Nextgov/FCW - Cybersecurity

Cyber Force? Senator pushes to create service branch under the Army

Thomas Novelly — Fri, 29 May 2026 16:59:00 -0400

A new cyber-focused military service branch would sit under the Army if one senator’s proposal comes to fruition.

Sen. Kirsten Gillibrand, D-N.Y., is spearheading a markup amendment to the Senate’s 2027 National Defense Authorization Act that would create a “Cyber Force” as the next armed service branch. The senator’s office confirmed that the amendment proposes to establish the branch under the Army, just as the Space Force and Marine Corps sit under the Air Force and Navy.

Similar provisions are reportedly being floated in the House, according to two people familiar with policy discussions. Earlier this year, Rep. Pat Fallon, R-Texas, told the Center For Strategic and International Studies that a “Cyber Force is inevitable” and “we’re going to get this done.” A Fallon spokesperson did not respond to multiple requests for comment on Friday asking about a potential amendment.

“New and escalating cyber threats on the battlefield demand a change to our current approach. The status quo and years of incremental changes are not meeting the current threat and are insufficient as that threat grows,” Gillibrand told Defense One in an emailed statement. “I believe, and many experts agree, that the creation of a dedicated Cyber Force will ensure the United States is ready to fight and win on the modern battlefield and protect our national security.”

The proposed amendment marks the latest push in a years-long effort. Gillibrand and House lawmakers have backed the idea before. In the 2025 National Defense Authorization Act, lawmakers commissioned the National Academies of Sciences, Engineering, and Medicine to study “alternative organizational models for the cyber forces of the Armed Forces.” Those findings have not been released. Details from the amendments showing what a Cyber Force might look like are not yet public, but think tanks and national security experts have already been pitching their own force designs.

A 2024 Foundation for Defense of Democracies report concluded that a Cyber Force could sit under the Army, muster about 10,000 personnel, and need a budget of around $16.5 billion. In August 2025, the FDD and the Center for Strategic and International Studies announced a commission on Cyber Force Generation. A report from those think tanks is scheduled to be released next month.

One former military official said there would be strengths to a cyber-focused service, but putting it under the Army is a bad idea. They argued that cyber would remain a secondary priority amid the branch’s many missions.

“The Army is the largest service by far,” the former official said. “Manpower-wise, it's like half the department, and it's like, ‘we'll put it under because it'll be easy for the Army to just put in another force.’ It's already hard enough to run the Army as it is.”

Mark Montgomery, a retired Navy rear admiral and an FDD senior fellow who advocates for a Cyber Force, argued that this year is an ideal time to create a new service.

“Timing-wise, you need to do this in the beginning or middle of an administration, not at the end of an administration,” Montgomery said.

The proposed amendment would need to survive multiple Senate and House edits to make the final compromise NDAA.

It’s not clear if the Trump administration would support the latest bipartisan push. Last year, the Pentagon rolled out CYBERCOM 2.0, a series of policy changes aimed at beefing up the recruiting, training, and missions of the existing U.S. Cyber Command.

Katie Sutton, the assistant defense secretary for cyber policy and principal cyber advisor to Defense Secretary Pete Hegseth, defended the Cyber Command reforms during a January Senate hearing, and said a renewed command and a new service could co-exist.

“I think this is a really important debate for us all to be having about the future of the cyber warfighting domain,” Sutton told the Senate Armed Services Committee in January. “I do think one of the most common misconceptions about Cyber Command is that it is a debate between Cyber Command 2.0 and a cyber force, and they are actually separate debates that I believe both need to be had, and we need to look closely at the pros and cons of both.”

Advocates for a separate and independent cyber-focused service branch say it aligns with the Trump administration’s calls for “offensive cyber operations against those planning to kill Americans,” the White House’s new counterterrorism strategy said. It also comes as President Donald Trump and Gen. Dan Caine, the Joint Chiefs chairman, acknowledged the growing role of cyber effects in U.S. military operations in Iran and Venezuela, Defense One and sister publication NextGov/FCW have previously reported.

“The president says, ‘We've got to be more offensive’ but then you got to better generate forces to be offensive, and we don't generate enough forces to do both offensive cyber and defensive cyber operations,” Montgomery said. “A cyber force is clearly necessary.”

]]>

Commercial location data is being used to target US servicemembers, lawmakers warn

Edward Graham — Fri, 29 May 2026 13:10:00 -0400

Foreign adversaries have used commercially available data from U.S. servicemembers to target their locations in active war zones, a bipartisan group of lawmakers revealed Thursday.

In a letter to Department of Defense Chief Information Officer Kirsten Davies, fourteen members of Congress — led by Sen. Ron Wyden, D-Ore., and Rep. Pat Harrigan, R-N.C. — warned that the Pentagon “has not taken basic steps to protect U.S. military personnel from the serious counterintelligence and force protection threat posed by the collection and sale of personal information, including cell phone location data, by data brokers.”

Reuters first reported the news.

According to unclassified written responses that the lawmakers shared with their letter, U.S. Central Command revealed last month that it “has received multiple threat reports concerning adversary exploitation of commercial location data to target or surveil U.S. personnel in theater.”

This type of data can be acquired from legitimate data brokers for a nominal fee and then used to track the locations of groups of individuals, particularly those who follow set routines or are based in remote areas.

“That foreign adversaries are still able to buy location data collected from the phones of U.S. personnel serving in military hotspots is a direct result of DOD leadership’s failure to prioritize this threat and implement common sense cyber defenses recommended by federal cybersecurity experts,” the lawmakers wrote.

The Pentagon has been aware for some time now of the security vulnerabilities posed by publicly available location data from smartphones or other wearable electronic devices.

When mobile fitness app Strava released a Global Heat Map of its users’ activities in late 2017, it inadvertently gave away the locations of some U.S. military sites in the Middle East and provided precise details on the routes personnel took when they jogged. Similar location data from running app Polar also revealed the locations of military personnel, and could be used in some cases to track them to their homes.

DOD subsequently issued a directive in August 2018 that banned uses of apps and devices that share geolocation data “while in locations designated as operational areas.”

In their letter, however, the lawmakers said CENTCOM shared that it “only rolled out the capability to administratively disable location sharing on smartphones” this month. The combatant command also revealed that the Pentagon has not yet taken steps to deactivate the tracking numbers on smartphones that are used by advertisers and data brokers.

“Both iOS and Android also include an opt-in privacy setting to disable this unique advertising ID, which the National Security Agency and the Cybersecurity and Infrastructure Security Agency recommend,” the letter said. “Unfortunately, USCENTCOM confirmed that the advertising ID is still not disabled on government-issued smartphones, but stated that the Defense Information Systems Agency is currently testing a capability to do so.”

The lawmakers urged DOD to disable the advertising ID on all agency-issued smartphones and to issue guidance requiring personnel to do the same on their personal devices brought overseas or onto military facilities. They also called for the agency to remove web browsers “designed to facilitate data collection by Google and other advertising companies” from Pentagon-issued devices.

“Instead, DoD should pre-install on DoD devices and require the use by DoD personnel of privacy-focused web browsers that protect users with anti-tracking cyber defenses, such as ad blocking and the Global Privacy Control (GPC), which is already enforced by law in 12 states,” the letter said.

]]>

Iran’s hackers are coordinating more closely, Israel’s top cyberdefense official says

David DiMolfetta — Wed, 27 May 2026 15:42:00 -0400

Tehran’s hackers have grown more organized, more coordinated and more willing to use artificial intelligence for influence operations in recent months — and they have demonstrated many of those capabilities since the war with Iran began, according to Israel’s top cyberdefense official.

In a Tuesday interview, the director-general of Israel’s National Cyber Directorate, Yossi Karadi, said Iranian state-aligned groups are further sharing cyber tools among each other and using AI to polish disinformation and recruitment messages.

At the same time, Karadi said he is pressing major AI labs for controlled access to powerful models like Anthropic’s Mythos, arguing that governments need the same tools attackers are seeking to adopt.

In the last year, Iran’s state-backed hacking units have increasingly “begun to talk to each other, and then collaborate with each other, and then even sometimes exchange information” among themselves, he said. “Of course, when they work together, they can work more efficiently and better.”

During the recent war, Iran has sent hundreds of thousands of text messages to Israelis as part of a deception and influence campaign, he said.

“In some cases, they’d send messages like, ‘don’t go to the bomb shelters because they are closed,’” Karadi said, adding that other messages sought to recruit Israelis for intelligence-sharing.

For a while, those messaging campaigns were in “very bad Hebrew, so you understand, ‘okay, it’s nonsense,’” Karadi said. But more recently, AI has helped Tehran improve message quality.

In March, Israel said it bombed a key Iranian cyberwarfare operation center. Asked about how that attack and similar efforts affected Tehran’s hacking prowess, Karadi said only that the nation’s cyberactivity largely fluctuated, depending on the intensity of the conflict.

When bombing campaigns against Iran intensified, hacking activity tended to decrease because it was harder for state operatives to access physical assets like computers and other equipment needed for cyberattacks, he said. Conversely, when strikes slowed, state hacking groups would have more room to reorganize and collaborate again.

As the U.S. and Iran work to implement a peace agreement to end the war, Karadi said there is little expectation that cyber activity from either side will stop, arguing that any party can deny involvement in a cyberattack, compared to a physical strike using missiles or bombs.

