
FCC passes new cybersecurity rules for emergency systems, undersea cables

By: djohnson
25 June 2026 at 15:55

The Federal Communications Commission approved new rules Thursday that boost cybersecurity regulations for the nation’s emergency alert systems and update security rules for the nation’s undersea cables.

The new rule would overhaul two national emergency systems, the Emergency Alert System and Wireless Emergency Alerts, to better protect against hijacking attacks from malicious actors.

The EAS is a national public warning system that state and local authorities use to disseminate information related to weather events, AMBER alerts and other emergencies via radio and television broadcasting stations. The WEA handles much of the same messaging via text.

A compromise of either system by a foreign government, cybercriminal group or other rogue actor could be used to sow chaos and disinformation in calmer times, or impede coordination efforts in the face of a genuine emergency. Any vulnerability in systems like the Emergency Alert System “can have serious consequences,” said FCC Commissioner Olivia Trusty in a statement after the vote.

“That is why it has been appropriate for the Commission to conduct a comprehensive review of the EAS framework by focusing on the security of the system itself,” Trusty continued. “As cybersecurity threats continue to evolve, EAS participants must take appropriate steps to safeguard the infrastructure that supports the delivery of life-saving alerts.”

The new rules amount to basic – but still critical – cyber hygiene practices for users accessing and updating the EAS and WEA systems. They must use strong passwords, quickly install security patches from vendors and use firewalls to limit access to their equipment.

The rule also creates a new authentication ID system to verify alerts before they’re submitted and avoid duplicate or unauthorized alerts from spreading.

Another rule passed by the Commission Thursday provides the first comprehensive update to the FCC’s submarine cable regulations in decades, and moves to tighten cybersecurity requirements in some areas while loosening them in others.

It exempts some undersea cable providers from submitting to stringent national security licensing reviews needed to land and operate cables that touch U.S. territory.

The review, called “Team Telecom,” is conducted by an interagency body led by the Department of Justice’s Foreign Investment Review Section and other federal agencies that advise the FCC on the national security implications of its telecom policies.

The new rules would presumptively exempt applications for undersea cable licensees when the provider can self-certify to “high security standards” that are “structured to increase certainty, predictability, and faster timelines for the licensing process.”

“Currently, all submarine cable applications get referred to Team Telecom…the changes adopted would exempt applications from applicants that have operated cables without incident, can certify to the highest national security standards, and agree to ongoing oversight and monitoring,” the FCC said in a release.

Other parts of the rule give the FCC greater oversight of critical functions within undersea cable operations. Owners and operators of submarine line terminal equipment, which connects submarine cables to land-based facilities in the U.S., will be subject to a new licensing requirement.

The rule also moves to update safeguards meant to address vulnerabilities related to principal equipment, third-party service providers, and other areas of concern in the undersea cable supply chain.

The post FCC passes new cybersecurity rules for emergency systems, undersea cables appeared first on CyberScoop.

Federal court rules Trump election-focused executive order illegal

By: djohnson
25 June 2026 at 12:16

A federal judge in Massachusetts struck down major sections of a Trump administration executive order that would have restricted mail-in ballots through the U.S. Postal Service and required states to adopt federally approved voter lists.

The ruling Thursday from Judge Indira Talwani of the U.S. District Court of Massachusetts found those parts of the order were unconstitutional, while declaring another section that directs federal law enforcement agencies to investigate and prosecute noncompliant state and local officials legally nonbinding.

Talwani wrote that the U.S. Constitution empowers States and Congress in different roles but “does not grant the President any specific power over elections.”

While the White House has cited the 2002 Help America Vote Act (HAVA) and Civil Rights-era voting laws as justification, Talwani found those laws do not authorize the government to regulate state voter registration practices.

“Notably, nowhere in HAVA does Congress prescribe who should be included on State voter lists,” Talwani wrote. “Further, neither in HAVA nor any other federal statute does Congress authorize the federal government to create their own voting database. Instead, Congress, consistent with the Constitution, has left that authority to the States alone.”

Talwani also declined to remove President Trump and Commerce Secretary Howard Lutnick as named defendants in the suit, rejecting the administration’s argument that the court could not regulate or intrude upon the president’s constitutional authority “in the performance of his official duties.”

“Contrary to Defendants’ assertion, Presidential action is not inherently unreviewable,” Talwani wrote.

The order, issued in March, instructs the Homeland Security secretary, the director of U.S. Citizenship and Immigration Services and the commissioner of the Social Security Administration to compile lists of American voters for each state, including their supposed citizenship status.

To build the lists, the agencies would rely on the controversial Systematic Alien Verification for Entitlements (SAVE) database that DHS has been building under the Trump administration, as well as Social Security and federal citizenship and naturalization records.

Those lists would then be sent to states, most of which have already refused similar Trump administration efforts to control voter registration. The order instructs the Department of Justice to investigate and prosecute state and local election officials who issue ballots to ineligible voters.

The order also requires mail-in ballots to be sent in special barcoded envelopes for tracking. Crucially, it demands states provide lists of voters eligible for mail-in voting, and threatens to deny ballots to states that refuse. It also claims the attorney general is entitled to withhold federal funding from noncompliant states.

