When CISA issues an emergency directive, the message to every federal agency and every security team paying attention is to patch now. For CVE-2026-50751, a CVSS 9.3 authentication bypass in Check Point Remote Access VPN, that directive landed on June 21. despite exploitation beginning in early May. That, six-week active intrusion gap is not a footnote. It is the entire story.

The flaw itself is straightforward in the worst possible way. A logic error in the certificate-validation process, triggered when the deprecated IKEv1 key-exchange protocol is enabled, allows a remote attacker to establish a fully authenticated VPN session without a valid password. No phishing. No credential theft. No lateral movement required to reach the perimeter. The attacker walks through the front door, and the door logs it as a legitimate entry.

By the time Check Point disclosed the vulnerability on June 8, a Qilin ransomware affiliate had already used it to compromise a few dozen organizations worldwide. The post-access playbook was efficient, including Rclone for data exfiltration, the Tox protocol for command-and-control communication routed through disposable VPS infrastructure. Quiet, fast, and designed to complete the job before detection had a chance to matter.

The security product became the attack vector

There is a particular irony to CVE-2026-50751 that the industry needs to sit with. The device that was breached is not an unpatched workstation or a misconfigured cloud bucket. It is the VPN gateway, the product sold specifically to keep attackers outside the perimeter. The control designed to prevent unauthorized access became the mechanism of it.

This is not unique to Check Point, and it is not a criticism of any single vendor. It reflects a structural problem with perimeter-dependent security architecture. When the perimeter device is the trust anchor, compromising that device does not just breach the perimeter. It inherits the perimeter’s authority. Every downstream control, every identity verification, every behavior-based detection tool is now reasoning about a session it believes is legitimate, because the VPN said so.

That is the condition Qilin exploited. And patching the vulnerability, while absolutely necessary, does nothing to change the position of organizations that were breached during the May-June window. For them, the attacker is already operating as a trusted user. The CISA directive is not a remedy for those organizations. It is a message to everyone else.

Why the standard response falls short

The standard sequence after a disclosure like this is one we’ve all heard before—patch the affected systems, update detection signatures, review logs for indicators of compromise. While each of these steps is good practice, none of them solves the underlying problem.

Patching closes the door for future attackers, but it does not evict the ones already inside. Detection signatures help identify known post-exploitation behavior, but ransomware affiliates have demonstrated consistent operational discipline, using legitimate tools for exfiltration and standard protocols for command-and-control precisely because these approaches blend into normal traffic. Log review is valuable, but the attackers who exploited the vulnerability had weeks of access before anyone was looking.

The detect-and-respond model assumes that detection arrives before the damage is complete. Against a weaponized zero-day with a six-week head start, that assumption does not hold. By the time an alert fires, the data has moved. The ransomware is staged. The ransom clock has started.

Making the endpoint harder to exploit

The Check Point vulnerability forces a critical question: how do you stop payload execution when an attacker has already succeeded at authentication and bypassed every other defense?

It requires moving the defensive layer to the endpoint itself, at the point of execution, where the ransomware payload has to operate regardless of how access was obtained. Techniques that morph the runtime memory environment, transforming the structures that malware needs to find and use at execution time, stop the payload deterministically. The attacker can have authenticated credentials, a legitimate session, and weeks of undetected access. If the target environment does not look like what the payload expects, the payload fails.

This is not a replacement for patching. Organizations should apply the Check Point fix immediately, and they should treat any system with IKEv1 enabled during the May-June window as potentially compromised. But patching is the beginning, as the organizations that were inside the six-week exploitation window need a control that works after the perimeter is gone.

The lesson before the next directive

CISA will issue another emergency directive. There will be another authentication bypass, another perimeter device turned attack vector, another financially motivated threat actor with a head start measured in weeks. The patch-and-detect cycle will play out again, and organizations that had their exposure managed entirely at the perimeter will find themselves in the same position.

The lesson here is not that Check Point failed or that VPNs are over. It is that any architecture where a single authentication bypass gives an attacker operating authority over the entire environment has a structural problem that no patch resolves. Closing the door is necessary. Making sure the ransomware cannot detonate even after the attacker is inside is the part the industry still has not solved at scale.

That is the conversation the CISA directive should be starting, and mostly is not.

The post Why patch directives only go so far appeared first on CyberScoop.

The digital battlefield is expanding and changing faster than ever before. Washington must confront mounting threats to critical networks and systems. But there’s one challenge that stands out above the rest: artificial intelligence. The nation’s cyber experts need to be ready to face this new reality.

The CyberCorps: Scholarship for Service program is a federal initiative that has done just that for 25 years, contributing nearly 5,000 cybersecurity professionals to the federal workforce. The program is a success story, but the Trump administration has put this program at risk by attempting to drastically cut its funding. Fortunately, Congress has intervened, and will continue to fund the program. The administration should follow Congress’ lead and support it in the future.

The CyberCorps program was developed as an equivalent to the Reserve Officers’ Training Corp (ROTC) for civilian cybersecurity professionals, awarding student participants full scholarships and stipends for their cybersecurity education in exchange for an obligation to serve the federal government after graduation. Participants also receive specialized instruction and summer internships in addition to their coursework, providing the federal government talented, security-vetted, and well-educated employees to defend the United States from cyberthreats. 

AI is changing cybersecurity, creating both new opportunities and new dangers. CyberCorps is adapting to stay ahead. The situation is driven by three clear trends: AI is expanding rapidly across all sectors, threat actors are using it for more advanced attacks, and the newest AI models can find software vulnerabilities quicker than ever before.

In a report released last month, Google researchers said they discovered a previously unknown security vulnerability developed by AI capable of initiating a large-scale cyberattack. Experts estimate that there is now a three-to-five month window in which adversaries will start to outpace organizations using AI-driven attack methods for discovering cyber vulnerabilities. Jen Easterly, the former Director of the Cybersecurity and Infrastructure Security Agency wrote last year that cybersecurity as we know it is becoming a relic of the past — and that AI is the path forward.

Cyber threats are advancing faster than ever, and our workforce must keep pace. CyberCorps is stepping up to meet the moment. This year, program participants must have an educational background in AI or plan to develop one. The new guidelines require expertise in two critical areas: using AI in cybersecurity operations and securing AI systems themselves. We need experts who can use AI to defend us and people who can protect AI tools from being weaponized. Program graduates will have both skillsets, equipped to handle today’s threats and adapt as they evolve.

To facilitate this effort, the CyberCorps program is supporting existing participant schools by providing AI training. CyberCorps is also allowing schools to dedicate a portion of the money they receive through program membership to creating their own AI training or providing training from other institutions for students and instructors. 

These changes accomplish two important things. They prepare participants as capable cyber professionals while addressing a workforce crisis the government can no longer ignore. The Pentagon alone estimates it needs 25,000 more cyber experts. By aligning the CyberCorps program with the Trump administration’s AI workforce priorities, the government is finally putting resources behind a solution that matters.

President Trump and the National Science Foundation deserve credit for such agile footwork in adapting to this challenge. But that clear recognition makes the current budget situation even more galling. The greater emphasis on AI in the CyberCorps program could support government expertise in AI for years to come, but only if the program is properly resourced.

The Trump administration’s 2026 budget request included a 65 percent cut in funding for CyberCorps at only $21.7 million, which Congress rectified by appropriating $63 million. Despite this clear congressional signal, the president’s 2027 budget again requested $21.7 million, a drastic cut. 

Again, Congress is stepping in to fix things. The congressional funding report for fiscal year 2027 recommends adding between $60 million and $70 million of funding to the program. The report also encourages the inclusion of “AI in activities funded by the program to maximize the learning potential in both fields” and advises an increase in the number of scholarships offered. To fully institute these recommendations, the program will require even more funding. Congress is right on target.

America needs strong cyber defenders ready for the AI era. CyberCorps must lead the federal government forward. With the right support, the program will deliver the cyber success our nation demands.

Rear Admiral (Ret.) Mark Montgomery is the senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies where Sophie McDowall is a research associate. 

The post CyberCorps is adapting to AI. The budget isn’t keeping up. appeared first on CyberScoop.

AI models such as Anthropic’s Claude Mythos and OpenAI’s Daybreak represent a fundamental inflection point in security. These advances are not only reshaping technology but also redefining trust, risk, and the relationship between humans and intelligent systems. As innovation accelerates, AI governance and responsible deployment are becoming strategic priorities for every organization.

Historically, governments have played a stabilizing role during moments of transformational technological change. Yet the pace and scale of the AI era demand a new model, one built on partnership rather than control, balancing societal responsibility with the need to sustain innovation and global competitiveness.

The White House’s executive order on AI governance signals that collaboration between the industry and policymakers will increasingly shape the future landscape. Proposed frameworks that promote transparency and responsible development point toward a more coordinated approach to risk management.

Effective governance of AI models should balance clear safeguards with the speed of innovation, aligning organizations, policy makers, and technology leaders around a shared goal: advancing AI in ways that strengthen trust, security, and long-term value. The path forward is not defined by heavy-handed oversight, but by building an ecosystem of accountability.

Three key points substantiate this approach.

First, the industry should recognize Anthropic’s release of Mythos as an example of responsible innovation. Company leaders recognized the model’s risks and deliberately delayed broader deployment, allowing early testing to surface vulnerabilities before widespread adoption.

The broader lesson extends beyond a single model release. Responsible leadership means prioritizing decisions that build trust and enable sustained innovation. As AI capabilities accelerate, the most successful organizations that lead will be those that weave accountability through their ambitious pursuits, rather than treating them as competing priorities.

Second, innovation rarely thrives under rigid frameworks. History has shown that many compliance regimes, while well-intentioned, incentivize organizations to optimize for requirements rather than outcomes. Security is strengthened through systems designed for resilience and trust, which goes beyond mere compliance.