“There is no ceasefire in cyber,” he said. “You cannot force any agreement on cyber.”

Over the last few months, Iran has compromised a swath of smaller Israeli organizations and a handful of American targets. Pro-Iran hackers have targeted various U.S. industrial control systems, federal officials said early last month. One group, likely state-affiliated, also claimed to have compromised medical technology giant Stryker. And just last week, researchers said Iran-linked hackers deployed a slew of cyberespionage techniques that targeted the U.S., Israel, the UAE and other Middle Eastern nations.

Asked if the cybersecurity community underestimated the strength of Iran’s hacking ecosystem, Karadi said he would only speak for Israel, and asserted they “obviously did not underestimate” Tehran. Since the 12-Day War last year, “we were in an 100% alert situation, and we have been preparing ourselves for high-scale cyber war,” he said.

The remarks provide a window into how Israeli officials believe Iran’s cyber apparatus has adapted under wartime pressure and amid negotiations now underway between the U.S. and Tehran that could end the war, which began in late February.

Karadi conducted the interview as part of a visit to Washington this week, where he said he has planned meetings with the FBI, the Cybersecurity and Infrastructure Security Agency, U.S. Cyber Command and representatives from industry.

In those meetings, he said officials have been discussing advanced cyber-focused AI models like Anthropic’s Mythos, which have quickly become central to global cyber policy talks. Asked whether Israeli institutions have been given access to those systems, he said the effort is a work in progress.

“I haven’t succeeded in it now, but hopefully I will,” he said, adding that he is trying to access such models to scan Israeli government organizations for vulnerabilities. He declined to name specific AI companies he is engaging with.

In early April, Anthropic launched Project Glasswing, an initiative with major companies designed to secure critical software across the globe using its Mythos model. It’s been withheld from public release amid concerns over its highly skilled hacking capabilities. About a month later, OpenAI unveiled GPT-5.5-Cyber, a similarly advanced model that was also reserved for verified organizations to prevent the acceleration of offensive cyber tools.

The White House and the federal government swiftly responded and worked to craft an executive order focused on AI and cybersecurity, but its signing was postponed last week amid overregulation concerns from industry.

Representing a government cyberdefense organization, Karadi said such models worry him.

“When you give [an attacker] a new tool, he needs to only use it at one time and one place. But I need to implement this tool at all the places and all the time,” he said.

He expects more of these models to proliferate in the coming months, and he considers them to now be the “main threat” in the cybersecurity world.

“I think that our world is getting more and more digital, AI-based and cloud-based,” he said. “It will take us to a permanent state of cyber warfare, some of the time against enemies that you know. But most of the time — against ghosts.”

]]>

State leaders renew call for cyber grant program’s renewal

Chris Teale — Tue, 26 May 2026 18:36:00 -0400

State leaders once again reiterated their calls for Congress to reauthorize and fund a popular cybersecurity grant program at a House hearing last week.

Officials said the State and Local Cybersecurity Grant Program, which has been reauthorized by the House but awaits action in the U.S. Senate before it expires in September, has been helpful for governments looking to build their cyber resilience against growing threats and must be allowed to continue.

“The scale, speed, and complexity of today’s threat environment require sustained funding, operational flexibility, and the ability to respond at the pace of emerging threats,” Tennessee Chief Information Officer Kristin Darby said in written testimony before the House Homeland Security Committee’s Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation last week. “The State and Local Cybersecurity Grant Program is one of the most effective tools available to strengthen our collective defense.”

The $1 billion cyber grant program was initially funded through a 2021 infrastructure law and received a temporary extension of its authority through September as part of a government funding deal last year. The House voted in November to approve the Protecting Information by Local Leaders for Agency Resilience — or PILLAR — Act, which would reauthorize the grant program for another 10 years. A companion bill is pending in the Senate, albeit with only a one-year extension.

Witnesses at this latest House hearing said the cyber grant program has been crucial in helping them strengthen their cybersecurity postures, although much more work lies ahead. Darby said the $21 million in grant funding that Tennessee has received has secured almost 90,000 endpoints across local governments and provided cybersecurity training to more than 21,000 local government employees.

That grant funding, the majority of which has been passed to local governments, has also supported programs like managed endpoint detection and response; cybersecurity awareness training; critical infrastructure improvements like firewalls and disaster recovery systems; and managed services for jurisdictions without IT staff, Darby said.

What happens next remains an open question, however, especially if more money is not appropriated to the program. Outside groups have previously called for a stable funding stream of $4.5 billion over two years. Darby said that, without continued funding, local governments would lose access to various programs and services that require subscription funding, they and would be unable to sustain various managed services or make further investments. She also warned of job cuts if the grant program dries up.

“Most importantly, we risk losing the momentum, relationships, and trust that have been built through our whole-of-state approach,” Darby said. “Cyber adversaries are not slowing down. If funding and support diminish, the gap between attackers and defenders will widen.”

Speakers had various suggestions for how the program could be improved. Darby and Colin Ahern, New York’s director of security and intelligence, urged the subcommittee to fund the program consistently over multiple years to allow states to carry out longer-term procurements and initiatives, while Ahern said eliminating cost-share match requirements could help reduce the burden of cost sharing on smaller jurisdictions.

Ahern also said that the program should be amended to allow states and localities to buy memberships and services from the Multi-State Information Sharing and Analysis Center, which recently moved to a membership model after seeing its federal funding cut. All speakers agreed that the federal government must be a strong partner in any cybersecurity efforts alongside states and localities.

“The federal government is an essential partner in this work,” said Florida CIO Warren Sponholtz in written testimony. “Federal intelligence collection and sharing brings national visibility that no individual state can replicate. Federal advisories, threat feeds, automated indicator sharing, vulnerability guidance, and incident coordination help states understand what is happening across the country and what may be heading toward our jurisdictions.”

There appears to be broad bipartisan support for helping state and local governments in their cybersecurity posture and a recognition that, while it may need tweaks, the cyber grant program has been a positive step forward.

“The premise was simple [behind the grant program],” Rep. Andy Ogles, a Tennessee Republican who chairs the subcommittee, said in his opening statement. “A small town faces the same threats as a large city, and a rural county is not exempt from Chinese or Russian cyber actors just because it has a limited IT budget. That program helped communities that could not otherwise help themselves. Unless Congress acts, that program expires this September. We should not let that happen, and we certainly should not let it happen at a moment when the threat is growing ever worse.”

]]>

Draft executive order would set deadlines for digital signature and key quantum encryption

Alexandra Kelley — Wed, 20 May 2026 15:43:00 -0400

The White House is preparing a new executive order aiming to spur federal agency migration to a post-quantum cryptographic standard under particular deadlines, as well as requiring covered contractors to take similar steps within the same window.

A person familiar with the draft order told Nextgov/FCW that the current version tasks the Office of Management and Budget with issuing guidance and deadlines for transitioning high-impact systems to encryption standards intended to withstand code-breaking powered by an eventual fully operational quantum computer. The person confirmed that all agencies must migrate their high-value assets, apart from national security systems.

The draft document would require all agencies to transition their digital signatures for high-impact systems and high-value assets to a PQC standard by Dec. 31, 2031, and to use post-quantum cryptography for key establishment by Dec. 31, 2030, according to sections viewed by Nextgov/FCW.

Digital signatures are software tools that authenticate user identity for secure access into digital environments. Key establishment is the process of securing data by generating a unique digital code, or a cryptographic key, for specific parties to provide them secure access. Key establishment and exchange allows the parties to then securely encrypt and decrypt data. Many current versions of both digital signatures and key encryption are expected to be overpowered by the decryption abilities of a future cryptographically-relevant quantum computer.

The draft order also gives “covered contractors” working with federal agencies a 2030 deadline to comply with the PQC standards developed by the National Institute of Standards and Technology, the person familiar said, noting that the document is expected to be released sometime this week.

The White House didn't respond to a request for comment.

In February, Nextgov/FCW exclusively reported that the White House was developing a quantum-focused executive order focused on spurring U.S. leadership in quantum-powered systems.

That draft didn’t include PQC migration efforts, and the person familiar with the current draft’s development told Nextgov/FCW that elements included in the older draft — namely setting up a new initiative to leverage quantum computing for scientific discovery and updating the National Quantum Strategy — are not included in the PQC-focused order, suggesting the possibility of multiple quantum technology-focused executive items.

PQC has emerged as a newly critical element to cybersecurity, as the arrival of a future fault-tolerant quantum computer threatens the defensive encryption classical computing has relied upon for decades.

The 2030 deadline has long been floated as optimal to support comprehensive migrations to robust PQC standards. In 2022, the National Security Agency issued quantum-resistant algorithm requirements specifically for national security systems. The guidance recommends software and firmware signing and traditional and niche networking equipment migrate to a PQC standard by 2030.

The exclusion of national security systems from mandatory migration efforts in the latest potential PQC executive action follows a December 2024 NSA FAQ stating that the agency intends for all national security systems to be quantum-resistant by 2035, “with the hope of completing much of the transition sooner.”

A draft memorandum developed by the Office of Management and Budget last summer and seen by Nextgov/FCW aimed to spur PQC migration efforts within the federal government by conducting inventories of high-risk network assets and asking vendors to disclose their PQC migration timelines.