Talwani found that states have shown they already have a rigorous voter registration and verification process to ensure non-citizens and other ineligible voters aren’t able to vote in U.S. elections, and have laws in place to investigate and prosecute those who do.

Executive branch lawyers argued the order was merely an internal federal directive that does not impede state authorities. But Talwani noted that states like Connecticut were already pulling staff from critical activities, such as translating election materials required under the Voting Rights Act, to develop compliance plans for the order.

Nearly half of the states in the lawsuit have already purchased mail-in ballots for this election cycle that are out of compliance with the Postal Service’s envelope and design standards.

Despite a string of losses in the courts and Congress, the White House has continued to assert broad authority over the way states and localities administer elections.

The Department of Justice has sued dozens of states to force them to hand over sensitive voter data. In the 10 cases decided so far, states have won every one.

In their opinions, judges cited the executive branch’s lack of inherent authority to create state voter lists. Others accused the DOJ of misusing Civil Rights-era laws designed to protect Black and minority voters, creating an “unreliable” database that would disenfranchise legitimate voters.

The Massachusetts ruling comes to the same conclusion, with Talwani writing “it is clear that the federal agencies charged with compiling Confirmed Citizen Lists lack the ability to create complete and accurate lists of the U.S. citizens residing in every State.”

On Wednesday, Trump canceled a signing ceremony for a bipartisan housing bill in an attempt to pressure congressional Republicans to pass the SAVE America Act, which would implement many of the same changes to U.S. elections. In a Truth Social post, Trump said he considered passage of the bill to be a “National Emergency.”

The post Federal court rules Trump election-focused executive order illegal appeared first on CyberScoop.


Open-source security is posing challenges governments can’t easily solve

24 June 2026 at 05:00

An epidemic of cyberattacks on open-source software has mounted in recent months, making clear how uniquely difficult it is to protect the publicly available code, from both a policy and a technical perspective, that serves as the foundation for so much of the digital world.

While open-source software security got a boost in attention under President Joe Biden — whose administration grappled with the fallout from the potentially catastrophic Log4j flaw that emerged in 2021 — a number of open-source experts say that government protection efforts have suffered setbacks under President Donald Trump. Many also say companies that heavily rely on open-source software, which is basically all of them, haven’t shouldered enough of the responsibility for safeguarding it.

“What we’re seeing is years of lack of investment sustainment in open-source software that is finally starting to catch up to us, where it seems like every week there’s a new supply chain compromise,” said Jack Cable, who held a role at the Cybersecurity and Infrastructure Security Agency where he worked on open-source security before departing under Trump.

The advancement of frontier artificial intelligence models stands to exacerbate the risk further, while simultaneously illustrating what makes defending open source difficult: Project Glasswing said shortly after its announcement that it had uncovered 6,202 high- or critical-severity vulnerabilities in a scan of more than 1,000 open-source projects, but that it had disclosed only 502 of them to open-source project maintainers and only 75 had been patched as of May 22 (albeit some due to typical patching lag times).

At the same time, there are questions about how much the government can help, even as overseas governments seek to focus on open-source security.

The evolution of open-source risk 

There are a series of factors contributing to the current threat to open-source software, experts say.

One is simply that attackers go to the area where they can get the highest return on their work. Compromising open-source software gives them the chance to get into the supply chain and exploit additional targets.

“Twenty years ago, open source was still fairly niche,” said Æva Black, who also worked on open-source security at CISA but left when Trump came back into power. “The potential blast radius if you managed to compromise open source was relatively small, because back then the world didn’t run on open source. Now almost everything runs on open source,” she said, from modern cars to satellites.

Another part is the nature of open-source software itself.

“It’s a symptom [of having] lots of open source [that] is a little bit under-maintained or not cared for enough, so that we spend too little effort and money and infrastructure on them,” said Daniel Stenberg, who is the creator and maintainer of cURL, a popular open-source project. “Lots of open source is being maintained by small teams, lots of volunteers, and I think that that’s a tough situation.”

That doesn’t mean the maintainers are to blame, Stenberg said. The companies that rely on open-source need to be diligent about using it, Black said.

“What we’re seeing in that realm right now is not new; it is more advanced and far more widespread,” she said. “The problem remains that companies who use open source — because open source is by far the most efficient way to collaborate on non-product value features — most companies are not implementing a responsible and safe utilization pathway.”

Open-source projects lack a systematic way to handle coordinated vulnerability disclosures, unlike companies or industry groups with formal processes, said Dan Lorenc, CEO and co-founder of Chainguard. Project maintainers sometimes aren’t reachable, and those who are available are flooded with reports, many of them unverified findings from AI tools that waste their time without adding value.

Of course, some of those vulnerability reports turn out to be legitimate. “Mythos and AI models have contributed to an uptick in the number of vulnerabilities and things that we’re able to find” in open-source software, said Alex Zenla, chief technology officer for the cybersecurity company Edera.

All of that leaves more room for companies, non-profits and world governments to improve open-source security.

A moment of momentum

While open-source software security isn’t a new issue, the 2021 discovery of the Log4j flaw sounded alarms within the cybersecurity community. Jen Easterly, then the director of CISA, called it “one of the most serious I’ve seen in my entire career, if not the most serious,” with the potential to affect hundreds of millions of devices given the ubiquitous nature of the popular open-source logging library.