Third, slowing U.S.-based AI innovation risks weakening long-term competitiveness. The U.S. remains a leader in AI but maintaining that position will require balancing responsible safeguards with continued investment and progress. Overly restrictive approaches risk slowing domestic advancement while other nations continue accelerating development and capability.

An effective AI governance approach would encourage further responsible AI model development, as demonstrated by Anthropic. It would avoid direct government regulation and instead enforce accountability for companies that are irresponsible with AI development.

Hopefully, the partnership and collaboration between government entities and industry will continue beyond the White House order. Policymakers and industry leaders should create incentives that reward AI vendors for considering societal implications before releasing new solutions. This framework would highlight responsible providers as models for the industry while imposing meaningful consequences based on demonstrated societal harm that direct affects business and technology decisions.  

AI models such as Mythos and Daybreak underscore a broader reality: the future of AI will be shaped by the trust around innovation, not merely by its development pace. The next era of AI leadership will require a new model of collaboration between industry and policymakers that maintains the speed and adaptability that innovation demands while establishing meaningful accountability for real-world outcomes.

The objective should be to guide progress responsibly. The organizations and nations that lead in the AI era will be those that demonstrate how innovation and accountability work together to strengthen trust, security, and long-term value creation.

Art Gilliland is CEO of Delinea, a cybersecurity company focused on human, machine and AI identity protection.

The post The AI security race needs accountability, not overregulation appeared first on CyberScoop.

There’s this old proverb that’s stuck with me over the years: “Dig the well before you are thirsty.”

It really means you should prepare for the crisis before it arrives. In cybersecurity, it’s a mentality that’s long underpinned investment, strategy and board-level conversations. And by many measures, organizations appear to have already ‘dug’ that well. They feel ready.

New research even emphasizes how nearly eight in ten organizations (79%) are confident they’re prepared to handle a cyberwarfare attack, while a further 76% believe they’re ready to mitigate an AI-driven threat if it came their way.

Yet, reality tells a more complicated story. Confidence alone doesn’t translate into readiness. With the constant advancement of AI alongside ongoing geopolitical escalations, many enterprises are finding that traditional preparedness markers simply don’t translate into real resilience.

What we have is a readiness paradox forming within the industry. Organizations are realizing that the ‘well’ they believed was already dug isn’t quite as deep as they thought. So, where are they going wrong?

The real cost of mistaking preparedness for resilience

The root cause can be traced back to generative AI’s rapid rise and adoption. It’s a tool that dominates boardroom discussions, and, while defenders are racing to adopt it, attackers have already weaponized it at scale. The challenge is that ambition on the defensive side is still outpacing operational reality.

More than half of organizations (54%) that participated in our research recently admitted they lack the budget and resources required to fully invest in AI-powered security solutions. A further 55% say they don’t yet have the expertise needed to implement and manage those technologies effectively. In other words, most teams are still building the capabilities required to support the very tools they’re being encouraged to adopt.

At the same time, generative AI is accelerating the scale and size of the attack surface security teams are expected to defend. Modern enterprises now operate across sprawling ecosystems – everything from cloud infrastructure to third-party integrations – with each new connection introducing a potential entry point into an enterprise’s environment, creating a growing web of complexity.

That complexity is exactly what attackers exploit. Organizations are facing an average of 960 security alerts a day, creating an environment of constant triage where excessive alerts. These often lack the context needed to prioritize them, leading to slower responses, missed signals and general unpreparedness. It’s why we increasingly see headlines like China-linked hackers breaching numerous companies and government agencies in different countries or a single compromised account giving hackers access to millions of banking records.

Part of the problem ultimately comes down to how preparedness is often measured. For many organizations, readiness is still closely tied to compliance – passing audits, implementing required controls or meeting regulatory benchmarks. But compliance success doesn’t always translate into technical resilience.

The deeper challenge lies in how exposure continues to accumulate across increasingly complex digital environments. Until organizations develop a clearer understanding of how risk forms and concentrates across their digital ecosystems, preparedness will remain difficult to translate into genuine resilience.

From confidence to resilience

If organizations are to close the gap between perceived readiness and operational reality, they need a clearer understanding of where risk actually exists. This is where cyber exposure management comes in. At its core, it shifts the focus from reacting to incidents toward continuously understanding how exposure forms across the enterprise.

Consider a typical large enterprise with thousands of connected assets, spanning employee laptops, printers, operational equipment and more. A single phishing email could land in an inbox and compromise a user’s laptop. On its own, that device may seem like a low-priority alert. But, if that laptop had access to key shared drives, internal applications or operational systems, the attacker now has a pathway to move deeper into the environment and potentially reach sensitive data or critical services.

Without awareness of how every asset and system connects, security teams are left prioritizing alerts based on technical severity rather than operational consequence. And that’s what makes cyber exposure management so critical. Instead of treating vulnerabilities as isolated technical issues, it continuously maps assets, connections and dependencies across the environment to reveal how risk actually concentrates.

This awareness is built through continuous visibility. When organizations can identify assets in real time, understand their behavior, and analyze how they connect across the broader ecosystem, they gain a contextual overview of risk that traditional security tools simply struggle to provide.

Teams can prioritize exposures by business impact and address them quickly to protect the environment. This clarity helps them invest where it reduces risk the most, identify the systems most critical to operations, and focus defenses before disruptions occur

Digging deeper on preparedness

Modern digital ecosystems are simply too interconnected, too dynamic and too exposed for risk to ever be fully eliminated. It’s all about understanding where exposure truly exists and how quickly it can evolve. For leaders, this requires a shift in mindset, because preparedness is rarely revealed in moments of calm – it’s tested when pressure arrives.

So, before that moment comes, make sure the “well” is dug deep enough to withstand what lies ahead.

The post The readiness paradox: Why a false sense of cyber confidence is becoming a liability appeared first on CyberScoop.

Earlier this month, ShinyHunters breached Instructure’s Canvas platform twice within a single week — stealing 3.65 terabytes of data from approximately 275 million users across more than 8,000 institutions. The group defaced login pages at hundreds of schools during final exam periods, forced Canvas offline, and extracted a ransom payment before Congress opened a formal investigation. The attack did not require exotic malware or zero-day exploits. Attackers entered through compromised “Free-For-Teacher” accounts, escalated rapidly, and exfiltrated sensitive data at scale before Instructure could contain them.

That sequence — entry through weak identity controls, rapid lateral movement, mass exfiltration, extortion, disruption — is now the standard playbook. It will happen again, unless the priority for security and technology leaders becomes reducing the blast radius of every intrusion before it happens.

The problem with how enterprises think about SaaS risk

Modern organizations have consolidated critical operations inside shared SaaS platforms, creating enormous concentrations of risk in single points of failure. When Canvas went down, thousands of students could not access coursework, faculty lost contact with their classes, and administrators scrambled to postpone exams. The scale of disruption came from how deeply institutions depended on Canvas, not from the vulnerability alone.

That asymmetry is the defining feature of SaaS risk in 2026. A single compromised account at a shared platform can trigger sector-wide operational failure. Yet most enterprise security frameworks still treat SaaS platforms primarily as availability problems — measured by uptime, recovery time objectives, and business continuity plans. Canvas exposed the gap in that thinking. Availability means nothing when the platform is operational but the data inside it has already been stolen.

Resilience in SaaS environments requires a harder and more honest premise: treat compromise as continuous and expected. Attackers will reach critical systems. The real test is how much they can take, how far they can move, and how long they can persist before detection and containment.

Identity is the perimeter now

The Canvas attack followed a pattern that has repeated across sectors for years. By compromising legitimate accounts with excessive standing privileges, the attackers moved laterally through Canvas infrastructure, maintained persistence, and exfiltrated data at a scale that took days to quantify.

Too many organizations still operate with fragmented identity controls, inconsistent privilege management, and limited visibility into how accounts interact across SaaS integrations. When attackers compromise a legitimate account, they inherit whatever access that account holds — and in most environments, that access far exceeds what the user actually needs. The result is that identity has become the most reliable attack surface in the modern enterprise, and most organizations are still treating it as a secondary concern.

Strong passwords and multifactor authentication are necessary but no longer sufficient. Enterprises need continuous identity verification, tightly scoped privileges, aggressive governance over third-party integrations, and real-time visibility into anomalous access patterns across SaaS systems. Identity governance cannot be a compliance checkbox. In cloud-native environments, it should be the primary control that determines how far an attacker can travels if they manage to get inside.

Data protection cannot stop at the application layer

Even organizations with strong identity controls face a second, underappreciated problem: the data stored inside SaaS platforms is often far less protected than the credentials used to access it.

Enterprises accumulate vast repositories of sensitive information inside SaaS environments — private messages, accommodation requests, financial records, personal disclosures — while relying almost entirely on application-level access controls to protect it. When those controls fail, as they did at Canvas, the data is immediately readable, searchable, and monetizable. 

Attackers do not need to crack anything. They simply take it.

Cryptographic protections — including encryption strategies that preserve organizational control over sensitive data even after it leaves the platform — directly reduce the value of a successful exfiltration. Stolen data that cannot be read or used is far less valuable as an extortion instrument. That distinction matters significantly in today’s threat environment, where the leverage attackers extract from stolen data often outlasts the breach itself.

The threat does not expire when the incident ends 

The “agreement” between Canvas’s parent company and attackers illustrates a risk that most organizations have not yet fully priced in. While Instructure received digital confirmation that the stolen data was destroyed, Congress opened an investigation anyway. The Instructure CEO has been called to testify before the House Homeland Security Committee. Affected institutions — many of which had no visibility into Instructure’s security posture or incident response capabilities — remain accountable for protecting student data they can no longer control.