President Donald Trump has consistently prioritized the advancement of both PQC and quantum information and sciences research writ large, beginning with signing the National Quantum Initiative Act during his first term in 2018.

The White House’s proposed Fiscal Year 2027 budget also includes a provision that the federal budget “maintains funding for research in artificial intelligence and quantum information science at key agencies.”

]]>

House Homeland Dems request CISA briefing amid report of leaked agency credentials

David DiMolfetta — Wed, 20 May 2026 12:23:00 -0400

Top Democratic lawmakers on the House Homeland Security Committee have requested a briefing from Cybersecurity and Infrastructure Security Agency acting Director Nick Andersen following reports of a contractor-linked leak of internal agency credentials.

Independent journalist Brian Krebs reported Monday that researchers identified a publicly accessible GitHub repository connected to government contractor Nightwing that allegedly exposed a broad collection of sensitive access information tied to systems used by CISA and its parent agency, the Department of Homeland Security.

“We demand a briefing as soon as possible on how this serious security lapse occurred, any potential security consequences, remediation activities, corrective actions related to the contractor personnel involved, and efforts to monitor for and prevent similar activity from occurring in the future,” wrote Rep. Bennie Thompson of Mississippi, the committee’s ranking member, and Rep. Delia Ramirez of Illinois, the ranking member of the panel’s cyber subcommittee, in a Tuesday letter shared with Nextgov/FCW.

The materials, stored in a repository labeled “Private CISA,” reportedly included items like authentication credentials, AWS GovCloud information and other sensitive data. The repository was later removed from public view. Nextgov/FCW has not independently verified its contents.

“Security researchers said the content openly available online included information on ‘how CISA builds, tests and deploys software internally,’ and they described it as ‘one of the most egregious government data leaks in recent history.’ We agree,” said the letter, referring to the contents of Krebs' reporting.

A Nightwing spokesperson referred inquiries to CISA.

“We do not comment on congressional correspondence but respond to members directly,” an agency spokesperson said.

A separate letter to Andersen was sent by Sen. Maggie Hassan, D-N.H., Axios reported Tuesday.

CISA has undergone significant workforce cuts in the last year, which Thompson and Ramirez say may have contributed to the incident. They worry that “a substantially reduced workforce, coupled with the administration’s indifference to security, created the conditions that allowed such a significant security lapse to occur. Moreover, we are concerned that the incident undermines CISA’s credibility.”

Editor’s note: This story was updated to include a comment from CISA.

]]>

Telecom firms form new cyber information-sharing group

David DiMolfetta — Tue, 19 May 2026 13:41:00 -0400

Several of the telecommunications industry’s largest companies formed a new cybersecurity-focused information-sharing group, roughly two years after a sweeping Chinese hacking campaign compromised several major carriers and providers worldwide.

AT&T, Charter, Comcast, Cox, Lumen Technologies, T-Mobile, Verizon and Zayo have formed the Communications Cybersecurity Information Sharing and Analysis Center, or C2 ISAC, which was announced Tuesday.

Rich Baich, chief information security officer for AT&T, is serving as the inaugural chair of the C2 ISAC’s board. Valerie Moon, a former Cybersecurity and Infrastructure Security Agency and FBI official who currently works as the executive director for the Institute for Critical Infrastructure Technology, will serve as the group’s executive director.

“The U.S. telecommunications sector recognizes the urgent need for robust, unified defenses in the face of persistent threats to networks and consumers,” a group statement reads. “The founding members formed C2 ISAC because no single company has full visibility into every threat or can address every risk alone. By sharing resources, expertise, and real-time intelligence, C2 ISAC helps members anticipate, identify and respond to cyber threats more quickly and effectively.”

In 2024, investigators uncovered a sweeping Chinese hack tied to a group known as Salt Typhoon that compromised telecom providers in the U.S. and abroad — including multiple firms now belonging to C2 ISAC — and breached U.S. lawful intercept systems used for court-ordered surveillance.

The Salt Typhoon intrusions have been underway since at least 2019, according to the FBI, and there is no clear public indication that the hackers have been fully excised from communications networks.

A suspected China-linked breach of an FBI surveillance system discovered earlier this year likely revealed phone numbers of targets being monitored by the bureau.

Communications networks are highly favored targets for hackers because penetrating them can enable access to customer data, call records and sensitive communications.

The formation of an independent ISAC is a notable step for the telecom industry. A separate but related information-sharing group focused on communications security was established in the 1980s and is run within CISA, an agency that has faced significant workforce reductions over the last year.

Federal agencies are searching for Chinese-linked telecom and surveillance equipment that officials warn could enable covert hacking and spying. The departments of Defense and Energy found a small number of vulnerable devices and are working to address the risks, according to a GAO report issued Tuesday.

]]>

Microsoft disrupts cybercrime service offering malware disguised as legitimate software

David DiMolfetta — Tue, 19 May 2026 11:00:00 -0400

Microsoft on Tuesday took actions against a “malware-signing-as-a-service” provider that has helped criminal hackers evade security defenses designed to check whether software is legitimate.

The group, dubbed Fox Tempest, was found to be abusing Microsoft code signing tools that validate whether software has been tampered with. Microsoft said it seized Fox Tempest’s website, took down hundreds of virtual machines running its operation and blocked access to another site that hosted underlying code used by the group.

Microsoft also unsealed a legal case in New York that targeted the group, and named another ransomware gang known as Vanilla Tempest as a co-conspirator.

Normally, software signing certificates are meant to prove a program is safe upon download and installation. Operations like Fox Tempest are often sought after in the cybercriminal world because they can be paid to bless hackers’ malware with a valid-looking signature to help it evade detection.

Fox Tempest has been operating its malware disguise services since May of last year, Microsoft said. The downstream impact of its operations — which have let other criminal hackers distribute ransomware and other malicious packages — “has resulted in attacks against a broad range of industry sectors, including healthcare, education, government, and financial services” in the U.S., France, India and China, the company said in an assessment of the group.

Hackers paid thousands of dollars to get their malicious code signed by Fox Tempest, with higher-paying plans receiving priority, the company added.

Illicit code-signing tools have been exchanged for years, but “what’s changed is how this activity is marketed, packaged and sold as a service, along with the scale at which it is now used across ransomware campaigns,” Microsoft’s Digital Crimes Unit assistant general counsel Steven Masada said in a prepared statement.

“When attackers can make malicious software look legitimate, it undermines how people and systems decide what’s safe. Disrupting that capability is key to raising the cost of cybercrime,” he said.

]]>

Trump says he and Xi discussed cyberattacks and spying between US, China

David DiMolfetta — Fri, 15 May 2026 12:30:00 -0400

President Donald Trump said on Friday that he and Chinese President Xi Jinping discussed cyberattacks and espionage activities carried out by both nations during their bilateral meeting this week.

Speaking to reporters aboard Air Force One during his return flight to the United States, Trump, when asked if he raised the topics in their discussions, said, “I did. And he talked about attacks that we did in China. Y’know, what they do, we do too.”

“They’re talking about the spying. Well, we do it too,” he said. “We spy like hell on them too.”

“I told him, ‘we do a lot of stuff to you that you don’t know about and you’re doing things to us that we probably do know about,’” Trump added.

The president didn’t describe specific cyber campaigns that were discussed. China has made waves in recent years for its sweeping intrusions into telecommunications systems, government agencies and other infrastructure in the U.S. and around the world.

One such campaign, tied to a group known as Volt Typhoon, involves cyberspies burrowing into critical infrastructure systems, like power grids and water treatment plants, with the goal of potentially disrupting or sabotaging them to distract the American public in the event China moves to invade Taiwan, officials have assessed.

Asked about these intrusions, Trump said, “Well, you don’t know that. I mean, I’d like to see it, but it’s very possible that they do.”

The remarks offer a rare public acknowledgment of the clandestine efforts the U.S. deploys to monitor Chinese computer networks and government officials. Intelligence agencies like the NSA and CIA rely on a range of covert tools, capabilities and secret partnerships to track foreign adversaries.

The CIA, in particular, has made a more public effort to recruit Chinese officials as assets. Its video campaigns aimed at recruiting Chinese personnel are working and have “inspired new sources,” an agency official previously said.

Trump’s remarks also reveal a notable diplomatic posture on the issue, particularly given how difficult cyber operations can be to publicly attribute or verify.

Chinese officials routinely deny allegations of hacking and espionage, though Trump’s description of his conversation with Xi appeared to suggest some acknowledgment from Beijing that it has sought to infiltrate U.S. computer networks and recruit American assets of its own.

The White House and the Chinese embassy in Washington did not immediately respond to a request for comment.

Suspected Chinese spies sought out a former senior State Department officer late last year, requesting they draft an assessment of U.S. policy priorities in Venezuela in exchange for payment, Nextgov/FCW reported in January. Such recruitment efforts have resurfaced amid a wave of departures from the federal government over the last year, as the administration has pursued various measures to shrink the federal workforce.

In Trump’s second term, U.S. officials have been seeking a more hardened approach against foreign hackers and cybercriminal groups. In doing so, they have created a budding market for offensive cyber capabilities that government and industry are still grappling with. Offensive cyber operations would be among the tools the administration plans to use against groups deemed threats to the U.S., according to a counterterrorism strategy released earlier this month.