A year later, the Cyber Safety Review Board released its report on the incident, concluding that swift action from industry and government averted a disaster. But the incident “called attention to security risks unique to the thinly-resourced, volunteer-based open source community,” it wrote. “This community is not adequately resourced to ensure that code is developed pursuant to industry-recognized secure coding practices and audited by experts.”

U.S. government actions that followed included some steps focused specifically on open-source software, such as the creation of the Open-Source Software Security Initiative and the hiring of well-regarded open-source security experts at CISA such as Black, but also some steps that could be applied more generally and still help with open-source security, such as greater promotion of secure-by-design, memory-safe languages and software bills of materials (SBOMs).

Some of the Biden administration work on open-source security started before Log4j, such as provisions from an executive order he issued in 2021 that directed CISA along with the Office of Management and Budget and General Services Administration to issue guidance to agencies. 

The administration’s 2023 cybersecurity strategy also stepped into the long, thorny discussions over software liability, with a mention of open-source security: “Responsibility must be placed on the stakeholders most capable of taking action to prevent bad outcomes, not on the end-users that often bear the consequences of insecure software nor on the open-source developer of a component that is integrated into a commercial product.” The Biden administration always indicated that addressing software liability would take a prolonged battle ahead.

Under Trump, many of the Biden administration’s efforts have languished. CISA’s splashy hires on open-source are gone, including Black, Tim Pepper and Anjana Rajan. Also departed are leading figures on secure-by-design and SBOMs, with CISA personnel cutbacks slicing deep. 

No one has seen any sign that the national cyber director-led Open-Source Software Security Initiative is active, with few participants remaining in government today. The Trump administration cyber strategy doesn’t mention open-source.

The loss of open-source experts at CISA “is unfortunate, and it will be hard for the government to try to rebuild capacity, but I do think now more than ever CISA has a core role to play to secure open source software,” Cable said.

The pressure is mounting

It’s not that the issue is getting zero attention from those in a position to make a difference. Nick Andersen, the acting director of CISA, said last month that open-source security was an area of particular concern for him.

Andersen responded to concerns about CISA staffing levels on open-source security and spoke more broadly on the topic in a statement to CyberScoop.

“As artificial intelligence and other technologies have the power to transform how vulnerabilities are discovered and exploited, CISA recognizes that the open source software (OSS) that underpins much of the nation’s critical infrastructure will need to be hardened,” he said. “CISA actively collaborates with our partners on shared priorities, including OSS security, to ensure time and resources are spent where they matter the most. We have an immensely talented team, but are also accelerating our hiring in critical areas, to strengthen the nation’s defenses against cyber threats.”

The Office of the National Cyber Director did not respond to requests for comment.

There’s been some activity on Capitol Hill, too. The Securing Open Source Software Act, which Cable worked on during a stint as a Senate staffer, would direct CISA and other agencies to take actions to mitigate open-source software security risks, but the legislation has stalled since its introduction in 2022. A portion of the bill, however, was included in the Department of Homeland Security funding law Trump signed in April, directing CISA to brief Congress on the value of establishing something like an open source program office, which some companies use to manage open source within a given firm.

Senate Intelligence Committee Chairman Tom Cotton, R-Ark., has pushed the executive branch to improve its awareness of foreign adversaries playing roles in open-source software used by national security-focused agencies.

The annual defense policy bill in the House calls on the Defense Department’s chief information officer to report to Congress on a plan to secure open-source software supply chains, saying lawmakers are “concerned that the Department lacks sufficient visibility into the origins, maintenance, and security of OSS applications and software dependencies.”

That defense authorization bill language is “really beneficial, and I think it signals acknowledgement of this changing of culture” around open-source security risks, said Hayden Smith, founder of HuntedLabs, whose company won a contract with the Space Development Agency on supply chain security — agency work that the defense bill singled out.

“The report language is the first time the Hill is trying to get a true handle on foreign influence in open source code where they have oversight,” he said, saying it was a “piece of the puzzle” along with Cotton’s letter and a memo from Secretary of Defense Pete Hegseth last year about foreign influence in the Pentagon supply chain. “It’s good and would trickle down into everyone who provides software to the department.”

Zenla, though, believes trying to isolate China from open-source systems isn’t in and of itself a good idea. 

“I don’t think that that makes a lot of sense, because they’re actually pretty good things that people contribute to open source,” she said. “Not everyone is malicious, and what are we going to do, spy on every single open source maintainer?” It’s more about doing things like making sure that highly-classified systems are set up in a separate way, she said.

Europe is also taking action to secure open-source software that the United States doesn’t seem ready or willing to do right now. Germany, for instance, devotes grants to the security of open-source projects, although Stenberg pointed out that sometimes money doesn’t equate to maintainers being able to fix flaws more quickly, depending on the project’s size.

The Cyber Resilience Act (CRA) adopted by the Council of the European Union in 2024 could offer another road on open-source security. The CRA requires those who use open-source software products as part of any commercial activity to take certain security measures. 

Black said that when she was at CISA, there were discussions between the agency and European counterparts about finding compatible ideas on open-source security, but that momentum died with the Trump administration.

But “Europe kept rolling, and now has in place a new legal framework that is set to really reshape open-source security for potentially the whole world, but certainly for anyone who wants to work with Europe on open source,” she said.