That accountability gap will not close after Congress concludes its inquiry. Sensitive data stolen during incidents like Canvas retains value long after the breach itself. Adversaries increasingly collect encrypted data today with the expectation that it can be decrypted later as cryptographic standards age or quantum computing capabilities mature. This “harvest now, decrypt later” approach means that encryption protecting data only in the present still leaves organizations exposed downstream.

Strong cryptographic protection must therefore be paired with crypto-agility and post-quantum readiness. Security leaders should assume that any sensitive data exfiltrated during a SaaS breach may remain a target for years, not days. If stolen data remains immediately usable, attackers retain leverage indefinitely. If it does not, the economics of extortion shift.

What the Canvas breach actually demands

The lesson from Canvas is not that SaaS platforms are inherently insecure. They remain foundational to how modern organizations operate and scale. The lesson is that the assumptions underlying most enterprise security strategies — that prevention is the primary objective, that access controls are sufficient data protection, that recovery means restoring uptime — no longer match the realities of today’s threat environment.

Attackers have already internalized this. They target SaaS platforms precisely because the concentration of data and operational dependency makes them extraordinarily high-value targets. They exploit identity weaknesses because those weaknesses are pervasive and reliable. They apply extortion pressure because stolen data retains leverage long after technical remediation.

The organizations that close this gap — by treating identity governance as mission-critical infrastructure, implementing cryptographic protections that survive exfiltration, building recovery discipline alongside prevention, and planning for post-quantum exposure — will be significantly better positioned when the next breach arrives. And it will arrive. The only variable is how much it costs.

Rishi Kaushal is the CIO of Entrust, a company that helps organizations fight fraud and cyber threats with identity-centric security.

The post The Canvas breach proved that prevention is no longer enough appeared first on CyberScoop.

If you had time to walk the expo floor at this year’s RSA Conference, it was impossible to miss the shift in our industry. Artificial intelligence has moved from an emerging layer to the foundation of what powers cybersecurity companies. But from our vantage point as investors who work closely with founders and operators, the bigger shift is how AI is changing how these companies are formed, funded and scaled.

The past year marked an inflection point. A surge in venture funding and headline acquisitions underscored a market moving faster than many expected. Startups that once spent years iterating toward product-market fit are now emerging from stealth with mature products and raising large early rounds almost immediately. Meanwhile, the traditional progression from seed to Series A is compressing into a much shorter, higher-stakes window, and legacy companies are being forced to move faster than ever to stay relevant in today’s landscape.  

Venture funding is concentrating around fewer, larger AI bets

The acceleration reflects real capability. AI has cut the time and cost of building and iterating on cybersecurity products, allowing small teams to move at unprecedented speed. But faster development doesn’t change the basics: durable businesses still require clear differentiation, strong go-to-market execution and proven customer demand.

What has changed is how capital is being deployed. Venture funding in cybersecurity is increasingly concentrated into fewer companies, with larger rounds and higher valuations. The market is increasingly binary: startups are expected to either secure AI systems or use AI to deliver clear, measurable improvements in security outcomes. Companies that can’t clearly stake out one of those positions are finding it harder to attract attention from both investors and acquirers.

Higher valuations can accelerate momentum, but they also raise the bar for performance. When growth does not materialize as expected, the path forward becomes more difficult, particularly in a market that is moving as quickly as this one.

AI-native startups are operating with smaller, more technical teams

AI is also reshaping how cybersecurity companies are staffed and operated. The most effective teams today are smaller and more technical, relying heavily on automation to extend their capabilities. Engineers are increasingly focused on orchestrating AI systems rather than building every component from scratch, shifting the nature of technical work toward higher-level problem solving and system design. They can iterate faster than ever before, putting pressure on fast-paced innovation and high-capacity outputs. 

This is creating a widening gap between companies that are built around AI from the start and those trying to retrofit it into existing models. For newer startups, this approach is often foundational. For incumbents, it can require significant changes to both technology and culture, leading to an upcoming M&A wave that’s already in the early innings.  

Threat actors are using AI to scale attacks and lower barriers to entry

At the same time, the threat landscape is evolving. AI is lowering the barrier to entry for offensive cyber capabilities, enabling less sophisticated actors to execute attacks that previously required significant expertise. This is increasing both the volume and complexity of threats facing organizations. We’re seeing early responses to that with things like Anthropic’s Project Glasswing, which aims to bring together leading organizations to protect critical software.

The expansion is not limited to traditional network or endpoint attacks. AI is introducing new attack surfaces, from machine identities to autonomous agents and decision-making systems. It is also unleashing new forms of risk, including more advanced disinformation campaigns and other narrative-driven attacks that can impact markets and corporate reputations as much as technical systems.

Cyber defense is shifting toward autonomous, machine-driven models

As attackers scale their use of AI, defenders are being forced to do the same. Cybersecurity is moving toward a model where machine-driven systems play a central role in both detecting and responding to threats. In many cases, the dynamic is moving from human vs. machine, to machine vs. machine.

This shift is driving innovation across the market. New categories are emerging around securing AI systems and workloads, while established areas like endpoint security, data protection and vulnerability management are being rebuilt with AI at their core. These changes are enabling new capabilities but also increasing the pace of competition across the industry.

M&A and platform strategies are accelerating alongside AI innovation

The speed of innovation is also reshaping consolidation across cybersecurity. Larger platforms are moving to incorporate AI capabilities more quickly, while startups are building toward platform strategies earlier in their lifecycle. This is compressing timelines for both growth and acquisition. When incumbents can’t innovate quickly enough, they can buy instead.

Capital continues to play a central role in this dynamic. Strong funding environments are enabling companies to scale quickly, but they are also introducing risk when valuations outpace underlying performance. Some of the largest rounds are functioning as signals of market leadership as much as sources of operating capital.

There is growing awareness that not all these companies will meet expectations. The same conditions that enable rapid growth can also expose weaknesses quickly, particularly if customer adoption and revenue do not keep pace.

What founders and investors are watching for the rest of 2026

The defining characteristic of the current market is speed. The gap between companies that can adapt to these changes and those that cannot is widening quickly.

For founders, that means balancing urgency with discipline – building AI-native products while staying focused on real customer problems. For investors, it means identifying teams that can execute in a rapidly changing environment and build companies that endure beyond the current cycle.

The cybersecurity landscape has always evolved alongside technology and threat activity, but the pace of change today is different. The companies that emerge as leaders in the next phase of the market will be those that can operate effectively in that reality, where AI is foundational, competition is global, and the timeline for success is shorter than ever.

The post AI is separating the companies built to scale from the ones built to sell appeared first on CyberScoop.

Missile and drone attacks that took out cloud data centers in the Middle East underscored a critical vulnerability in the modern economy: reliance on digital infrastructure that sustains competitive advantage and operational continuity for corporations, nations, and militaries. 

The outages and downstream disruption were a preview of a new form of strategic and operational risk. Data centers have long been the backbone of the digital economy. What is changing is the scale of dependence as AI workloads dramatically increase the compute power required to run businesses, supply chains, and national security systems. 

Artificial intelligence has moved beyond business applications and into the core of warfare and national security. Last month, The New York Times reported that AI is “totally integrated” into the collection of intelligence and its use in strategic decision-making and military operations. Even if AI models are not directly firing weapons, AI-enabled analysis now plays a central role in how modern militaries gain visibility, find insights, and drive action.

That matters because it changes what should be considered critical infrastructure. If AI is a competitive advantage for companies and a battlefield advantage for warfighters, then the infrastructure that trains, hosts and runs AI becomes a high-value target. Attacks on the digital infrastructure organizations rely on can do more than inflict financial damage. They can slow decision-making, degrade logistics and reduce military effectiveness without ever engaging a conventional force.

Historically, nation-state campaigns targeting data centers and service providers focused on cyber intrusions for espionage or pre-positioning. What is different now is the emergence of physical attacks on digital infrastructure during active conflict. Russian military intelligence has been linked to campaigns aimed at digital infrastructure and managed services, often as part of a supply chain attack to compromise organizations at scale. Iran-aligned groups have repeatedly demonstrated willingness to target private sector entities to advance geopolitical goals. In many cases, the objective was access: steal data, implant persistence, map networks, and maintain a foothold that could be used later for espionage or disruption. 

What’s clearer now than ever before is that data centers and the AI workloads they support have become so vital to modern society, our adversaries will seek to degrade or destroy their efficacy as a tactic of both kinetic and cyber warfare.

We have already seen how quickly a digital incident can become real-world disruption. On March 11, reports surfaced of thousands of servers and endpoints wiped inside Stryker, a U.S.-based medical device manufacturer. A hacktivist group sympathetic to Iran, known as Handala, claimed responsibility. The incident reportedly halted Stryker’s global production after attackers accessed its Microsoft environment and issued a wipe command via Intune. Even without a single missile, the outcome looked like a strategic disruption: operations stopped and downstream customers felt it.

For business leaders, the imperative is clear: treat operational resilience as a board-level priority in the AI era.

In the world of corporate IT, cybersecurity prioritizes confidentiality: preventing theft of sensitive information. Resilience is a different discipline. It is the ability to sustain operations when systems are degraded, disrupted or actively under attack. For data centers and the businesses that depend on them, resilience comes down to preventing cascading failures and reducing the consequence when something inevitably goes wrong.

These developments carry an important implication for the private sector. Digital infrastructure is increasingly a strategic target, making resilience a core business priority rather than a narrow IT issue. For business leaders, the impact of data center disruption extends into multiple, often overlooked areas of cybersecurity risk.