]]>

Canvas breach spotlights cybercriminal appetite for student data

David DiMolfetta — Mon, 11 May 2026 12:00:00 -0400

A major cybercrime gang’s hack of Canvas is highlighting how education technology providers have become attractive targets for cybercriminals, whose access to student records, login credentials and other sensitive data can create opportunities for fraud, identity theft, extortion and future intrusions.

ShinyHunters on Thursday claimed responsibility for a hack into Instructure’s Canvas platform that facilitates course materials and class management for thousands of institutions. An extensive document posted by the hackers and obtained by Route Fifty lists some 9,000 customers apparently impacted in the breach, including Georgetown, Harvard and Cornell universities. It’s not clear whether all victims listed were accessed, or what data may have been stolen.

As Instructure worked to restore services, the hackers appeared to launch follow-on attacks, while students flooded social media during final exam season with photos and videos showing compromised Canvas pages appearing upon login. ShinyHunters claims it accessed names, email addresses, student identification and private messages.

The hacking group said Saturday it would not comment further. An extortion message posted on affected sites says that Instructure has until May 12 to reach out to the hackers. ShinyHunters has since removed Instructure from their Pay-or-Leak portal and the company says Canvas functions have been restored.

Route Fifty has asked Instructure if it is negotiating with the group or has paid a ransom to prevent data from being leaked.

The FBI is likely investigating the incident, according to two people familiar with the matter who requested anonymity to communicate their understanding of the government’s response to the breach.

An FBI spokesperson said on Friday that the bureau is aware of the compromise.

“If you are contacted directly by anyone claiming to have your data, we recommend you not send payment or respond to their demands. By receiving a message, that does not necessarily mean your personal information has been compromised,” their statement said.

Hackers often exaggerate or fabricate their access to sensitive or personal information to prompt payment from victims, the FBI spokesperson added. “We encourage individuals to be cautious of unsolicited emails, calls, or texts claiming to be from your school, the [Learning Management System] provider, or law enforcement and to verify the contact through known channels before responding.”

Universities are a “treasure trove” of data and ransomware hackers know this, said Cynthia Kaiser, a former senior FBI cyber official. “At the same time, the openness that defines higher education can make these institutions more exposed than many other organizations.”

Kaiser, now vice president of the Ransomware Research Center at Halcyon, said that criminal hacker groups frequently obtain credentials from other intrusions and use them to carry out other hacks.

“You have to remember that groups like ShinyHunters, Lapsus$ and Scattered Spider often log in rather than hack in,” she said, referring to a slew of major criminal hacker gangs that have made headlines for their intrusions over the years.

Any stolen data wouldn’t enable immediate financial theft, though it’s highly valuable for targeted phishing and social-engineering attacks, said Adam Marrè, a former FBI special agent and Chief Information Security Officer at Arctic Wolf.

“The biggest risk after incidents like this is not instant identity theft but scams that surface weeks or months later and appear legitimate. Students, parents, and educators should stay alert for unexpected or urgent messages, avoid clicking unverified links, enable multi-factor authentication on email accounts and be cautious with any request for personal information,” he said.

The House Homeland Security Committee is investigating the matter, according to a letter sent Monday to Instructure CEO Steve Daly from Rep. Andrew Garbarino, R-N.Y., the panel’s chairman. He asked company executives to brief lawmakers and staff by May 21.

Instructure said in a blog post that the unauthorized access involved information like usernames, email addresses, course names, enrollment information and messages. The company also “identified a vulnerability regarding support tickets in our Free for Teacher environment that was exploited.”

It’s not known how long it took for the hackers to craft the plan for the intrusion, but the fact that they carried it out during final exams “shows the level of planning that went into this attack,” said Damien Skeeles, a senior manager at Filigran, which sells open-source cybersecurity solutions.

“You wonder how much more planning went into it, and how many more acts there are to follow,” he said.

]]>

Trump admin will push for ‘long-term’ reauthorization of key cyber data-sharing law

Edward Graham and David DiMolfetta — Thu, 07 May 2026 13:21:00 -0400

The White House is pressing Congress to extend a key cybersecurity authority that is poised to expire later this year unless renewed, a top official said Thursday.

The Cybersecurity Information Sharing Act of 2015 temporarily expired during the 43-day government shutdown that occurred late last year, but lawmakers ultimately extended it as part of the stopgap funding bill that ended that lapse. The government funding package signed into law in early February included a provision that prolonged the statute through September 2026.

Speaking at the Special Competitive Studies Project’s AI+ Expo event in Washington, D.C., National Cyber Director Sean Cairncross said the Trump administration is “pushing for a long-term reauthorization” of the law.

“I expect that, on the Hill, the right thing will be done over the course of time, and we will get there,” Cairncross said.

The measure allows private sector firms to freely transmit threat intelligence to federal partners with key legal exemptions in place. Legal carve-outs were made a core feature of the original 2015 law because cyber threat information often contains sensitive data on victims and companies. To help the U.S. trace nation-state cyber intruders and criminal hackers, those datasets often need to be shared with government cybersecurity and intelligence analysts.

The White House’s national cybersecurity strategy, which was released in March, called for enhancing communication between the public and private sectors to deter cyber threats. The same document also said the Trump administration was pursuing more offensive cyber operations against bad actors, including moving to “unleash the private sector by creating incentives to identify and disrupt adversary networks and scale our national capabilities.”

Cairncross said part of that overall effort includes “working on new ways to share information between the private sector and the [U.S. government] that’s actionable, that's fast and in both directions” — including through the Cybersecurity and Information Sharing Act of 2015.

The national cyber director has previously pushed for a clean extension of the law, but his comments show the Trump administration is vying to prevent its lapse for a significant time period.

In the early 2010s, legislative efforts to establish a cyber threat information-sharing framework faced major hurdles amid public skepticism over government privacy abuses following Edward Snowden’s 2013 global surveillance disclosures.

The view shifted after the Office of Personnel Management suffered a massive data breach in 2015, compromising the personal information of over 21 million current and former federal employees, which galvanized support for the law as it stands today.

]]>

Senator warns CISA election security pullback could leave midterms vulnerable

David DiMolfetta — Wed, 06 May 2026 17:34:00 -0400

Senate Intelligence Committee Vice Chairman Mark Warner, D-Va., is demanding answers from the Department of Homeland Security over what he says is a sharp decline in federal election security support ahead of the 2026 midterms, warning that cuts to the Cybersecurity and Infrastructure Security Agency could leave states more exposed to cyber threats and foreign interference.

In a letter sent Wednesday to DHS Secretary Markwayne Mullin, Warner said state and local officials have reported that CISA is no longer providing the same level of election security training, intelligence sharing and cybersecurity assistance it offered in prior election cycles.

The letter adds to growing criticism over the Trump administration’s handling of CISA and its election security mission, which has faced deep staffing reductions enacted over the last year.

“While the states are taking valiant and expensive measures to protect their elections, it is impossible for states to independently obtain intelligence, subject-matter expertise, and real-time incident reporting, and information at the scale and speed required to protect state elections from physical and cyber threats,” Warner wrote.

After this story was published, a DHS spokesperson said that, under President Joe Biden, CISA “was focused on censorship, branding, and electioneering instead of defending America’s critical infrastructure.”

Under President Donald Trump, the spokesperson said the agency is “committed to delivering timely, actionable cyber threat intelligence, supporting federal, state, and local partners, and defending against both nation-state and criminal cyber threats.”

“CISA’s mission is ensuring state and local election officials are cognizant of and utilize the most capable and timely threat intelligence, expertise, resources they need to defend against risks, and identify critical infrastructure security needs to maintain electoral functions,” the spokesperson added.

Efforts under the Trump administration to scale back CISA and its election security resources have strained relationships with state and local officials and have raised concerns that jurisdictions may be far less prepared to counter threats in November, officials in Michigan and Georgia said late last month.

The administration’s fiscal 2027 budget proposal would eliminate the agency’s election security program funding, including information-sharing efforts and election security advisor positions.

Warner’s letter also cited testimony delivered last week by the head of U.S. Cyber Command and the National Security Agency, who said that foreign adversaries are expected to target the 2026 elections.

The senator asked DHS to explain what CISA is doing to warn state and local officials about malign influence campaigns and cyber threats targeting election infrastructure. He also requested records of election-related training, cybersecurity reviews, incident responses and outreach efforts that have been conducted by the agency since January 2025.

He also asked DHS whether any CISA personnel were involved in an FBI raid tied to election systems in Fulton County, Georgia — where Director of National Intelligence Tulsi Gabbard was publicly seen alongside federal officials — or in her office’s seizure and testing of voting machines in Puerto Rico.

The letter comes as the future of CISA’s election security role has become increasingly uncertain. Republican lawmakers and many Trump allies have long criticized the agency’s election-related activities, particularly after CISA publicly pushed back on false claims surrounding the 2020 election.

Editor's note: This article has been updated to include a statement from CISA.

]]>

US lists offensive cyberattacks in counterterrorism strategy

David DiMolfetta — Wed, 06 May 2026 17:04:00 -0400

Offensive cyber operations would be a part of a suite of counterterrorism responses aimed at groups deemed threats to U.S. interests, according to the Trump administration’s counterterrorism strategy that was released Wednesday.