Lorenc recently wrote that “open source isn’t governable.” He said an organization like a neutral nonprofit, possibly using some government funding, should take responsibility for things like coordinating vulnerability disclosure into one pipeline. He also said there needs to be one authority in charge of “forking” — that is, taking a project and assigning stewardship elsewhere — when a maintainer isn’t responsive to vulnerabilities. 

There are differing opinions on how much past government warnings, advisories and guidance have helped. Smith gave some credit to government agencies that “have all responded to open source attacks using the means they have.”

Stenberg said that “I don’t think they make any big dent at all in the big scheme of things.” They might get some attention initially, “then two years later we all forgot about them, and they actually didn’t change much.”

Ideally, everyone could get on the same page, Zenla said. “The best way to do this is if people actually collaborated on a global scale on some sort of regulation around this, but that seems nearly impossible at the current moment,” she said. (The United Nations’ Open Source Week runs all this week.)

But if there’s an upside to the spate of attacks on open-source software, it’s the energy it gives to how better to secure it, Lorenc said, invoking the political saying to never let a good crisis go to waste.

“Everyone knows the industry has to change,” he said. “This is a really good crisis, and the right things are happening in the right places, and organizations are rethinking their culture around software development, and they know what they have to do. It’s just something that’s never been top of the priority list for the last 10 years. Now it is, and they’re doing it, and it’s, ‘Can we do it fast enough?’”

The post Open-source security is posing challenges governments can’t easily solve appeared first on CyberScoop.


Court rules SAVE database illegal, orders it dismantled

By: djohnson
22 June 2026 at 18:07

A federal court ruled Monday that the Trump administration’s national voter database violates federal privacy laws, interferes with Americans’ right to vote, and must be dismantled.

In the ruling, Judge Sparkle L. Sooknanan of the District Court of Washington D.C. wrote that records reviewed by the court show federal agencies knew that the SAVE voter database violated federal laws like the Privacy Act, the Social Security Act and the Administrative Procedure Act, but were “scrambling” to comply with President Trump’s executive order to create a system for mass voter verification.

That pressure resulted in agencies “haphazardly” combining and repurposing the personal information of millions of Americans from different government databases, including citizenship data they knew was unreliable.

“The Court therefore sets aside and vacates the 2025 SAVE modified system and the related notices because they were contrary to law, arbitrary and capricious, in excess of statutory authority, and without observance of procedure required by law,” Sooknanan wrote.

The League of Women Voters, its local affiliate groups and the Electronic Privacy Information Center filed the lawsuit last year. They argued the administration violated privacy laws that restrict the government’s ability to collect or combine private data without congressional authorization.

Sooknanan wrote that the SAVE database violates a prohibition in the Social Security Act against the disclosure of Social Security numbers and other related SSA records as well as substantive and procedural protections in the Privacy Act, which prevent the non-consensual disclosure of certain information both by federal agencies and between federal agencies and require notice and comment.

The court also ruled that SAVE violates the Administrative Procedures Act, which governs how the federal government develops regulations and makes official decisions to ensure they’re fair and impartial.

Sooknanan had earlier declined to rule the database illegal under the Administrative Procedures Act, saying the plaintiffs had failed to prove the data would cause irreparable harm. In her final ruling, she changed course, writing that the states have since run their voter rolls through the federal government’s modified SAVE system, and some voters have been wrongfully identified as non-citizens and had their voter registrations canceled.

“All in all, the federal government has knowingly trampled on the privacy rights of American citizens in a manner that threatens the sacred right to vote,” Sooknanan wrote. “This Court cannot stand idly by while that happens.”

The ruling reinforces longstanding objections from former government officials and privacy experts over the past year, who have said Congress has repeatedly passed privacy laws explicitly to prevent the executive branch from using Americans’ data in ways not prescribed by law. That is what DHS did last year when it took SAVE, a database meant to process government benefits for legal immigrants, and combined it with data from the Social Security Administration and other agencies to create a massive new database of American voters and their citizenship status.

John Davisson, deputy director of enforcement at EPIC, celebrated the decision in a statement, saying the ruling “underscores that government agencies must follow the law, defend privacy and remain accountable to the public they serve.”

“Today’s decision is a victory for us all. By halting the illegal consolidation of sensitive personal data across federal agencies, the court has safeguarded not only our privacy rights but also the bedrock of our democracy: the right to vote,” said Davisson.

The post Court rules SAVE database illegal, orders it dismantled appeared first on CyberScoop.

Trump executive orders speed up post-quantum migration, boost industry

By: djohnson
22 June 2026 at 15:56

President Donald Trump signed two executive orders Monday to accelerate the federal government’s transition to post-quantum encryption and reprioritize government financing to support the domestic quantum computing industry. 

The orders, which CyberScoop first reported on last year, direct the government to throw its weight behind the quantum computing industry. They are part of a broader effort by the Trump administration to put its stamp on the development of another key emerging technology.

In May, the Department of Commerce announced letters of intent for more than $2 billion in federal financing incentives for nine quantum companies under the CHIPS and Science Act. Last year, the administration did something similar with its AI-focused executive orders and action plan that created special federal export programs for AI technology and equipment, directed federal agencies to mobilize federal financing tools to support the industry, and cut or curtail regulations that the administration said may impede domestic growth. 