For example, AI’s growth is colliding with a power wall in many regions where grid capacity cannot scale fast enough. That is driving facilities toward new power dependencies, including on-site generation through distributed energy and renewables, yielding more complex power management environments. This power infrastructure becomes a pressure point as interruptions to power supply or management systems can quickly force a data center offline. Russia has on several occasions demonstrated the ability to target and disrupt power generation and distribution in Ukraine in both 2015 and 2016.

Building management and automation systems, including HVAC and physical access controls, are another. These systems are essential to creating safe and supporting operational environments, but they typically have long capital depreciation cycles and inconsistent security safeguards. Frequently exposed to the Internet, and commonly misconfigured and not properly secured, they can become a pathway to outages by an attacker.

With an increasing density of computing infrastructure, thermal management has become a core environment control in data centers. As the industry adopts liquid cooling for dense AI loads, interference with cooling is no longer a niche technical issue. It is a risk vector that can cause downtime and potential equipment damage if breached by attackers.

Remote access creates another major exposure. Data centers rely on vendors, contractors, and systems integrators for maintenance, monitoring, and support, and each remote connection can become an entry point if it isn’t tightly controlled, centrally managed, and well secured. Adversaries often target these trusted access routes because they can be easier to compromise than a well-defended perimeter, allowing attackers to bypass standard controls and safeguards.

All of this has broader economic implications because data center disruption does not stay inside the technology sector. It cascades into the industries that keep society functioning and supply chains moving: hospitals, electric utilities, chemical production, food and beverage, oil and gas, and transportation. An extended outage becomes missed shipments, halted production, delayed care, safety concerns and lost trust.

What should leaders do now?

Start by defining resilience targets that match business reality: what must stay running, what can degrade, what cannot fail. Then invest in the controls that limit the impact of an incident. Segmentation between IT and OT assets should be non-negotiable. Remote access should be treated as a critical risk pathway with least privilege, strong authentication and continuous monitoring.

Manage facilities systems such as building management systems, power, and cooling controls as critical operational technology, with asset inventories, vulnerability management, logging, and incident response plans that anticipate disruption.

Finally, train to operate under degraded conditions. Tabletop exercises should include scenarios like loss of a cloud region, partial failure of a facility, or compromise of a management plane. Use these exercises to validate that the organization can maintain essential operations and recover quickly when disruptions occur. 

Policy is moving in this direction as well. Governments are increasingly treating data centers as critical infrastructure. Policies and frameworks such as the National Cybersecurity Strategy, CISA’s Secure by Design principles, and international standards like IEC 62443 all reflect a growing recognition that digital infrastructure is a national security issue. Companies that get ahead of this shift will not only reduce risk, they will build competitive advantage in a world where downtime can become a strategic weapon.

In the AI era, data centers are essential infrastructure for modern economies and national security. Their rising importance also makes them attractive targets in cyber and physical conflict. Protecting them is no longer just about safeguarding company operations, it is about protecting the systems society depends on every day. 

Grant Geyer is the chief strategy officer at Claroty.

The post Why data centers now belong on the critical infrastructure list appeared first on CyberScoop.

Anthropic recently announced that it would not release Mythos, its most powerful AI model, to the public. The model discovered thousands of previously unknown software vulnerabilities — flaws that had sat undetected in major operating systems and web browsers for as long as nearly three decades. Anthropic said the model was too dangerous to deploy broadly because the same capabilities that let it find and fix security flaws could let attackers exploit them. A single AI agent, the company warned, could scan for weaknesses faster and more persistently than hundreds of human hackers. 

That decision tells you something important about where we are. The same AI systems that companies are racing to deploy as autonomous assistants — scheduling your appointments, writing your code, managing your workflows — are also capable of probing digital defenses at a speed and scale no human team can match. And most of the systems they’d be probing still rely on a security model designed for an era when a person sat behind every keyboard. 

Think of it like a building where every door has a lock, but the locks were all designed to recognize human hands. Now the building is full of robots — some of them authorized couriers, some of them intruders — and the locks can’t tell the difference. 

Not long ago, you could sit at your desk, glance at the sticky note on your monitor for your username and password, type them in, and grab a cup of coffee while your browser opened a doorway to the rest of the world. Every layer of security that followed — passwords, security questions, biometric scans, two-factor authentication — grew out of a single bedrock assumption: a person was on the other end. 

AI agents break that assumption from two directions at the same time. Legitimate agents need credentials to act like a human. OpenAI’s Operator navigates websites on your behalf. Google’s Gemini can plan your next family vacation while you sleep. Visa recently unveiled Intelligence Commerce Connect, a platform that lets AI agents do the shopping for consumers. These aren’t demos or hot takes from a tech conference floor. They’re shipping products that act on behalf of real people—and to do that, they need your identity. 

At the same time, adversaries can fake humanity at scale. The same AI that can act like a helpful assistant convincing can also be a malicious impersonator. They don’t break in, they log in—through shared credentials, hiring pipelines, vendor onboarding portals, and collaboration tools. Most organizations still treat identity as a login problem—something IT handles with stronger passwords or additional authentication steps layered on top of existing systems. The harder challenge now is knowing who, or what, you’ve already let in. 

That distinction is collapsing just as digital systems become more autonomous. 

When that distinction blurs, the damage is concrete. If a procurement workflow cannot distinguish between a human manager and an AI impersonator, purchase orders go out under false authority. When compliance logs cannot determine how a decision was authorized — by a person or a bot — the accountability chain falls apart. Regulators and customers will not accept “we’re not sure” as an explanation. 

The economics have tilted sharply toward the attacker. Sophisticated fraud once required coordination, with people researching targets, crafting messages, and adjusting tactics in real time. AI agents eliminate those constraints. One person can now supervise an army of autonomous systems, each running a valid persona across multiple interactions simultaneously. A single operator can field a hundred synthetic employees for the cost of one real salary. The barrier to large-scale impersonation is no longer skill or manpower. It is access to a capable model and a set of stolen credentials. 

Stronger identity controls do carry a cost. Every additional verification step is a moment when a customer might abandon a transaction, or an employee might lose patience with a security protocol. The goal is not to shut down automation. It is to make sure the systems acting in your name are authorized to do so. 

Some organizations are adapting. They are treating AI agents less like software and more like new employees, cataloging every agent in their environment, limiting permissions, requiring human approval for sensitive actions. They are moving beyond passwords to phishing-resistant authentication that binds access to a known device and a verified user. They are building behavioral baselines so that when a customer service bot suddenly queries a financial database, or a new hire accesses source code on day one, alarms go off. 

Nobody keeps their password on a sticky note anymore (I hope). But the assumption behind the sticky note, that a human hand would type it in, still underpins most of the systems we depend on. These systems hold your medical records, process your mortgage, and let an AI assistant rebook your flight. In a world where AI agents act faster, more persistently, and more convincingly than any person, that assumption is the vulnerability. 

The organizations that can verify identity continuously — not just at the door, but at every action, for every actor, human or machine — will have a durable advantage. The ones that cannot will find out what ambiguity costs. 

Devin Lynch is Senior Director of the Paladin Global Institute and a former Director for Policy and Strategy Implementation at the Office of the National Cyber Director. 

The post Everyone’s building AI agents. Almost nobody’s ready for what they do to identity. appeared first on CyberScoop.

Mythos matters. It is a significant step forward in AI-assisted vulnerability discovery. But it does not mean cybersecurity changed overnight, nor does it mean enterprises are suddenly facing fully automated exploitation at internet scale tomorrow.

It does mean the offensive side of AI is continuing to improve. The defensive side needs to catch up now.

Mythos is the latest step in a longer trend. Over the next several years, expect the same pattern to repeat: incremental progress, then a jump; incremental progress, then a jump. Models will get more capable and cheaper with each cycle, and each jump will put more pressure on security teams still operating at human speed.

Mythos demonstrated that AI can find software vulnerabilities with unprecedented depth. That is real progress and should be taken seriously. However, this was not a case where AI suddenly made enterprise compromise cheap, easy, or automatic. Even in Anthropic’s own examples, the cost of discovering a critical vulnerability was significant. One example cited roughly $20,000 in token costs to identify a significant OpenBSD issue. 

Mythos made vulnerability discovery cheaper to scale by replacing bodies with dollars. But finding a vulnerability is only one part of the operational reality.

An attacker still has to determine whether that vulnerability is exploitable in a specific enterprise, identify a viable attack path, gain the necessary access, and successfully operationalize the exploit in a real environment. None of that became easy just because a model found a software bug.

And on the defensive side, Mythos does not yet solve the much harder enterprise problem: How do I know whether this vulnerability is actually exploitable in my environment, and what is the most efficient way to remediate it without breaking the business?

The real enterprise problem is not discovery. It is prioritization and action. Security leaders do not struggle only because vulnerabilities exist. They struggle because the operational cost of deciding what matters, what is exploitable, what can wait, and what can be fixed safely is enormous.

If a large enterprise learns that a critical vulnerability has been found in widely used software, the next step is not magic. It is a painful chain of operational questions focused on where they run the software, what version it is, whether there is a realistic attack path, and many more.

Mythos leaves the defensive cost of answering those questions inside a real enterprise largely unchanged. The right lesson is preparation.

One of the mistakes the market often makes with AI is assuming every new capability is the moment everything changes. The right move is to start now with defensive AI systems that are useful today and positioned to improve over time. For most enterprises, that means looking for AI products that help improve alert investigation, threat hunting, and vulnerability management, offer full audit capabilities, connect to enterprise data and reason to provide organizational context, and evolve as the model landscape matures.

The goal is to build the operational foundation now for a future in which more of the work can be automated safely.

Today, defenders need systems that let humans remain involved while the machine helps them scale. Over time, that involvement will change. Analysts will spend less time doing repetitive work themselves and more time orchestrating, reviewing, and improving how automated work gets done.