Counter-terror activities against state actors “include offensive cyber operations against those planning to kill Americans or who support those plotting to do so,” the strategy reads.

The framework, more broadly, specifically lists narcoterrorists and transnational gangs, legacy Islamic terrorist groups and “violent left-wing extremists, including anarchists and anti-fascists” as the main entities threatening the nation.

Diplomatic, financial, cyber, and covert actions would be used to undermine or deter harmful state actors from assisting foreign terrorist organizations, the strategy says. Cyber operations would continue against Iran-backed proxy groups, it later adds.

The overt mention of offensive cyberattacks underscores the White House’s broader push to reshape foreign hackers’ behavior and follows several public acknowledgments of U.S. cyber warriors’ involvement in the administration’s military activities.

The specific nature of these offensive cyber operations is not described in the document.

The White House has helped shape a budding market for offensive cyber tools and capabilities, but executives and officials are grappling with legal questions over definitions of cyber offense and defense, as well as who would bear responsibility when private firms are involved in digital operations.

]]>

CISA unveils CI Fortify to help secure critical infrastructure during conflicts

David DiMolfetta — Tue, 05 May 2026 12:26:00 -0400

The Cybersecurity and Infrastructure Security Agency announced the release of its CI Fortify project on Tuesday, aiming to help critical infrastructure owners and operators defend themselves against hackers and maintain continuity during a geopolitical conflict.

“For planning purposes, operators should assume that in a conflict scenario third-party connections — such as telecommunications, internet, vendors, service providers, and upstream dependencies — will be unreliable and that threat actors will have some access to the [operational technology] network,” a webpage describing the initiative says.

Per guidance, CISA wants critical infrastructure providers to focus on isolation and recovery planning objectives.

“We strongly encourage organizations to review this guidance, implement the recommended actions and collaborate with CISA to strengthen CI defenses against opportunistic threat actors,” agency acting director Nick Andersen said in a prepared statement.

Critical infrastructure — like water treatment plants, financial institutions and electric grids — are a regular target for foreign hackers. U.S. officials have assessed for years that China is burrowing into non-military critical infrastructure networks, preparing to sabotage them should the U.S. enter into a major conflict with the nation, especially involving Chinese interests in Taiwan.

Hackers linked to China, Russia, Iran, North Korea and ransomware groups will continue to pose critical threats to U.S. networks and critical infrastructure, U.S. intelligence agencies assessed this year.

Amid the U.S.-Israel war against Iran, Tehran-backed hackers exploited and disrupted operational technology control systems embedded in multiple U.S. critical infrastructure sectors, targeting equipment manufactured by Rockwell Automation, according to a government advisory issued last month.

Last year, Australia, a Five Eyes partner, launched its own CI Fortify program.

]]>

Operational technology providers are feeling ‘annoyance’ at exclusion from Anthropic’s Mythos rollout, sources say

David DiMolfetta — Mon, 04 May 2026 15:51:00 -0400

Operational technology providers and their industry groups have been pressing for access to Anthropic’s cybersecurity-focused Mythos Preview model, arguing the initial rollout — which focused on major tech and finance firms under a global vulnerability patching effort — left out a widely exposed segment of critical infrastructure that’s often targeted by hackers.

In recent weeks, OT industry representatives have expressed frustration during roundtables and listening sessions about their initial exclusion from Project Glasswing, Anthropic’s initiative with major companies designed to secure critical software across the globe using the Mythos model, according to four people familiar with the discussions.

The processes for these firms to be granted access are ongoing, two of the people said. All of the sources requested anonymity because the discussions are private.

American Water, one of the nation’s largest regulated U.S. water and wastewater utilities, is among several organizations that have recently met with the Office of the National Cyber Director to discuss Mythos and broader AI-cybersecurity threats, said one of the people. American Water heavily relies on and oversees complex operational technology systems to manage its water treatment and distribution infrastructure.

“There’s definitely an annoyance in the OT world,” that person said. “That doesn’t mean people aren’t considering the needs of OT,” they noted, but decisionmakers dictating initial Glasswing access “weren’t thinking in those terms.”

Nextgov/FCW has asked Anthropic, ONCD and American Water for comment.

Operational technology, which is embedded in critical infrastructure everywhere, is a constant point of concern for cyberdefenders because it underpins essential everyday services like energy, water and transportation. Disruptions to those systems can have immediate real-world consequences.

DARPA recently concluded a two-year-long competition where teams built AI models to autonomously identify and patch vulnerabilities in open-source code used in critical infrastructure systems. Many major AI firms, including Anthropic and OpenAI, provided model infrastructure to participants.

Even when access is granted to Mythos, that doesn’t automatically mean all vulnerabilities in a network are fixed, said Cynthia Kaiser, a former senior FBI cybersecurity official, adding that firms will have to prioritize what to patch once they can test their infrastructure against the model.

“It’s not just about getting access. People need to think about — when they get it, where do they start?” said Kaiser, now senior vice president at Halcyon’s Ransomware Research Center.

Physical operational systems are often harder to patch than IT because they usually can’t be easily taken offline to apply fixes, and they rely on aging, vendor-controlled equipment that makes rapid patching difficult.

Regardless, “the fact that boards and CEOs have been asking about this — and that the requests aren’t coming from [Chief Information Security Officers] — shows that the release of Mythos means companies are taking cybersecurity more seriously,” she added. “I think it’s good and important that they’re thinking about this now.”

Mythos has been deemed a major turning point for cybersecurity and AI practitioners because it demonstrates how advanced models can be purpose-built for real-world cyber operations, including those planned inside the intelligence community. In the wrong hands, it could be used to carry out sophisticated cyberattacks against government networks, critical infrastructure or other key U.S. systems.

The Pentagon labeled Anthropic a supply chain risk earlier this year — and the White House later ordered a governmentwide phaseout of its technology — after the AI company declined to ease restrictions on its products being used in domestic surveillance and fully autonomous weapons.

The company has legally challenged the supply chain risk label. A federal judge issued a temporary injunction on the designation and ban in late March, which the government has said it intends to appeal.

]]>

Pentagon launches cyber apprenticeship program

Edward Graham — Tue, 28 Apr 2026 18:53:00 -0400

The Department of Defense is launching a Cyber Registered Apprenticeship Program to accelerate its onboarding of skilled cybersecurity professionals, the agency said, part of a Trump administration push to bring non-traditional talent into the federal workforce.

The initiative is being led through DOD’s Office of the Chief Information Officer and was first announced during a Labor Department signing ceremony on Monday for National Apprenticeship Week.

The 12-month program is slated to launch as a pilot this summer, with the Pentagon calling it “a significant first step in energizing the Department’s commitment to workforce innovation and rapidly delivering leading-edge expertise to the warfighter.”

The Pentagon said the apprenticeship is driven by a governmentwide focus on prioritizing skills-based hiring for technical- and cybersecurity-focused roles. The Office of Personnel Management released new standards for technology positions earlier this month that no longer include degree requirements as part of an effort to emphasize experience in the hiring process.

The new program, DOD said, will place an emphasis on preparing participants for top cybersecurity roles, including as cyber defense analysts, infrastructure support specialists and incident responders. Participants will also receive training certifications and continued education opportunities, as well as the chance to receive full-time cyber roles within DOD upon completion of the apprenticeship.

“This program is a critical investment in our people and the bedrock of our national security,” Marci McCarthy, the DOD CIO’s director of external engagements, said in a statement. “The Cyber RAP provides a direct pathway for dedicated individuals to join our mission, securing the vital networks, infrastructure, and weapon systems that our Warfighters depend on every single day.”

The effort to train and onboard new cyber talent comes as the Pentagon and other federal agencies look to fill a host of digital defense-focused roles, with the U.S. as a whole struggling to address more than 500,000 vacancies in cybersecurity positions across both the public and private sectors.

]]>

Federal drawdown of election support ‘destroyed’ ongoing relationships, experts say

David DiMolfetta — Tue, 28 Apr 2026 18:06:00 -0400

Efforts under President Donald Trump to scale back the Cybersecurity and Infrastructure Security Agency and its election security resources have strained relationships with state and local officials, raising concerns that jurisdictions may be far less prepared to counter threats to the November midterms, officials in Michigan and Georgia said Tuesday.

The warnings, delivered by state officials and other experts at a hearing hosted by Democrats on the House Homeland Security Committee, come as the Trump administration has sought to expand the federal role in election administration through executive orders and the growing involvement of Director of National Intelligence Tulsi Gabbard in election-related matters, including an FBI raid on a Fulton County, Georgia elections office.

The drawdown of CISA election resources over the last year has “been very damaging,” said Aghogho Edevbie, Michigan’s deputy secretary of state.

“We had CISA employees and officials work alongside us,” he added, describing that CISA representatives would deploy to places where voting occurred and votes were being counted to conduct security assessments. “All of those relationships have been destroyed. We’ve had instances where our local election officials have been corresponding with members of CISA, and then, all of a sudden, there’s no response, because presumably that person has been fired.”

Earlier this month, the Justice Department demanded that Michigan’s Wayne County turn over all ballots from the November 2024 election. Edevbie, in the hearing, called the inquiry “unlawful,” aligning with other state officials.

Last year, CISA put much of its election disinformation staff on leave. The White House’s fiscal year 2027 budget proposal eliminates CISA’s election security program entirely, and would cut funding for information-sharing support to state and local officials and remove dedicated election security advisors across the nation.

