in intrusions between 2020 and 2021, including attacks on U.S. research institutions and exploitation of Microsoft Exchange vulnerabilities tied to the sprawling HAFNIUM campaign, which compromised thousands of organizations worldwide, including roughly 13,000 in the United States.

The case highlights longstanding concerns within the U.S. government about China’s use of private-sector contractors to carry out cyber espionage. Prosecutors allege Xu worked for a Shanghai-based company that functioned as one of many “enabling” firms conducting hacking operations for Chinese intelligence services.

Court filings describe how Xu allegedly reported directly to Chinese intelligence officers and carried out specific tasks, including targeting the email accounts of immunologists and virologists conducting COVID-19 research. In one instance, prosecutors say Xu confirmed he had accessed the network of a Texas-based research university and later retrieved the contents of researchers’ email accounts at the direction of a state security officer.

Xu has denied the allegations through an attorney. He was arrested in Milan in July 2025.

The Justice Department first unsealed charges against Xu and an alleged co-conspirator, Zhang Yu, last year. Zhang remains at large. If convicted on all counts, Xu could face decades in prison.

“The extradition of Xu Zewei demonstrates the FBI’s reach extends well beyond U.S. borders,” Brett Leatherman, the FBI’s Cyber Division assistant director, said in a prepared statement. “Xu will now answer for his alleged role in HAFNIUM, a group responsible for a vast intrusion campaign directed by China’s Ministry of State Security that compromised more than 12,700 U.S. organizations. He is one of many contractors the Chinese government uses to obscure its hand in cyber operations, and others who do the same face the same risk.”

The case reflects both the scale of China’s hacking operations and the difficulty of holding alleged state-backed cyber operatives accountable. While U.S. authorities have increasingly sought to name and charge foreign cyber operators, arrests and extraditions remain less common due to jurisdictional and diplomatic constraints.

But the extradition could mark a notable step in that effort. Italian authorities arrested Xu at the request of U.S. officials, and American investigators credited international coordination with securing his transfer.

]]>

Cyber Command carried out over 8,000 missions in 2025, director says

David DiMolfetta — Wed, 22 Apr 2026 12:54:00 -0400

U.S. Cyber Command, the digital combatant command tasked with defending the nation’s cyberspace and supporting other military components’ offensive and defensive operations, carried out over 8,000 missions in 2025, its new director said Tuesday.

Gen. Josh Rudd, recently confirmed to lead Cyber Command and the NSA in a dual-hatted capacity, told lawmakers on the House Armed Services Committee that he expects that number to increase through the remainder of 2026. He testified alongside Katie Sutton, the assistant secretary of defense for cyber policy.

The 2025 total is a 25% increase compared to 2024, Rudd added. The figures, which he did not elaborate on, help to underscore how cyber elements are becoming more ingrained into military activities.

The Trump administration has sought to highlight the command’s involvement in its broader military missions. Gen. Dan Caine, chairman of the Joint Chiefs of Staff, has acknowledged Cyber Command’s role in operations that targeted Iranian nuclear facilities and the ousting of Nicolás Maduro from Venezuela. More recently, the command has played a role in Iran war efforts.

“Our participation in Operation Absolute Resolve and Operation Epic Fury are prime examples of this integration in action,” said Rudd, referring to Venezuela and Iran, respectively.

Cyber Command often conducts “hunt forward” operations, defensive missions designed to identify, mitigate and learn from foreign cyber threats that target allied host nation networks.

Sutton, in her testimony, said her office is working on a new cyber strategy expected for release this summer.

“We’re taking all of those and really making it an integrated approach that’s going to be a very bold transformation of how we think about cyberspace,” she said, describing how the Defense Department is drawing on previous national security strategies to inform the crafting of this new framework.

The department last released a cyber strategy in 2023.

]]>