Eventually, some workflows will need to be reviewed in bulk rather than one action at a time. When response moves at machine speed, a human may not approve every individual remediation action. Instead, they will need a control center view into patterns: what the system did today, what worked, what did not, and what should be adjusted tomorrow.

That is a very different future from the simplistic idea of “replace the analyst.”

The real future is one where humans move from doing every task manually to supervising systems, shaping policy, reviewing patterns, and controlling how increasingly capable agents operate.

Mythos is a warning. Not because it means the sky is falling. Because it shows where the offensive side is heading. Defenders should move accordingly and with urgency.

Alex Thaman is the chief technology officer at Andesite. Over a 20+ year career, Alex has been an engineering leader at Microsoft, Unity Software, and Scale AI.

The post Mythos can find the vulnerability. It can’t tell you what to do about it. appeared first on CyberScoop.

Two weeks ago, a suspected North Korean threat actor slipped malicious code into a package within Axios, a widely used JavaScript library. The immediate concern was the blast radius: roughly 100 million weekly downloads spanning enterprises, startups, and government systems. But beyond the sheer scale, the attack’s speed was just as worrisome – a stark reminder of the tempo modern adversaries now operate at.

The Axios compromise was identified within minutes of publication by an Elastic researcher using an AI-powered monitoring tool that analyzed package registry changes in real time. The approach was right: AI classifying code changes at machine speed, at the moment of publication, before the damage compounds. By any standard, it was a fast response. The compromised package was removed in about three hours. But even in those three hours, the widely-used package may have been downloaded over half a million times.

This underscores a new reality. Enterprises and the public sector are being overwhelmed with attacks that are increasing in both speed and complexity, driven in part by AI. Adversaries are probing every link in the supply chain, and they are doing it at a pace that human-speed defenses cannot match.

This project is one example of using AI to tackle a security problem, but it also makes a broader case: AI-powered security can dramatically improve SOC efficiency especially when organizations across the public sector and beyond are drowning in attacks.

The direct threat to the public sector

Government agencies increasingly rely on the same open-source JavaScript frameworks as the private sector, so a poisoned package can give an adversary access to sensitive systems before anyone realizes the supply chain has been poisoned. This is a direct threat to national security and critical infrastructure, especially when the payloads are cross-platform, affecting macOS, Windows, and Linux.

What is most critical now is understanding and correctly preparing for the frequency and speed at which these attacks occur.

AI has fundamentally lowered the barrier to sophisticated cyber operations, granting relatively unsophisticated bad actors and small nation-states capabilities once reserved for elite criminal groups and countries. Adversaries now leverage AI to automate reconnaissance, craft convincing social engineering, and develop evasive malware. With a new vulnerability discovered every few minutes, the pace is accelerating.

For the public sector, the threat model has expanded. Defending against known nation-state playbooks is no longer sufficient—that’s just the baseline. Groups that couldn’t execute at nation-state levels five years ago now operate with comparable sophistication, while state-sponsored actors operate with unprecedented speed and automation. Staying ahead means moving beyond traditional defense to meet a threat landscape that is increasingly automated and ubiquitous.

AI is not optional

Adversarial AI is the defining threat of the current operating environment. Automated reconnaissance. AI-generated obfuscation. Machine-speed deployment across multiple vectors simultaneously. The adversary has implemented AI faster and more aggressively than most defensive teams.

It is rapidly becoming unquestionable in security: if you are not using AI to battle AI, you will lose.

That does not mean buying into the autonomous SOC fantasy. That approach treats AI in isolation, as if defenders are the only ones with access to the technology. Defensive AI is not a win button, but the minimum entry fee to stay level with the attacker. You still need business context, mission knowledge, and human judgment.

The agentic SOC transformation

The Axios compromise should serve as a clear signal. Nation-state actors are targeting the software supply chain with increasing frequency and sophistication. The government agencies and organizations that will defend successfully against these threats are the ones building security operations that can move just as fast as the threat actors they face.

AI-driven security operations that can match the speed of modern threats, like agentic workflows that automatically triage, investigate, and contain suspicious activity are operationally necessary. Having an agentic SOC mindset and approach to how these centers work will empower analysts’ activity. Agents will operate on behalf of the analyst automatically and transparently.

The traditional SOC pyramid puts humans at the bottom doing the highest-volume work. A wide analyst tier triaging alerts, feeding a narrower senior tier handling investigations. Adversarial AI has made that base layer untenable. The volume is too high, the speed too fast, the surface area too broad. The pyramid inverts into a diamond – AI takes the base while analysts rise to become threat engineers: managing, validating, and improving the agents working on their behalf.

AI agents handle the high-volume work of alert correlation, investigation enrichment, and initial containment while human analysts focus on strategic decisions and mission context. These agents amplify the expertise that government security professionals bring, delivering pre-investigated, correlated findings rather than a flood of disconnected alerts.

The rapid acceleration of sophisticated attacks calls for this essential change across the SOC. The public sector and industry are undergoing a significant transformation, shifting away from eyes-on-glass alert triage toward a high-impact era of threat engineering. In doing so, public sector teams will have the ability to greatly reduce mean time to detect/respond, in turn reducing SOC analyst fatigue and compressing investigation timelines.

Mike Nichols is the GM of Security at Elastic.

The post Why the Axios attack proves AI is mandatory for supply chain security appeared first on CyberScoop.

A company wakes up to a news story claiming it has suffered a major data breach. The details are specific, technical and convincing. But the breach didn’t happen. No systems were compromised. No data was taken. A language model generated the entire story, filling in plausible details from scratch. And before the company can figure out what’s going on, a reporter at a reputable outlet picks up the story and requests comment. Within hours, the company is drafting statements and mobilizing its communications team to address a fictional event.

A second incident begins with something real. Years earlier, a company had suffered a genuine breach that received wide media coverage. The incident was investigated, resolved and closed. Then one of the outlets that originally reported on it redesigned its website. Old articles received new URLs and updated timestamps, and search engines re-indexed them as fresh content. AI-powered news aggregators picked up the signal and flagged it as a developing story. The company found itself fielding inquiries about an incident that had been resolved years before.

[Ed. note: The authors are withholding full specifics about the incidents because full disclosure could cause harm, yet CyberScoop confirmed with the authors that the incidents did in fact take place].

A third incident introduces yet another dimension. A cybersecurity publication ran a story about a business email compromise attack that cost a UK company close to a billion pounds. The article quoted a well-known security researcher, yet in reality, he had not spoken to the publication. AI generated the quotes, assigned them to him with full confidence, and the publication ran them as fact.

Together, these three cases expose a threat that most organizations have yet to prepare for. AI has developed the ability to fabricate convincing security incidents from nothing, complete with technical detail, named sources, and enough credibility to trigger full-scale crisis responses. Any organization that treats this as a distant or theoretical problem risks learning the hard way just how fast AI-generated fiction can become a real-world emergency.

The assumption that no longer holds

Cyber crisis response has always been built on a simple premise: something real happens, then you respond. That premise is breaking. AI systems now generate, amplify, and validate claims before security teams have confirmed anything. Once a narrative enters the ecosystem, it can be ingested into threat intelligence feeds, risk scoring platforms, and automated workflows. Fiction becomes signal.

For security teams, this creates a new class of false positive. Not a noisy alert from a misconfigured tool, but a fully formed external narrative that appears credible. A hallucinated breach can trigger internal investigations, executive escalation, and defensive actions. Time and resources get diverted toward disproving something that never happened.

Worse, it can influence real attacker behavior. Threat actors can weaponize fabricated breach narratives as pretext. Phishing emails referencing a “known incident” become more believable. Impersonation of IT or incident response teams becomes more effective. The narrative becomes part of the attack surface.

What this means for security teams

Security teams are used to monitoring for indicators of compromise. They now need to monitor for indicators of narrative. Open source intelligence pipelines are increasingly automated. If those pipelines ingest false information, downstream systems will act on it. That includes SIEM enrichment, third-party risk scoring, and even automated containment decisions in some environments.

The practical implication is that security teams need visibility into how their organization is being represented externally, not just what is happening internally. This is not traditional threat intelligence, but it behaves like it. Early detection changes outcomes.

There is also a need for tighter integration with communications. When a false narrative emerges, the technical reality and the external perception diverge. Both need to be managed in parallel.

What this means for communications teams

For communications teams, the timeline has collapsed. The first signal of a “breach” may not come from the SOC. It may come from a journalist, a customer, or an automated alert.

Silence is no longer neutral. If a narrative exists, AI systems will fill gaps with whatever information is available. That can reinforce inaccuracies with each iteration. Responses need to be designed for machine consumption as well as human audiences. Clear, declarative language. Verifiable facts. Structured statements that can be easily parsed and reused. The goal is to establish a competitive presence in the information supply chain.

Preparation becomes critical. Pre-approved language that can be deployed quickly. Established coordination with legal and security before something surfaces.

Shared implications

Both security and communications teams are now operating in the same environment, whether they recognize it or not. A hallucinated breach can trigger real operational disruption. Vendor relationships may be paused, connections to third-party systems may be severed, regulators may take interest, and markets may react. None of that requires an actual compromise. And this creates a feedback loop. External narratives drive internal actions. Internal actions, if visible, reinforce external narratives.

Breaking that loop requires speed, coordination, and clarity.

AI audits as a control mechanism

One of the most effective controls in this new environment is systematic AI auditing. Regularly testing how AI systems describe your organization, your security posture, and any alleged incidents. This provides visibility into what machines “believe” before that belief spreads. It allows organizations to identify and correct false narratives early, before they propagate into tooling, decision-making, and attacker behavior. It also highlights where accurate information needs to exist. Not just anywhere online, but in sources that AI systems prioritize.