Election cybersecurity threats can include ransomware attacks, phishing campaigns and efforts by foreign adversaries to probe election systems and conduct influence operations.

Larry Norden, the VP of the Brennan Center for Justice’s Elections and Government program, noted that, in a recent survey, 75% of observed state and local election officials said their governments had not provided sufficient resources to fill the gap that was created by CISA cuts.

“And perhaps most damaging of all, many election officials that we talked to no longer trust the federal partners that they used to rely on to help them coordinate around election security,” Norden said.

Mo Ivory, former county commissioner for Fulton County who is now running for commission chair, criticized the FBI raid that Gabbard attended.

It “raised immediate questions about chain of custody, voter privacy, access to public records, preservation of official materials and whether Fulton County could continue meeting its legal obligations while federal authorities had taken possession of our documents,” she said.

“It also sent a message to the public servants who administer elections: even after doing your job, even after following the law, even after audits and reviews, you can still be pulled back into a political fight over an election that ended six years ago,” she added.

In 2020, Trump lost in Georgia by roughly 11,000 votes, prompting him and supporters to press state officials to uncover supposed missing votes to change the outcome. A later hand-count of the ballots upheld the original results.

“The Cybersecurity and Infrastructure Security Agency works with critical infrastructure owners and operators to assist them in securing both the physical security and cybersecurity of the systems and assets that support the nation’s election process,” agency acting director Nick Andersen said in a statement.

It adds that the agency offers state and local election officials free, voluntary support on request, including threat information sharing, technical expertise, vulnerability scanning and resilience assistance, with regional teams helping assess risks, strengthen defenses and respond quickly to threats.

“We are committed to supporting state and local elections officials to protect election infrastructure and safeguard our democracy,” Andersen added.

The tensions between the Trump administration and CISA date back to the 2020 election, when its then-director Chris Krebs publicly affirmed the security of the vote and was subsequently dismissed by Trump. In his second term, Trump has continued to target Krebs, including ordering a federal investigation last year into his government tenure.

Jessica Marsden, a deputy director and counsel at Protect Democracy, said such efforts are meant to erode sources of high quality information and that attacks on critics of the administration “look like an effort to silence those who will tell the truth.”

On Tuesday, Gen. Josh Rudd, the director of U.S. Cyber Command and the NSA, told senators it is “reasonable to expect” foreign adversaries would seek to interfere in the upcoming midterm elections. Rudd said he was unsure whether the Election Security Group, a joint task force central to countering foreign election sabotage since 2018, has been reconvened.

“I don’t know that an ESG has been established yet, but we are prepared to as required,” he said. “I think it is really important to set up an ESG and I will follow up with you on whether that is happening.”

Editor’s Note: This story was updated to add a comment from CISA’s Nick Andersen.

]]>

Italy extradites alleged Chinese state-backed hacker to US over theft of COVID-19 research

David DiMolfetta — Mon, 27 Apr 2026 17:44:00 -0400

A Chinese national accused of hacking U.S. universities to steal COVID-19 research and carrying out parts of a sweeping cyber espionage campaign earlier in the decade has been extradited from Italy to the United States, where he now faces federal charges tied to the yearslong intrusions.

Xu Zewei, 34, was transferred from Milan over the weekend and appeared Monday in federal court in Houston on a nine-count indictment alleging wire fraud, identity theft and unauthorized access to protected computers, the Justice Department said.

Authorities allege he was part of a network of contract hackers operating on behalf of China’s Ministry of State Security. Xu and co-conspirators were directed to conduct intrusions aimed at stealing sensitive COVID-19 vaccine, treatment and testing research from U.S. entities.

Xu was also allegedly involved in intrusions between 2020 and 2021, including attacks on U.S. research institutions and exploitation of Microsoft Exchange vulnerabilities tied to the sprawling HAFNIUM campaign, which compromised thousands of organizations worldwide, including roughly 13,000 in the United States.

The case highlights longstanding concerns within the U.S. government about China’s use of private-sector contractors to carry out cyber espionage. Prosecutors allege Xu worked for a Shanghai-based company that functioned as one of many “enabling” firms conducting hacking operations for Chinese intelligence services.

Court filings describe how Xu allegedly reported directly to Chinese intelligence officers and carried out specific tasks, including targeting the email accounts of immunologists and virologists conducting COVID-19 research. In one instance, prosecutors say Xu confirmed he had accessed the network of a Texas-based research university and later retrieved the contents of researchers’ email accounts at the direction of a state security officer.

Xu has denied the allegations through an attorney. He was arrested in Milan in July 2025.

The Justice Department first unsealed charges against Xu and an alleged co-conspirator, Zhang Yu, last year. Zhang remains at large. If convicted on all counts, Xu could face decades in prison.

“The extradition of Xu Zewei demonstrates the FBI’s reach extends well beyond U.S. borders,” Brett Leatherman, the FBI’s Cyber Division assistant director, said in a prepared statement. “Xu will now answer for his alleged role in HAFNIUM, a group responsible for a vast intrusion campaign directed by China’s Ministry of State Security that compromised more than 12,700 U.S. organizations. He is one of many contractors the Chinese government uses to obscure its hand in cyber operations, and others who do the same face the same risk.”

The case reflects both the scale of China’s hacking operations and the difficulty of holding alleged state-backed cyber operatives accountable. While U.S. authorities have increasingly sought to name and charge foreign cyber operators, arrests and extraditions remain less common due to jurisdictional and diplomatic constraints.

But the extradition could mark a notable step in that effort. Italian authorities arrested Xu at the request of U.S. officials, and American investigators credited international coordination with securing his transfer.

]]>

Cyber Command carried out over 8,000 missions in 2025, director says

David DiMolfetta — Wed, 22 Apr 2026 12:54:00 -0400

U.S. Cyber Command, the digital combatant command tasked with defending the nation’s cyberspace and supporting other military components’ offensive and defensive operations, carried out over 8,000 missions in 2025, its new director said Tuesday.

Gen. Josh Rudd, recently confirmed to lead Cyber Command and the NSA in a dual-hatted capacity, told lawmakers on the House Armed Services Committee that he expects that number to increase through the remainder of 2026. He testified alongside Katie Sutton, the assistant secretary of defense for cyber policy.

The 2025 total is a 25% increase compared to 2024, Rudd added. The figures, which he did not elaborate on, help to underscore how cyber elements are becoming more ingrained into military activities.

The Trump administration has sought to highlight the command’s involvement in its broader military missions. Gen. Dan Caine, chairman of the Joint Chiefs of Staff, has acknowledged Cyber Command’s role in operations that targeted Iranian nuclear facilities and the ousting of Nicolás Maduro from Venezuela. More recently, the command has played a role in Iran war efforts.

“Our participation in Operation Absolute Resolve and Operation Epic Fury are prime examples of this integration in action,” said Rudd, referring to Venezuela and Iran, respectively.

Cyber Command often conducts “hunt forward” operations, defensive missions designed to identify, mitigate and learn from foreign cyber threats that target allied host nation networks.

Sutton, in her testimony, said her office is working on a new cyber strategy expected for release this summer.

“We’re taking all of those and really making it an integrated approach that’s going to be a very bold transformation of how we think about cyberspace,” she said, describing how the Defense Department is drawing on previous national security strategies to inform the crafting of this new framework.

The department last released a cyber strategy in 2023.

]]>

Former FBI official proposes terror designations for ransomware hackers targeting hospitals

David DiMolfetta — Tue, 21 Apr 2026 10:03:00 -0400

A former FBI cyber chief is calling for the U.S. government to consider applying terrorism designations to ransomware actors who target hospitals and other critical, life-safety infrastructure, arguing a Bush-era terror financing authority could be applied beyond its traditional uses.

In testimony set to be delivered Tuesday before the House Homeland Security Committee, Cynthia Kaiser — who served as deputy assistant director in the FBI’s Cyber Division from 2022 to 2025 and is now a senior vice president at Halcyon’s Ransomware Research Center — also urged officials to examine whether prosecutors could pursue homicide charges under federal felony murder standards in cases where ransomware attacks on health facilities result in documented patient deaths.

Ransomware, malicious software that holds a victim’s systems or data hostage and demands payment in exchange for restoring access, costs U.S. victims tens of millions of dollars every year. Ransom hackers often target hospitals because disruptions can create urgent pressure to restore operations and therefore increase the likelihood victims will pay.

“When a ransomware gang encrypts a hospital’s systems and demands payment under threat of continued system lockout — knowing that patients are being diverted, that dialysis is being delayed, that surgery schedules are being canceled — I believe a serious legal argument exists that this conduct falls within those definitions [of terrorism],” says Kaiser’s written testimony, which was given to Nextgov/FCW ahead of the hearing.

“At minimum, it merits a formal, deliberate analysis by the Departments of State, Justice, and Treasury, who collectively hold designation authority under Executive Order 13224,” she adds, referring to the post-9/11 order that empowers agencies to crack down on foreign entities that commit, or pose a significant risk of committing, acts of terrorism.

The proposal is significant because, if implemented, it would broaden the use of counterterrorism tools against cybercrime, and it underscores a shift toward treating the most harmful ransomware attacks as national security threats.