Ahead of the signing, sources previewed details of those orders to CyberScoop. Per one of those sources, who spoke on condition of anonymity to discuss pending administration actions, a “whole of government approach is used to empower research and development into quantum computing, as well as quantum sensing [and other resources].”

They described the Trump administration’s attitude for propping up industry as “don’t let us miss out on prioritizing the feeders for the research or the development of quantum.” 

The second order requires federal civilian networks to adopt quantum-resistant encryption faster than the current 2035 deadline. The new encryption algorithms, vetted by the National Institute of Standards and Technology, will protect against future quantum computer attacks. 

Agencies that miss the new deadline must report to the Office of Management and Budget explaining why. 

On hand for the signing were Department of Energy Undersecretary for Science Darío Gil, Department of Commerce Secretary Howard Lutnick, National Cyber Director Sean Cairncross, Defense Secretary Pete Hegseth, Federal Chief Information Officer Greg Barbaccia, and Office of Science and Technology Policy Director Michael Kratisos.

Multiple executives from technology companies were also on hand for the order’s signing, complimentary of the government’s efforts in boosting the industry.

“IBM applauds the Administration for taking this important, timely step forward,” said IBM CEO Arvind Krishna in a statement. “Sound policy, sustained investment and public-private partnership are vital to sustaining U.S. quantum leadership and technological resilience. We’re proud to keep building on this foundation — strengthening U.S. competitiveness and bolstering national security as we shape the quantum future together.”

“At Google, we are proud of our sustained breakthroughs in quantum computing and post-quantum cryptography,” said Google President and Chief Investment Officer Ruth Porat. “Quantum computing is a transformational technology that can advance national security, drug discovery, energy solutions and more.”

Update, 6/22/26, 5:20 p.m.: This story was updated after the signing with details about the orders, signing ceremony attendees, and comments from IBM’s Arvind Krishna and Google’s Ruth Porat.

The post Trump executive orders speed up post-quantum migration, boost industry appeared first on CyberScoop.

Congress tees up No FAKES Act, aiming at AI-generated deepfakes

By: djohnson
18 June 2026 at 16:20

The Senate Judiciary Committee approved a new bill this week that seeks to prevent unauthorized deepfakes of American artists, performers and public figures. While the bill sailed through a committee voice vote, both Senators and outside groups say they’re worried it could become a tool for the powerful to quash free speech. 

The NO FAKES Act, introduced by Sens. Chris Coons, D-Del., and Marsha Blackburn, R-Tenn., would give Americans near-exclusive rights to their own digital AI replicas, and those rights live on, passing to heirs, executors and estates for at least 70 years after an individual dies.

While living, creators would be able to essentially license their likeness and image to others, over 10-year contracts for adults and 5 years for minors.

It would also permit individuals to sue anyone who uses their AI-generated image without permission, and pay up to $750,000 for violations. Blackburn submitted letters of support for the bill from more than 40 groups, including the Screen Actors Guild – American Federation of Television and Radio Artists, the American Medical Association, Creative Artists Agency, the Broadcasters’ Associations and the Human Artistry Campaign.

“It is imperative that we put this national standard in place for voice and visual likeness protection of creators, to protect from proliferation of harmful AI-generated deepfakes that are created without their consent,” said Blackburn in a Thursday markup of the bill.

The introduction of consumer-grade AI tools has made it trivial to create convincing deepfakes of real individuals and public figures. The harms are well documented: bad actors have used them to create nonconsensual pornography or sexualized media of people they know, create child sexual abuse material (CSAM), and blackmail or humiliate individuals.

Artists have faced real challenges in the AI era when it comes to controlling their digital likeness. Last year, the Better Business Bureau warned that its Scam Tracker had been flooded with complaints about AI-celebrity endorsement scams. These included deepfakes of Oprah Winfrey promoting weight loss products, Kim Kardashian pleading for donations to fight California wildfires, and pop star Taylor Swift and celebrity chef Gordon Ramsay endorsing cookware.

In the political arena, candidates now create deepfakes of their political opponents, putting words into their mouths or placing them in embarrassing or humiliating situations. Online, disinformation actors have repeatedly spread AI-generated videos and images of politicians like Donald Trump, Kamala Harris, and even regional or local politicians saying or doing scandalous things.

The bill represents one of the most aggressive attempts by U.S. policymakers to protect the digital commercial rights of artists and public figures. New York, for instance, passed a law this month that requires film and television advertisers to publicize when they’re using deepfakes in ads, but does not create a similar copyright regime for artists’ likeness. Tennessee’s ELVIS Act prohibits the unauthorized use of an individual’s voice and likeness and creates secondary liability for large platforms that publish or distribute the content.

The NO FAKES Act faces opposition from an alliance of tech business and digital rights groups. They argue the bill fails to balance the commercial rights of artists to control their own image with longstanding First Amendment constitutional rights to free speech and parody.

Amy Bos, vice president of government affairs at NetChoice, a trade association for online businesses, said that while her group supports legislation that prevents unauthorized AI-generated deepfakes, “good intentions do not make good law.”

“As written, this bill creates a dangerous financial incentive for platforms to aggressively over-remove lawful content, burdens creators with an unworkable counter-notification system, and fails to deliver the uniform national standard its sponsors promised,” Bos said in a statement.