The mindset shift

This marks a shift from incident response to narrative response. Security teams need to treat every alert as potentially fabricated. Communications teams need to prepare for narratives that form independently of what actually happened. Both must operate with the understanding that perception alone can trigger real consequences. In this environment, the ability to detect and respond to false narratives matters as much as the ability to detect and respond to actual breaches.

Mary Catherine Sullivan, who holds a Ph.D. in political science from Vanderbilt University, is a senior director of Data Science for Digital & Insights, within FTI’s Strategic Communications segment. She is a communications and data science leader specializing in message testing, audience research, digital communications analytics, and reputational risk assessment. As part of FTI Consulting’s Data Science team, she develops state-of-the-art artificial intelligence, natural language processing, machine learning, and statistical models to analyze media ecosystems, stakeholder discourse, and audience response—supporting informed, defensible decision-making for clients navigating complex reputational environments.

Brett Callow is a senior advisor in the Cybersecurity and Data Privacy Communications at FTI Consulting. With more than two decades of cybersecurity policy and legislation understanding and extensive cybersecurity communications experience, Brett’s expertise is widely recognized within the industry, by policy makers and the media. He has been involved in some of the most high-profile ransomware incidents and has participated in panels and policy-related discussions, including at the Office of the Director of National Intelligence and the Aspen Institute, and has served on the Advisory Board of the Royal United Services Institute’s Ransomware Harms project.

The post Ghost breaches: How AI-mediated narratives have become a new threat vector appeared first on CyberScoop.

Last year, Nvidia CEO Jensen Huang repeatedly denied that China was obtaining America’s most advanced chips. ‘There’s no evidence of any AI chip diversion,’ he said, dismissing such reports on another occasion as ‘tall tales.’

Federal prosecutors would beg to differ. They’ve charged six men over the past three weeks with smuggling billions of dollars’ worth of AI chips to China. The indictments, while a tactical victory, are a warning of how pervasive the problem has become, thanks both to loopholes in federal law and a failure to support existing laws with serious enforcement.

Both Washington and Beijing have tried to reshape AI chip supply chains to bolster their respective national security agendas ahead of an expected trade-focused summit in May. While the United States has imposed export controls on advanced chips to cut off China’s military modernization efforts, China has pushed its firms to adopt domestically produced components to secure its self-reliance.

But neither side can fully avoid the Willie Sutton rule. Why smuggle chips? Because that’s where the profit is — particularly without enough resources dedicated to enforcement. 

A closed Chinese market grasping for more powerful alternatives to their own products offers a prime incentive for American firms to provide components to Beijing. Smuggling has also transformed an emerging network of data center infrastructure across Southeast Asia into a source of illicit computing power for U.S. adversaries.

The recent cases highlight these features in detail. In March, prosecutors charged three people connected to Super Micro Computer, an American computing firm, with smuggling an estimated $2.5 billion in chips to Chinese customers by shipping servers to the company’s offices in Taiwan and elsewhere in the region. In the meantime, the trio designed warehouses full of fake products to fool U.S. authorities. A week later, prosecutors unveiled charges against another three individuals accused of conspiring to ship advanced chips to China via business contacts in Thailand.

This string of prosecutions suggests that despite some high-profile successes, smuggling remains a pervasive issue across the industry. While this is partially a problem of professed ignorance, it can also be solved with a combination of policy, personnel, and policing. 

The United States must strengthen controls over emerging technologies at the factory floor rather than the airport gate. While Washington has strong export control laws, these regulations are intended to prevent components from leaving the country. They do not, however, block Chinese firms from purchasing these technologies inside the country.

This divergence in intentions produces difficulties for prosecution, as smugglers are often solely indicted for evading customs enforcement rather than charged with illicitly obtaining the components while still on American soil. However, Congress can close this loophole via stronger due diligence laws that require greater scrutiny of potential customers ahead of the customs enforcement process.

Washington is also in an arms race with AI firms to properly fund enforcement mechanisms, a race it is currently losing. While one smuggling case alone involved $2.5 billion, federal spending on policing export controls amounted to $122 million in all of 2025.

Moreover, this surge of investment in computer hardware is increasingly global in scope, magnifying the current shortage of federal agents responsible for enforcing export controls at the exact moment both allies and adversaries are seeking to purchase ever larger batches of advanced chips.

Even with stronger policies and more personnel, prosecuting AI chip smuggling must also remain a policing priority for federal law enforcement. While these cases are often complex due to a range of technical and jurisdiction challenges, as well as an array of shifting export control regimes, the FBI and the Commerce Department should remain committed to tracking and disrupting these smuggling networks.

It will be key for the administration to separate enforcement actions from its ongoing diplomatic exchanges with Beijing — dropping domestic prosecutions should not be used as a bargaining chip to deliver trade concessions during the President Donald Trump’s upcoming travels to Beijing.

We need stronger enforcement so that the next billion-dollar smuggling case marks real progress, rather than exposing just how much slipped through.

Jack Burnham is a senior research analyst at the Foundation for Defense of Democracies’ China Program, focusing on China’s military, emerging technologies, and science and technology policy. Follow Jack on X @JackBurnham802.

The post We’re only seeing the tip of the chip-smuggling iceberg appeared first on CyberScoop.

On March 23, the Senate confirmed Senator Markwayne Mullin as the next homeland security secretary, marking an important step in strengthening leadership during a critical moment for our nation’s security.

But only half of the job is done.

The Cybersecurity and Infrastructure Security Agency (CISA), the federal government’s main civilian cyber defense agency, still lacks a Senate-confirmed director. As global cyber threats escalate,  this prolonged leadership gap poses a growing national security risk.

As Executive Director of the National Technology Security Coalition (NTSC), I represent Chief Information Security Officers who are responsible for protecting the systems that sustain America’s economy and critical infrastructure. In every sector, energy, healthcare, financial services, manufacturing, and transportation, there is a common concern: the threat landscape is growing more aggressive, and our defenses must stay ahead.

Our enemies are not waiting.

Since the start of the conflict with Iran, cybersecurity experts have reported increased malicious cyber activity targeting U.S. and allied systems. Iran-linked actors have shown their ability to disrupt operations and exploit vulnerabilities. Meanwhile, China continues its long-term effort to infiltrate American networks and position itself for possible disruption of critical infrastructure. Russia and its affiliated groups remain persistent, probing Western systems for weaknesses and exerting constant pressure.

This is the reality of modern conflict. Cyber operations have emerged as a primary domain of competition. In some cases, they can rival the effects of traditional military action, disrupting economies, communications, and public safety through code alone. 

Leadership is important in this environment.

CISA plays a key role in coordinating federal cyber defense, sharing threat intelligence with the private sector, and supporting state and local governments. It serves as the link between government and industry in protecting the nation’s digital infrastructure. Without a Senate-confirmed director, the agency’s ability to set priorities, coordinate efforts, and respond quickly is limited.

That challenge is growing more urgent. The President’s fiscal year 2027 budget plan proposes significant cuts to CISA’s funding. At a time when the agency faces increasing operational pressure, fewer resources make strong, steady leadership even more crucial.

This is the moment when Secretary Mullin’s leadership is critical.

As a former member of the Senate, Secretary Mullin understands the institution, its dynamics, and how to build consensus. He is uniquely positioned to connect with past colleagues and help advance Sean Plankey’s nomination as Director of CISA.

Plankey is highly qualified and widely respected in the cybersecurity community. His experience in the U.S. Coast Guard, at the Department of Energy securing the nation’s energy infrastructure, and in the private sector provides him with a clear understanding of both the threat landscape and the importance of public-private collaboration. At a time when coordination between government and industry is vital, these qualities are essential.

The Senate has already signaled that it takes cyberthreats seriously. It recently confirmed Lt. Gen. Joshua Rudd to lead U.S. Cyber Command and serve as director of the National Security Agency, ensuring strong leadership of America’s military cyber defense team.

Now it needs to do the same on the civilian side.

Confirming Plankey matters because the country’s main civilian cyber defense agency needs established leadership to combat adversaries who are already inside our networks, probing our systems, and preparing for the next phase of conflict.

The leadership gap at CISA has gone on long enough.

Secretary Mullin must engage. The Senate needs to act. And Sean Plankey should be confirmed without further delay.

America’s cyber defenses depend on it.

Chris Sullivan is the executive director of the National Technology Security Coalition, a nonprofit, non-partisan organization that serves as an advocacy voice for chief information security officers across the nation.

The post Secretary Mullin must help finish the job: Urge the Senate to confirm Plankey appeared first on CyberScoop.

Our nation has entered a new fraud arms race fueled by AI.

With billions of dollars in fraud losses mounting in both the private and public sectors, it’s clear the old ways of deterring fraud aren’t working. That’s why we need a new playbook that starts with understanding how fraudsters operate, evolving our defenses, and shifting to a proactive posture that doesn’t just fight fraud but actively hunts it down. 

In the AI era, treating fraud as just a front-door problem won’t work. This moment requires industry, government, and consumers to work together, reduce silos, and share real-time intelligence. The goal is to move beyond reactive detection by understanding the lifecycle of a threat—from its formation to its spread—so we can intervene before it establishes a foothold.

For decades, fraud has been treated like a series of isolated incidents. This false assumption has underpinned nearly every past effort to crack down on it. Those efforts, while well-intentioned, have missed the mark. 

Now, in light of the Trump Administration’s Cyber Strategy for America and accompanying executive order, it’s critical to understand the modern fraud landscape and the central role that digital identity exploitation plays within it.

New research from Socure reveals just how dramatically the landscape is evolving. 

Fraud has become industrialized, with organized crime syndicates running operations that are global, systemic, automated, and powered by AI. No organization, service, or program is safe. Fraudsters target government programs, banks, fintech platforms, telecom companies, and more, blurring the lines between public sector fraud, financial crime, and cybercrime.