Terrorism labels could give the government access to a broader set of tools than traditional cybercrime prosecutions, including the ability to freeze assets, restrict financial transactions and pursue charges against those who provide material support to designated actors, even when they operate overseas.

The label also means U.S. spy agencies could increase intelligence collection targeting the ransomware actors and their networks, and nations may face “significant diplomatic consequences” for harboring individuals involved in such cyberattacks, Kaiser adds.

Congress would likely play a central role in clarifying or expanding the legal framework for such designations, though recent administration actions — including the National Cyber Strategy and a related executive order on cybercrime — could also shape how those authorities are applied.

The proposal also suggests lawmakers consider whether the 2002 Terrorism Risk Insurance Act could help ensure hospitals get insurance coverage for cyber damages under such designations.

“The goal is not to punish victims. It is to ensure that the most dangerous actors in the ransomware ecosystem face consequences proportionate to the harm they cause,” the testimony reads.

In arguing for murder and manslaughter charges when such attacks cause death, Kaiser says the number of patient deaths caused by ransomware is higher today compared to documented evidence from previous years and that the “true number of lives lost to this crime is almost certainly in the hundreds.”

Under federal law, prosecutors can pursue murder charges when a death occurs during certain dangerous felonies, even without intent to kill, though it’s not typically applied to cyber offenses.

“Federal prosecutors should be empowered — and encouraged — to evaluate whether homicide charges are appropriate in cases where ransomware actors targeted hospitals, where deaths resulted, and where the actors demonstrated clear foreknowledge that their actions endangered life,” the testimony says.

The pace of ransom intrusions on healthcare institutions has not slowed. A ransomware attack on the University of Mississippi Medical Center in February forced clinics across the state to shut down and surgeries to be canceled.

In 2024, a major ransomware attack on Change Healthcare disrupted critical healthcare systems nationwide and highlighted how such incidents can easily create negative downstream impacts on other components of the U.S. medical supply chain.

The U.S. has previously worked with international partners to take a harder line on ransom payments, though expert views remain split. Some argue payments should be banned because they fuel further cybercrime, while others say not paying could leave victims, including hospitals, with few options to quickly restore critical systems.

“The FBI and its federal partners are doing everything they can with the authorities they currently have,” Kaiser says. “I know this from the years I spent working alongside those agents. But the worst of the worst — those targeting healthcare, those who have caused documented deaths, those operating with impunity under the protection of hostile foreign governments — deserve to face consequences that match the gravity of what they have done.”

“These hackers are counting on us to respond with incremental measures,” she adds. “I urge you to prove them wrong.”

]]>

CISA resources ‘more limited than I would like’ amid shutdown, top official says

David DiMolfetta — Fri, 17 Apr 2026 13:09:00 -0400

The Cybersecurity and Infrastructure Security Agency’s top official said resources to detect and counter hacking threats are “more limited than I would like” as the cyberdefense office grapples with funding issues facing the Department of Homeland Security.

CISA acting Director Nick Andersen told House appropriators on Thursday that many “preparatory activities within the environment, a lot of the outreach that we’d typically be able to do” are not allowed during an ongoing shutdown in the department.

DHS employees were called back to the office this week, after President Donald Trump ordered the department to use funds from the One Big Beautiful Bill Act to pay civilian employees and their furloughed colleagues who hadn’t received pay throughout the shutdown.

But due to its current cash issues, CISA is unable to cover costs beyond employee salaries, according to an email Andersen sent to staff on Monday that was obtained by Nextgov/FCW. The email specified that any non-salary expenditures now require an exception under the Antideficiency Act, which governs how agencies use their congressionally appropriated funds.

DHS has now been unfunded for about two months, amid a partisan stalemate over immigration enforcement reforms.

The cyberdefense agency also canceled plans to onboard summer interns participating in a government scholarship program for cyber talent due to the funding lapse, Nextgov/FCW reported Tuesday.

Even beyond current financial limitations, the fiscal year 2027 budget request for CISA proposes to make significant reductions to election security, workforce development, stakeholder engagement and a range of infrastructure protection resources.

The budget plans reflect long-standing skepticism from the Trump administration and its allies toward the agency, particularly over its role in 2020 election security efforts and concurrent work to counter false information online. Critics have argued CISA strayed beyond its “core” mission of infrastructure protection and federal cyber defense.

Cyber practitioners and former officials have frequently said that even the cuts put in place in the last year go too far.

Those reductions, compounded by the current shutdown, come as the U.S. continues to face cyber threats from Iran, despite recent efforts by the Trump administration to broker a deal with Tehran and Israel.

Earlier this month, CISA and other agencies said Iran-aligned hackers exploited and disrupted operational technology control systems embedded in multiple U.S. critical infrastructure sectors.

Iran has been “opportunistically focused” in its hacking efforts and has targeted unsecured devices connected to the internet, added Andersen.

]]>

Expect more cybersecurity executive orders soon, national cyber director says

David DiMolfetta — Wed, 15 Apr 2026 12:34:00 -0400

President Donald Trump is expected to sign more cybersecurity-focused executive orders in the near future, following the release of his administration’s national cyber strategy, National Cyber Director Sean Cairncross said Wednesday.

At the Semafor World Economy forum in Washington, D.C., Cairncross said, “I think that that's the case, yeah,” when asked about the likelihood of more cyber executive actions from the president.

“There’s more coming and we expect that it will be relatively soon,” he added, without elaborating.

The second Trump administration’s national cyber strategy was unveiled early last month, alongside an executive order focused on “combating cybercrime, fraud, and predatory schemes.”

Executive orders and possible revisions to long-standing cybersecurity laws were expected to follow the strategy’s release, Nextgov/FCW previously reported.

The strategy’s pillars include goals to reshape adversary behavior; promote common sense regulation; modernize and secure federal government networks; secure critical infrastructure; sustain superiority in critical and emerging technologies; and build cyber talent and capacity.

Asked about the recent announcement of Anthropic’s Project Glasswing initiative and its concurrent Mythos Preview model, Cairncross said that Mythos is “the model right now that everyone’s talking about” but that AI capabilities, generally, are getting more sophisticated.

Advanced AI threats have caught the attention of senior administration officials, including Cairncross. The intelligence community has already been eyeing the Mythos Preview capabilities.

Earlier this year, Anthropic declined to ease restrictions against its tools being used for domestic surveillance or fully autonomous weapons for Pentagon use, triggering a “supply chain risk” designation from the Defense Department and a White House order that all federal agencies phase out their uses of Anthropic tools. The company has legally challenged the move.

Cairncross didn’t directly answer questions about whether Mythos Preview should be widely distributed. Anthropic says it held back the full, public release of its Claude Mythos Preview model because it was deemed too dangerous due to its advanced, autonomous hacking capabilities.

Project Glasswing grants certain companies selective access to Mythos for further safety and capability testing.

Asked about U.S. agencies — including the Treasury Department and Commerce Department — seeking access to the Mythos model, he said, “we’re working closely with the large-language model companies, we’re working closely with the tech sector [and] we’re working closely with industry to make sure that we do this in a responsible fashion.”

“This is not a special model,” Anthropic co-founder Jack Clark said Monday, referring to Mythos Preview. “There will be other systems just like this in a few months from other companies, and then a year to a year and a half later, there’ll be open-weight models from China that have these capabilities. So the world is going to have to get ready for more powerful systems that are going to exist within it.”

Nextgov/FCW Staff Reporter Alexandra Kelley contributed to this report.

]]>

FCC selects ioXt Alliance to lead cyber labeling program

David DiMolfetta — Mon, 13 Apr 2026 12:25:00 -0400

The Federal Communications Commission announced Monday that California-based ioXt Alliance will be the lead administrator for its cybersecurity labeling program after the prior administrator pulled out of the initiative amid an investigation into its China ties.

The program, called the Cyber Trust Mark, was launched during the Biden administration and is designed to certify consumer smart devices with a label that deems them cybersecure.

The ioXt Alliance is a standards and certifications body for internet-of-things devices like remote thermostats, fitness trackers and connected cars.

“ioXt is an independent, U.S.-based non-profit organization, whose focus is on improving the security, privacy, and transparency of IoT products,” the FCC said in a statement announcing the decision.

UL Solutions, the prior Cyber Trust Mark lead, withdrew in December after FCC Chairman Brendan Carr launched a national security review earlier that year into its alleged ties to China, including the presence of technology testing locations in China’s borders.

“We are honored to be selected as a Cyber Labeling Authority for this transformative program,” Gary Jabara, CEO and Founder of ioXt Alliance said. “This recognition aligns with our mission to drive IoT security forward, and we are committed to collaborating with the FCC, UL Solutions, and industry stakeholders to make this program a success.”

]]>

US push to counter hackers draws industry deeper into offensive cyber debate

David DiMolfetta — Fri, 10 Apr 2026 12:22:00 -0400

The U.S. government has an offensive cyber wish list, and the private sector is already bidding. Many federal contractors back the effort, though they still have deeper questions about semantics and where offense ends and defense begins.

Terms like “disruption,” “cyber effects” and “defensive operations” were flung around in discussions at the RSAC Conference in San Francisco last month, one of the largest cybersecurity gatherings in the world. In discussions during and after the conference, Nextgov/FCW sought to learn how industry players perceive the vision under President Donald Trump to punch back harder against cyber adversaries, and how those industry leaders might contribute to the cause.