Many digital civil liberties groups agree with that view. A broad coalition of policy groups – including the American Civil Liberties Union, the R-Street Foundation, the Center for Democracy and Technology, the Electronic Frontier Foundation and others – wrote to the Senate Judiciary Committee this week to urge members to oppose the bill in its current form.

They argued the current bill creates a “Heckler’s veto” over most online content, allowing artists, public figures and advocacy groups to flood the notification system with takedown requests for content they don’t like. As with a law already on the books, the Digital Millennium Copyright Act, virtually all the incentives in the bill push platforms to be overaggressive in taking down content, regardless of whether it violates the law or not.

This approach could end up quashing not just unauthorized ads but also scores of other likely First Amendment protected uses, such as education, humor, satire and parody.

In 2023, a humorous AI-generated image of Pope Francis in a puffy Balenciaga jacket went viral. Under the NO FAKES Act, the coalition says that post would be illegal for anyone to post until nearly 2100.

In the political arena, both Republicans like Trump and Democrats like California Governor Gavin Newsom have used AI deepfakes to skewer their political opposition.

“A law that undermines free expression will struggle to survive constitutional review,” the groups wrote. “In the meantime, it can do lasting damage, both to lawful speech and to the autonomy of the people it claims to protect. We urge the Committee not to advance the NO FAKES Act in its current form, to examine how existing state and federal law already addresses the legitimate harms the bill seeks to address, and to pursue narrowly tailored solutions only where a genuine gap remains. We would welcome the opportunity to assist.”

While the bill passed by voice vote and with broad support, multiple Republican and Democratic members of the committee said they had similar concerns and expressed a desire to continue tweaking the bill further before passage into law.

In the Senate meeting, Coons appeared to dismiss those charges, arguing that changes made to the bill ahead of markup adequately address any First Amendment concerns.

“I want to be clear, NO FAKES includes features that protect free speech,” Coons claimed. “Parody, satire, documentaries, biopics, newscasts, they’re all protected, and we built in appropriate counter-notification processes and exempted research libraries and archives.”


Cybersecurity experts don’t think Anthropic’s Fable 5 presents a unique threat

By: djohnson
15 June 2026 at 12:07

Last Friday, the Trump administration sent a shock through the tech ecosystem when the Department of Commerce levied export controls on Anthropic’s new AI model Fable 5.

Anthropic has taken steps to limit the risks around the commercial sale of its Mythos model, including declining to release it publicly, funneling it to organizations for cyber defense and developing guardrails for Fable 5 that would default its answers to older, less powerful models around sensitive topics like cybersecurity and biological warfare.

But the Trump administration was reportedly alarmed by recent reports from Amazon and another cybersecurity researcher claiming to have jailbroken Fable 5 within days of its public release, and determined that if researchers in the U.S. could jailbreak the model, so could America’s foreign adversaries.

The Commerce Department’s decision spurred Anthropic to shut off the models for all users as it attempted to convince the White House to change course.

But some cybersecurity and AI experts have sharply disagreed with the White House’s actions, saying the research has not demonstrated that anyone has been able to circumvent Fable 5’s safeguards and access the kind of dangerous new capabilities that have worried officials.

Katie Moussouris, a well-known cybersecurity expert, said Monday that Anthropic provided her with a copy of third-party research on guardrail bypass techniques for Fable 5.

According to Moussouris, the researchers asked three Claude models – Fable 5, Mythos and Claude Opus – to review batches of known, vulnerable open source code for security issues. Fable 5 initially refused the request, but the researchers were able to use “a multistep and manual process” to get Fable 5 to turn the output into automated scripts that could test patches for the vulnerability.

Third-party research since Fable 5’s release has not found ways to bypass its safeguards around hacking. The capabilities researchers have demonstrated are foundational to what makes Fable 5 and other frontier models valuable for cybersecurity defense.

“Defenders need to be able to ask AI to fix the bugs in a file, explain why the fix matters, and write tests that confirm the patch works,” she wrote. “That is not a guardrail bypass. It is the most valuable thing an AI model can do for defensive security: executing the find, fix, and test loop defenders run every day.”

Moussouris previously provided technical expertise to the Wassenaar Arrangement, a voluntary multilateral security agreement around controlling exports for both munitions and dual-use technology that includes the U.S. and dozens of other countries. Based on the research she’s seen, she called placing export restrictions on all foreign sales of Fable 5 “heavy handed” and “misguided.”

Some lawmakers who are in favor of tighter regulation and greater scrutiny of the national security implications of AI were nevertheless critical of the White House decision. Senator Mark Warner, D-Va., told CyberScoop in a statement that while “there may be circumstances where restrictions on the export of frontier AI models are warranted,” those decisions must be “grounded in a transparent, risk-based process with clear rules and consistent standards.”

The Trump administration’s approach, he argued, has been the opposite, and he called for Congress to pass a statutory framework for testing and approving frontier AI models based on transparency, predictability and fairness.

“This administration has repeatedly shown a willingness to weaken export controls designed to protect our national security and maintain our technological edge over adversaries, while also making no secret of its hostility toward Anthropic,” said Warner. “That raises serious questions about whether this effort is being driven by objective national security concerns or something else.”