It used to be that fraud could be detected through the reuse of identity elements across multiple applications: the same email, device, phone number, or IP address used over and over. 

But the data is clear: these links are declining fast. Today’s sophisticated fraudsters are now engineering their attacks to avoid traditional fraud detection patterns. Our research demonstrates that emails will be completely unique within fraud populations as soon as 2027, so we won’t be able to rely on email to identify patterns.

Speed is another defining feature of modern identity fraud. Fraudsters use AI to create clean, durable, synthetic and stolen identities at scale. In one observed campaign, 24,148 synthetic identities were built and launched in under a month, with many attacks occurring within 48 hours. What once took weeks or even months can now be completed in days. 

The rapid rise of identity farms is another indicator of the industrialization of fraud. Identity farms are operated by crime rings to systematically create synthetic or stolen identities over time in order to closely resemble legitimate identities. Matured identities are used to open bank, credit, and money-movement accounts, siphon government benefits, launder funds, and more. These identity farms focus on durable identities that can bypass traditional verification controls.

So what should we do? Simply put, we must go on offense. 

This means treating identity as critical infrastructure and implementing strategies that track how identities were created before the moment of application; expanding signals monitoring to include elements like residential proxies, ISP behavior, and domain registration activity; evaluating velocity and orchestration in real-time; and treating continuous measurement, rapid model iteration, and cross-industry intelligence as core capabilities.

Additionally, given the rapid scaling of fraud, we need more analysis of the complete ecosystem, including dynamic factors like device information, digital footprints, and behavioral biometrics so organizations can effectively distinguish genuine humans from machines. Ultimately, this layered and interconnected approach makes it significantly harder for malicious actors to recreate or steal identities at scale.

Fraud is no longer a series of isolated acts. It is a coordinated, global enterprise built on the exploitation of identity. Until our efforts reflect this new reality, we will continue to fight an imminent and ongoing threat with outdated tools and fall further behind. 

Now is the time to make this strategic shift and finally put fraudsters on their heels. 

Mike Cook serves as head of fraud insights at Socure, the identity and risk platform for the AI age.

The post Don’t just fight fraud, hunt it appeared first on CyberScoop.

The recently released executive order targeting cybercrime, fraud, and predatory schemes uses language the federal government has often avoided. Now, for the first time, the Trump administration is echoing what the cybersecurity industry has been shouting for years: cyber-enabled fraud is a product of transnational organized crime.

That distinction matters because organized crime requires an organized response.

Cybercrime is now the world’s fastest-growing criminal economy, built on stealing from everyday people. It is no longer a loose collection of hoodie-wearing hackers in basements or misfits trading malware in online forums. It is a mature global industry operating at scale. In the entirety of human history, there has not been a transfer of wealth of this magnitude since the era of pillaging empires. We have just gotten so used to it that it feels like background noise.

Modern cybercrime groups look less like street gangs and more like corporations. They run structured operations, complete with HR departments, training pipelines, performance metrics, and technology stacks that rival most enterprise companies. Their attackers don’t rely on sophisticated exploits — they think like expert investigators, systematically probing for weaknesses, exploiting psychological pressure, manipulating insiders, and using deception to move through gaps that defenders left open. They operate around the clock, in every time zone, and increasingly use AI to automate attacks at a scale that once required highly skilled operators.

Worse yet is that many of these operations rely on forced labor. Scam compounds in Southeast Asia run like factory floors, with rows of trafficked workers carrying out romance scams, cryptocurrency fraud, and impersonation schemes under threat of violence.

Their goal is to make fraud faster and more profitable. The result is a global criminal ecosystem that extends far beyond online scams. It fuels human trafficking, weapons smuggling, political corruption, compromised organ systems, and even nuclear programs.

If the federal government is ready to recognize what the industry has known — that cybercrime truly operates like an organized global industry — then responding to it solely through traditional law enforcement is not enough. The question goes beyond how governments apply sanctions, coordinate investigations, or pressure jurisdictions that harbor these operations. The greater question is whether the private sector is willing to help dismantle the infrastructure that allows this industry to thrive.

One word changes everything

I want to be specific about why this executive order is different, because the language is not accidental.

The order doesn’t just call these groups “hackers” or “organized crime.” It calls them transnational criminal organizations (TCOs). That word carries legal and operational weight that most coverage has glossed over. Transnational is the jurisdictional framing that authorizes an entirely different class of response. It is the same threshold that moves a case from local law enforcement to federal jurisdiction and beyond.

Pair that with what follows – “law enforcement, diplomacy, and potential offensive actions” – and you are reading something that goes well beyond a policy memo. Notice the sequence: diplomacy before offensive action is proportionality doctrine. But the administration did not rule out offensive action. The document also calls for deploying the “full suite of U.S. government defensive and offensive cyber operations” and uses the word “shape” as its first pillar of action. In military doctrine, shaping an adversary’s behavior does not mean gentle persuasion. It means force is part of the calculus.

This is not the language of a consumer protection policy. Whoever wrote this has studied the opposition.

An organized threat demands an organized response

The executive order draws a line in the sand: cybercrime has outgrown its origins as a consumer protection issue. It’s now a fundamental threat to economic stability and national security. But tackling an industry operating at this scale requires more than government action alone. The order’s answer is to mobilize the private sector – giving companies the green light to identify and disrupt adversary networks.

That framing matters.

The private sector sees the machinery of cybercrime every day. Security vendors, major platforms, and infrastructure providers spot the command-and-control servers, malicious domains, and payment pipelines that keep these operations moving. Too often, that intelligence is used only to defend commercial interests, when in reality, it should also be used to disrupt the networks behind the attacks. When criminal groups lose core infrastructure, they have to rebuild. That costs time. That costs money. That creates pressure.

At the same time, the order puts a question squarely before the private sector: How far is it willing to go, and under what terms? I spent my career believing “minimal force” matters. Precise, proportionate action prevents escalation and avoids creating cascading problems. As we move beyond a defense-only approach, those principles matter more than ever.

There is another question that sits underneath all of this: How far does “potential offensive actions” actually go? Does it stop at cyberspace? Financial sanctions? Asked bluntly, “Will leaders and shareholders know whether providing threat intelligence ends with a measured network take-down or an all-out drone strike on the fraudulent call center?”

Organizations need to fix the security weaknesses criminals are exploiting for profit. Most attacks in 2026 do not succeed because criminals are brilliant. They succeed because the basics are missing. No multifactor authentication. Weak Identity controls. Unpatched vulnerabilities sit open for months. Criminals don’t care about your industry or company size. They go where it’s easiest.

When organizations ignore basic security controls, they are doing more than accepting risk. They’re subsidizing the criminal infrastructure that exploits those gaps.

Governments must keep pressure on nations that harbor these operations. Large-scale cybercrime thrives where enforcement is weak or non-existent. The order specifically calls out “nations that tolerate predatory activity”—a signal that safe havens won’t be ignored. Stronger coordination across governments, law enforcement, and private industry can make it much harder for criminals to operate at scale.

The order also targets “foreign TCOs and associated networks,” with “associated networks” being a deliberately broad phrase. Defining who qualifies will be critical. Draw the lines too narrowly and the policy won’t work. Too broadly and you risk dangerous escalation.

Simply put, cybercriminal groups are disciplined because discipline pays. Disrupting them will require the same. It will demand pressure on countries that act as safe havens. It will take dismantling the infrastructure behind these schemes. It will require better basic security across every organization that criminals target.

The executive order is right – Cybercrime is organized. It is industrial. It is ruthless. For the first time in a long time, the response looks like it might be, too. Whether the government, private sector, and public can align around what this actually demands, and what it risks, are still unanswered questions.

After years of watching policy documents gather dust while victim numbers grow, I will take action over perfection every time.

Kyle Hanslovan is a former NSA cyberwarfare operator and CEO of Huntress Labs.

The post Washington is right: Cybercrime is organized crime. Now we need to shut down the business model appeared first on CyberScoop.

Washington has rediscovered consequences. Just not consistently.

The March 6 executive order rests on a simple, correct idea: cyber-enabled fraud persists because it is profitable, scalable, and too often tolerated. So the government’s answer is to raise the cost. More coordination. More disruption. More prosecutions. More diplomatic pressure on the states that shelter these operations.

Good.

But weeks ago, an OMB Memo rescinded earlier federal software supply chain memos issued during the Biden administration. In practice, that pulled back from the prior attestation-centered model and made tools like the Secure Software Development Attestation Form and SBOM requests optional rather than durable expectations.

Put plainly, we are getting tougher on the people exploiting digital systems while getting softer on the conditions that make those systems so easy to exploit.

The executive order gets something important right. Cyber-enabled fraud is not a collection of random online annoyances. It is an industrialized form of predation: ransomware, phishing, impersonation, sextortion, and financial fraud that’s run as repeatable business models, often transnational and sometimes protected by permissive states. The order responds with a more centralized federal posture built around disruption, coordination, intelligence sharing, prosecution, resilience, and international pressure.

That is directionally correct. Criminal ecosystems do not retreat because we publish better guidance. They retreat when the cost of doing business rises.

But then we arrive at software.

The critique of the old federal assurance regime is not entirely wrong. Compliance can become theater. Bureaucracies are very good at turning legitimate security goals into rituals of form collection and checkbox management. Some skepticism was warranted. OMB says as much explicitly, arguing the prior model became burdensome and prioritized compliance over genuine security investment.

Still, the failure of bad compliance is not proof that accountability itself was the problem.