For the past year, industry executives and U.S. officials in closed-door meetings have weighed the concept of enlisting private sector cyber titans to hack for the government, inspired by the centuries-old practice of letters of marque and reprisal that made waves in the old days of naval warfare. But last month, National Cyber Director Sean Cairncross appeared to pour cold water on the concept.

He told audience members at an event that there’s “an enormous amount of capability on the private sector side,” but that he’s “not talking about private sector, industry or companies engaged in a cyber offensive campaign.”

Cairncross said he wants to use the “ability of our private sector … to inform and share information so that the [U.S. government] can respond” either defensively or in a more agile way to enemy hackers. His remarks came after the release of Trump’s national cyber strategy, whose first pillar focuses on ways to create obstacles for foreign state cyber operatives and criminal hackers.

But nearly a dozen interviews with industry stakeholders and former officials indicate that it remains an open question where companies draw the line on cyber offense and where the government does. The boundaries around offensive cyber are often blurred, and the private sector is still trying to learn its place. That uncertainty leaves more questions than answers about how offensive cyber operations should be structured, regulated and integrated into a broader U.S. national security strategy.

New market force

There’s consensus among security leaders that the private sector doesn’t want to be deployed for offensive hacking, said Adam Marrè, chief information security officer at Arctic Wolf. The talk of “hacking back” comes up every five to ten years, he said, but those talks break down every time for a number of reasons, mainly because of legal and ethical concerns.

Still, there’s no indication that the global cybersecurity environment is calming. Foreign adversaries would “absolutely” want access to powerful exploits that can steal information or wreak havoc on systems, Marrè said.

“[Adversaries] are mainly worried about what’s effective. So if it works, and if it ain’t broke, don’t fix it,” he said. “But if I can find a more exotic exploit that is going to allow me to have more access or access without being detected, or be able to get to somewhere I haven’t been able to get before, 100% they’re going to be looking for that."

Governments across the world are hankering for the latest and greatest hacking tools, said Elad Schulman, CEO of Lasso Security.

“If we are not developing capabilities, our enemies are developing those capabilities,” he said. “That is why we need to assume that, at any point in time, someone will find and use exploits against us.”

For years, companies have helped develop special technologies for the U.S. government’s secret cyber missions. But the new White House cyber strategy’s offensive focus sets a tone for companies and their investors, said Rob Joyce, the NSA’s former cybersecurity director.

“There’s been companies that are defense industrial base firms that know how to sell to the government, and there’s been some very boutique cyber companies that sell into the military cyber and intel community,” he said. “But this has the whole community and people out here in Silicon Valley who are not government-adjacent talking about ideas that they can help with in offensive cyber. I think it changes that ecosystem a little bit.”

Joyce is now a venture partner at DataTribe, which invests in early-stage cybersecurity companies often led by people who worked in the intelligence community. He said the government is in the market for an array of cyber capabilities, including vulnerability scanning, exploit development, tooling to analyze cyber threat data and digital infrastructure to obscure the origin of covert cyber operations.

This week, the cybersecurity world was sent into shock when Anthropic revealed it was holding back a powerful frontier AI model that could find previously undiscovered vulnerabilities at mass scale. The intelligence community is already eyeing its capabilities, Nextgov/FCW reported.

Still operating defensively

Many practitioners are advising the cyber ecosystem to invest in defensive measures, regardless of the White House’s more offensive posture.

“Being a defender, an ounce of prevention is worth a pound of cure,” said Ryan Anschutz, the incident response lead at IBM’s X-Force threat intelligence arm and a former FBI official. “A defensive prevention perspective, I think, would have more of an impact … than offensive capabilities, which, quite frankly, some arms of the federal government — their offensive capabilities far surpass the private sector.”

Even among companies that simulate adversary cyberattacks to improve network defenses, known formally as red-teaming, the definition of “offensive hacking” can get fuzzy.

“Would you classify offensive hacking as going out and fingerprinting the threat that was attacking you to gain the threat intelligence?” Anschutz said. “Is that offensive? Where does that change? Where’s the line drawn between what is offensive and what’s not offensive?”

The answer depends on who you ask.

Hacking back, in the sense of breaking into adversaries’ computer systems for data and geopolitical intelligence, takes a level of access that only belongs in the government space, said another industry executive that works closely with the intelligence community on cyber matters.

Google’s threat intelligence arm recently came out swinging with discussions of its new disruption unit, though executives soon quashed the notion that the unit is “offensive” in any way, arguing that removing infrastructure that hackers sit on is a defensive move that impedes their forward operations onto U.S. and allied systems.

Some companies are building out advanced defensive cyber solutions at as rapid a pace as the offensive market, a sign that a more capable offense is driving equally urgent demand for stronger digital shielding.

“We had just seen too many examples over and over again of how burned out these poor kids in these security operations centers are, how just overwhelmed at the enormity of all the alerts, all the boxes always flashing red,” said Bill MacMillan, a former CIA official and now the chief product officer at security operations center solutions provider Andesite.

“We have to transform. We have to adopt this technology because this is the threat environment and the resource environment that we’re operating in,” he said.

Considering new frameworks

The offensive philosophy in Washington, D.C., has made some cyber experts weigh the pros and cons of the current legal environment that facilitates hacking activities.

The NSA, Cyber Command and others are permitted to take more aggressive cyber actions to stop foreign adversaries and criminal hacker gangs. This week, the FBI said it covertly sent shutdown commands to kick Russian state-backed hackers out of thousands of routers housed in organizations around the world.

The move, like many FBI takedowns of digital infrastructure, required court authorization. More broadly, some of the most sensitive intelligence operations do not rely on a standard U.S. court warrant at all.

Even so, private companies lack those authorities. They may build the capabilities used in cyber operations, but — like a defense contractor manufacturing a missile — the decision to deploy them and the consequences that follow rest with the government, not the company.

But what happens if a firm is hacked and wants to take action? There’s room to discuss “stand-your-ground” laws that could permit companies to respond to intrusions, at least to a certain degree, said Philip George, executive technical strategist at Merlin Cyber.

“Obviously, there are some authority issues and some rules of engagement concerns, and we don’t necessarily want everyone returning fire or preemptively thwarting an attack,” he said. But if attacked in cyberspace, “what’s the extent that I can return fire, to at least take down infrastructure that may be targeting me?”

Asked if such a legal authority constitutes a counter-attack, he clarified it as a “counter-action” or “counter-response” because the former term carries “a lot of weight.”

Some serious conversations will need to be had about the future of legal measures under this offensive posture, said John Fokker, head of threat intelligence at Trellix and a former official in the Dutch National Police’s High-Tech Crime Unit.

“If authorities are operating in the grey area with certain private sector entities, I’d much rather define and start talking about that grey area,” he said.

Information-sharing between the public and private sectors — a cornerstone of modern efforts to stop cyberattacks — should also continue, he said, though he argued the process should be streamlined given the number of existing groups.

But one executive said they expect the U.S. government will ultimately find ways to involve private contractors in offensive cyber operations, even as the administration publicly draws limits.

“I believe that the government will contract for cyber operations under carefully crafted contracts,” said Kevin Spease, president at ISSE Services. “It simply depends on how you define it.”

He pointed to past U.S. conflicts where private firms supported offensive missions, arguing cyber operations could follow a similar path.

The rationale, Spease added, comes down to capability. The government, in both civilian and defense agencies, already predominantly relies on technology made by the private sector for day-to-day operations.

“The private companies have far better expertise,” he said. “Sometimes it’s easier to have a contractor do it.”

]]>

Treasury debuts effort to share cyber threat intel with crypto firms

David DiMolfetta — Thu, 09 Apr 2026 16:25:00 -0400

The Treasury Department said Thursday it will begin sharing cyber threat intelligence with cryptocurrency firms following a string of incidents in which hackers siphoned off millions of dollars in customer funds.

The department’s Office of Cybersecurity and Critical Infrastructure Protection announced the effort to “provide timely, actionable cybersecurity information to eligible U.S. digital asset firms and industry organizations, helping them better identify, prevent, and respond to cyber threats targeting their customers and networks.”

Under the program, qualifying U.S. digital asset firms and industry groups that meet agency criteria will be able to access the same threat intelligence the department already distributes to traditional financial institutions at no cost.

The move signals Treasury is increasingly treating cryptocurrency firms as part of the nation’s core financial infrastructure, folding them into existing cyber threat-sharing channels as officials grow more concerned about the scale and sophistication of attacks targeting the sector.

“Cyber threats targeting digital asset platforms are growing in frequency and sophistication,” said Cory Wilson, deputy assistant secretary for cybersecurity at the Treasury Department. “This initiative expands access to actionable threat information that helps firms strengthen defenses, reduce risk, and respond more effectively to incidents.”

Cryptocurrency is becoming increasingly central to U.S. entities seeking to go after hackers, as such bad actors often seek to steal cryptocurrency or use it as a payment method to exchange stolen data.

North Korea has built a reputation for installing shadow workers in firms around the world to steal cryptocurrency and other financial assets to fund their regime, especially its missile program. Earlier this month, DPRK-aligned hackers stole some $285 million from Drift Protocol, a Solana-based decentralized derivatives exchange, in a breach that wiped out more than half of the platform’s total value in the system.

]]>