Anthropic said it subjected Fable 5 to 1,000 hours of testing from internal and external red teams, reporting that no universal jailbreaks were found that would remove those guardrails or allow the model to access Mythos for cyber and biology work.

Moussouris is far from alone. She is one of dozens of cybersecurity experts who signed an open letter Monday calling on the Trump administration to “Free Fable.”

The researchers say that while Mythos-class models are “quite good” at identifying and exploiting vulnerabilities in software code, they “are not uniquely good” compared to other frontier models they use every day for cybersecurity defense.

For example, OpenAI’s Daybreak model offers similar vulnerability discovery and patching capabilities, yet it was not included in the Commerce Department’s restrictions.

The researchers also note that Fable 5’s guardrails have been notoriously oversensitive compared to other frontier models used by red teamers, becoming “a source of humor in the cyber community on launch day” as IT and cyber workers reported online that they couldn’t get the model to perform basic defensive cybersecurity tasks.

The letter questions whether the issues found in the jailbreaking reports would even qualify as offensive capabilities, and notes they can be reproduced in other commercial and open-source models, including GPT 5.5, Claude Opus, Claude Sonnet and Chinese models like Kimi 2.7.

“The justification for this unprecedented action was that Fable provides a unique ‘uplift’ of capabilities beyond other AI models, but AI has been finding bugs and generating working exploits at superhuman levels since last year,” they wrote.

The White House decision comes as AI companies face increasing backlash from a public that is now overwhelmingly calling for more robust government intervention.

A Johns Hopkins University poll in May found broad, bipartisan support for AI regulations, with 73% calling for bans on AI-generated images and video, 68% calling for labels on AI content, 75% wanting disclosure laws around when they interact with AI chatbots and 70% calling for “the right to interact with a human rather than an AI in medical, legal, educational and government settings.”

Another global survey of 18,000 people released this week found that the top four concerns most people have around AI all revolve around the tool’s ability to spread misinformation, create deepfakes to embarrass or hurt others, make it easier for criminals to hack into victim networks, and help terrorists create new weapons.

Senior reporter Tim Starks contributed reporting for this story.


CISA directive orders agencies to prioritize vulnerability patching in a new way

10 June 2026 at 12:07

The Cybersecurity and Infrastructure Security Agency on Wednesday ordered federal agencies to prioritize vulnerabilities based on four criteria, as part of a push to “patch smarter, not harder.”

Federal agencies should emphasize patches for vulnerabilities that affect a publicly exposed asset, allow an attacker to fully automate exploitation, give attackers the ability to take over control of a system or relate to evidence of active, real-world exploitation, CISA declared.

CISA acting director Nick Andersen previewed the binding operational directive (BOD) Tuesday, framing it as a rethinking of vulnerability management more broadly.

“This Directive provides clear definitions, timelines and criteria that enhance transparency, predictability and agencies’ resource planning to execute more effective vulnerability remediation,” Andersen said in a statement. “CISA is leading and collaborating with federal civilian agencies to stay ahead of our adversaries as tactics, technologies and vulnerabilities change.”

BOD 26-04 sets forth timelines for how quickly agencies must fix a vulnerability based on how many of the four criteria it meets. If it meets all four, for example, agencies need to fix it within three days and carry out a “forensic triage” to assess whether their systems were compromised.

More generally, agencies must immediately update their vulnerability management policies, including establishing a process for ongoing remediation of known exploited vulnerabilities (KEVs) on CISA’s “must-patch” list. Within 60 days, agencies need to update their processes for remediating common vulnerabilities, and within 180 days, agencies must meet the order’s remediation timelines.

The directive is motivated in part by how artificial intelligence is shifting the window from vulnerability discovery to weaponization, and CISA said it reflects priorities in an executive order on AI that President Donald Trump signed last week.

BODs aren’t mandatory for anyone outside of federal agencies, but CISA encourages the private sector to embrace them. CISA officials said in a blog post about the need to “patch smarter, not harder” that “defenders are already struggling to keep up.”

“Artificial intelligence is assisting both researchers and adversaries in identifying flaws in software, vastly increasing the pace at which new vulnerabilities are discovered,” wrote Chris Butera, acting executive assistant director for cybersecurity, and Jonathan Spring, senior technical adviser. “Per Verizon’s 2026 Data Breach Investigations Report, only 26% of vulnerabilities on CISA’s Known Exploited Vulnerabilities (KEV) Catalog were fully remediated by organizations in 2025, a drop from the previous year’s 38%. The median time for full resolution rose to 43 days.”

The move from weeks to days for agencies to patch the most urgent vulnerabilities is something CISA has discussed with some agencies to see if it’s doable, Butera told reporters Wednesday. At one large agency CISA analyzed, just 1% of vulnerabilities fell into the three-day window, while 60% could be deferred to the next system upgrade.

“We’ve engaged with a few federal agencies ahead of this directive and tried to socialize some of these new time frames,” he said. “We really believe we should be able to free up some time to patch the most urgent vulnerabilities faster, while allowing for more regular patch cycles for some of the lower risk vulnerabilities.”

Patrick Garrity, a security researcher at VulnCheck, said the CISA directive joins similar guidance out of India and the United Kingdom.