That is where the logic breaks. The administration is clearly willing to believe that criminal actors respond to deterrence. It is willing to use prosecutions, sanctions, visa restrictions, and coordinated pressure downstream. But upstream, where insecure technology shapes the terrain those criminals exploit, the theory suddenly changes. There, we are told to trust discretion. Local judgment. Flexible, risk-based decisions.

Sometimes that is wisdom. Often it is just a more elegant way of saying no one wants a hard requirement.

This is also why my own position has not changed. In a post I wrote in 2024, I argued that the industry did not need softer expectations or another round of polite encouragement. It needed more concrete action and consequences strong enough to change incentives. The problem was never that we were demanding too much accountability. The problem was that insecure software remained too cheap to ship.

That is the deeper issue. Cybercrime at scale does not thrive only because criminals exist. It thrives because the environment rewards them. Weak identity systems, brittle software, sprawling dependency chains, poor visibility, and diffuse accountability all make predation cheaper. The people who ship avoidable risk rarely absorb the full cost of it. Everyone else does.

So these two policy moves, taken together, reveal something uncomfortable. The government seems to believe in consequences for cybercriminals, but not quite in consequences for insecure production. It wants deterrence for the scammer, but discretion for the supplier.

A coherent cyber strategy would do both. It would aggressively disrupt criminal networks and also create meaningful pressure for secure-by-design production and procurement. It would recognize that punishing attackers matters, but so does changing the terrain that keeps making attack profitable.

The administration is right about one thing: cybercrime will not shrink until the costs of predation rise.

The unanswered question is why that logic should stop at the edge of the scam center.

Brian Fox is the co-founder and CTO of Sonatype.

The post If consequences matter, they should apply to vendors, too appeared first on CyberScoop.

According to a recent report, the State Department sent a cable urging U.S. diplomats to oppose international data sovereignty regulations like GDPR, characterizing these guardrails as “unnecessarily burdensome.” 

In the cable, the State Department claims that data sovereignty regulations “disrupt global data flows, increase costs and cybersecurity risks, limit Artificial Intelligence (AI) and cloud services, and expand government control in ways that can undermine civil liberties and enable censorship.”

Underpinning this argument is both a legitimate concern and a critical misconception.

The truth is that actual data sovereignty is technical, not territorial. 

Data localization is a blunt instrument trying to solve a sophisticated problem. Mandating that data stay within geographic boundaries doesn’t actually ensure that data owners retain control over how their information is accessed, used, or shared. People move; endpoints move; data must move.

European regulators have already defined what digital sovereignty actually requires. Specifically, in the aftermath of Schrems II, the European Data Protection Board made clear that sovereignty is preserved when data is strongly encrypted and the encryption keys remain solely under the control of the data owner in Europe. That clarity is often lost in broader geopolitical debates. 

True data sovereignty requires governments, enterprises, and citizens to retain cryptographic authority over who can access their information, regardless of where it is processed. Forcing data to sit inside national borders accomplishes little if foreign vendors still hold the keys. Sovereignty is fundamentally a technical challenge: it depends on controlling access through encryption and authentication, not simply controlling physical location.

There is a widespread belief that data sovereignty is disruptive to innovation, commerce, and national security. This is a misconception.

The memo presents a false choice: That we must either accept unfettered cross-border data flows with minimal protections in place for the data owner, or implement burdensome localization requirements that stifle innovation and collaboration.

This is simply not true, and the rise of data-centric security proves it: From the U.S., to Five Eyes nations, to the Indo-Pacific, security leaders are embracing this model. Rather than focusing efforts solely on building a strong perimeter boundary, controls and policies must instead follow the data itself, wherever it moves — providing more resilient and contextual security for the data itself. This is the central pillar of the DoW’s own Zero Trust strategy, and the model for agencies across the U.S. federal government and beyond. 

Even the Department of State’s own ITAR (the U.S. International Traffic in Arms Regulations) treat sensitive munitions data with location-specific requirements. There are good reasons for some types of sensitive information to be shielded from external eyes.

Context matters. We should not dismantle well-established data sovereignty standards without clear technical alternatives in place. Instead, we need to evaluate how to more effectively protect and govern sensitive data, without impeding the free flow of information. 

Data-centric security fortifies data sovereignty and liberates secure data flows. 

By shifting the focus from walls — border-specific protections, localization, and perimeters — to the data itself, you can fundamentally transform global data flows. When data is actually governed, tagged, and understood, it can move safely, through trusted channels, to achieve mission success.

In a data-centric security environment, a government agency can leverage cloud services from any provider while maintaining sovereign control over sensitive information by managing and hosting their own encryption keys, additionally providing resilience from third-party breaches with cloud service providers or other partners. 

This isn’t theoretical. Modern data-centric security architectures are in production today, with open standards like the Trusted Data Format enabling platform-agnostic, global data sharing among partners. It’s the antithesis of a data silo, allowing data to travel under very specific conditions and with governance attached to each data object itself. The U.K.’s Operation Highmast is a prime example of the success that comes from dynamic, intelligent data sharing among trusted partners. 

In an era defined by AI acceleration and geopolitical competition, sovereignty and interoperability must be engineered to reinforce one another — not framed as tradeoffs.

Angel Smith is the president of global public sector for Virtru.

The post No, it’s not ‘unnecessarily burdensome’ to control your own data appeared first on CyberScoop.

Flights canceled. Emergency rooms shut down. Centuries-old companies shuttered.

Ransomware and other similar cyberattacks have become so routine that even those serious human and economic consequences are often overlooked or easily forgotten.

This lack of focus is dangerous.

As former leaders of FBI and CISA cyber units, we’ve seen cybercrime ripple through communities – disrupting critical services, destroying jobs, and sometimes costing lives. Today’s ransomware numbers tell a stark story. The Department of Homeland Security reported more than 5,600 publicly-disclosed ransomware attacks worldwide in 2024, nearly half of them in the United States. The FBI found that ransomware incidents increased nearly nine percent year over year, with almost half targeting critical infrastructure. Attacks on these organizations pose the greatest threat to national security and public safety.

Despite this trend, we’re cautiously optimistic about the administration’s new National Cyber Strategy. It focuses on protecting critical infrastructure and stopping ransomware and cybercrime—threats it correctly elevates to top-tier national security threats.

But success requires sustained action across government and industry. Adversaries are evolving faster than defenses: ransomware attacks now average $2.73 million per incident, driving annual losses into the billions. Attackers have compressed their operations from weeks to hours, disabling Endpoint Detection and Response (EDR) tools and leaving defenders almost no time to stop an attack.

Basic cyber hygiene still matters. But it’s no longer sufficient. Attackers steal valid credentials, exploit known vulnerabilities, disable tools, and move laterally at machine speed, now accelerated by AI. They need a stunningly low level of technical expertise to do so, and AI tools are increasing the speed and scale of their actions.

Our defenses must keep pace with evolving threats. Protecting national security requires immediate action. Automating cyber threat information sharing offers clear benefits, but government agencies need significant structural and technological upgrades before they can effectively share data. This requires sustained investment and oversight.

The government does not have to do this alone. Industry and academia possess tools that could mean the difference between progress and revisiting this same conversation four, eight, or twelve years from now. Forums like CISA’s Joint Cyber Defense Collaborative (JCDC), the National Cyber Investigative Joint Task Force (NCIJTF), and NSA’s Cyber Collaboration Center (CCC) have demonstrated that information fusion and joint operational planning can work. But overlapping missions and unclear playbooks leave companies guessing what to share, when to share it, and with whom. These forums and underlying collaboration mechanisms must be resourced, deconflicted, and made predictable.

Despite the noble efforts of government agencies to share behind-the-scenes and interact with industry with one voice, the current structure remains fragile and dependent on personal relationships. We simply cannot afford this fragility or inefficiency, particularly in an era of constrained government cyber resources and escalating threats.

Effective protection of critical infrastructure requires focused collaboration. The administration’s strategy rightly emphasizes this, but narrowing this focus will not be easy. For years, the government has tried to cover sixteen sectors and hundreds of thousands of entities equally—an impossible task. Equal attention for all is unrealistic. Looking back, we wish we had prioritized more strategically during our time in government.

Prioritization is politically difficult, but operationally necessary. When everything is critical, nothing truly is. For the most important critical infrastructure, we must focus on resilience—ensuring systems can withstand attacks and recover quickly—rather than assuming we can prevent every breach.

The government can take concrete steps now to disrupt the ransomware ecosystem. Ransomware has cost American lives; designating certain ransomware actors and their enablers as Foreign Terrorist Organizations could unlock more powerful sanctions, diplomatic action, and intelligence operations. Sensible regulation holding cryptocurrency exchanges accountable for knowingly laundering ransomware proceeds could weaken criminal business models while strengthening legitimate digital asset markets in the U.S. and allied nations.

The technology and cybersecurity industry has responsibilities, as well. Industry must share actionable intelligence where legally permitted, pressure-test government programs with candid feedback, and support reauthorization of the Cybersecurity Information Sharing Act of 2015.

We all must do our part. Every day that passes without us confronting these critical questions is a gift to our adversaries. This will only be exacerbated by advancements in AI. We are hopeful that the release of this administration’s National Cyber Strategy will spark much-needed debate and decisions about the role of the government and industry in advancing our nation’s cybersecurity and resilience.

Cynthia Kaiser is senior vice president of Halcyon’s Ransomware Research Center. She was formerly Deputy Director of the FBI’s cyber division.

Matt Hartman serves as chief strategy officer at Merlin Group, where he is focused on identifying, accelerating, and scaling the delivery of transformative cyber technologies to the public sector and critical industries. Prior to this role, Matt spent the last five years serving as the senior career cybersecurity official at the Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security.

The post We’ve seen ransomware cost American lives. Here’s what it will actually take to stop it. appeared first on CyberScoop.