“It’s clear the momentum is growing and pushing in the right direction,” he told CyberScoop. “The new directive aligns exactly with the approach we’ve been taking with customers for years, leveraging exploit intelligence to focus on the subset of vulnerabilities that enterprises, governments and vendors really need to address. While it’s mandated for federal organizations, it’s something the private sector should pay attention to as well.”

Tod Beardsley, vice president of security research at runZero and former KEV section chief at CISA, wrote on LinkedIn that there are several noteworthy potential impacts of the BOD, among them that he thinks three-day deadlines will end up being frequent.

“I remain dubious that a three day deadline spread across more than a hundred agencies is an achievable patch cadence today, but we’ll all find out together,” he said.

Updated 6/10/26: Includes Chris Butera comments on timelines, and comments from Patrick Garrity and Tod Beardsley.


CISA is rethinking how it prioritizes risks and vulnerabilities for feds, private sector

9 June 2026 at 12:27

The Cybersecurity and Infrastructure Security Agency wants to fundamentally reevaluate how it prioritizes risks and vulnerabilities, both for privately owned critical infrastructure and within the federal government, acting director Nick Andersen said Tuesday.

The plans include a binding operational directive for federal agencies set to be published Wednesday and getting more specific with critical infrastructure owners and operators about which assets they need to protect most and how, Andersen said while speaking at an event hosted by Axonius in Washington, D.C. and talking with reporters afterwards.

The binding operational directive looks to revise how federal agencies do vulnerability management, he said. “Overall, our approach to date has been ‘A patch is released, apply this patch as quickly as you can,’” he said.

“We’re really asking people to take more of a focus on risk associated with each vulnerability. Is it with an asset that is internet-exposed? Does it align to a KEV entry?” he said, referring to CISA’s list of known exploited vulnerabilities. “Is it automatable in its exploitation? Really, we need to be able to highlight that some patches just aren’t as important as others, and plugging the holes for some vulnerabilities is simply not as important as others.”

Andersen said he has made setting the right priorities the focus of his tenure.

“We have to be okay with saying there are some systems that are less important than others, there are some elements of critical infrastructure that are less important than others,” he said. “Those things are very easy for us to rationalize [for] physical crises, but we need to start wrapping our minds around how we’re going to do that during cyber crises.”

Andersen said artificial intelligence-enhanced threats have fueled the directive in part, based on “a recognition that we’re a different dynamic environment with the shorter timeline to weaponization and exploitation,” but the discussions on the directive have been going on for months, before the splashy announcements about frontier AI models and the risks they might deepen. Wednesday’s directive is unrelated to the AI-focused executive order released by the Trump administration last week.

The idea of prioritizing certain potential hacking targets over others isn’t a new one in critical infrastructure. Earlier concepts include “Section 9” designations under a 2013 executive order for entities upon which an attack could have catastrophic effects; “systemically important critical infrastructure” designations, as recommended by the Cyberspace Solarium Commission; and the National Risk Management Center, established during President Donald Trump’s first term but now the subject of proposed budget cuts.

Andersen said past concepts haven’t worked well, citing Section 9 designations as an example.

“We would sit here and say, ‘Congratulations, you’re with this company, and you’re a Section 9 entity, isn’t that fantastic?’” he said. “That’s really not the level of fidelity that we have to be able to get to, to have a real measurable conversation about risk. I need to be able to go to a company and say, ‘Here’s the specific function you’re supporting that makes you more critical. Let’s have a conversation about the specific assets that support that function, and how do we get to a measurable level of resilience for those assets?’”

Those discussions need to get down to a “fine grain,” Andersen said.

“If I’ve got a major bank that I’m talking to, is it as important to me that the bank’s process that supports the bulk payment system is resilient, or is it just as important to me that the branch location two blocks away is continuing to operate?” he said. “Those things just are apples and oranges, even though it’s the same entity that might be affected.”

CISA’s capabilities under the Trump administration have drawn considerable scrutiny, given deep budget cuts at the agency, with more planned. The administration is now making moves to hire back personnel.

Andersen said the agency is working to hire 329 people, and will have job offers out to 182 of them by the end of June. He said the emphasis of the first tranche of hires under the hiring sprint is operational capabilities, meaning areas like emergency communications, infrastructure security and regional personnel.

The agency also has had some of its work hampered by the government shutdowns, such as the delay in plans for town-hall meetings about implementation of the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which will require key owners and operators to report major incidents within 72 hours.

Andersen said he couldn’t set a date for finalization of regulations related to the law — which had already been delayed prior to any funding lapses — with those town halls now scheduled to begin next week.

“We could have a lot of comments that come to us and really radically change our way of thinking about what the need is here,” he said. “But our focus is just on what’s the original congressional intent behind CIRCIA, what is the greatest need that we’re going to be able to serve, and how it’s going to be able to further the mission that we have for the nation.”


DOD wants to integrate cyber in all operations, and integrate security into AI

2 June 2026 at 13:11

The Pentagon is focusing on integrating cyber into all its operations, and wants to make sure it integrates security into artificial intelligence usage from the outset, the Defense Department’s top cyber policy official said Tuesday.

Recent conflicts have made clear how important cyber is, said Katherine Sutton, assistant secretary for cyber policy and principal cyber adviser at DOD — especially when it’s paired with physical force.

Defense officials have noted that there’s been a cultural shift on the importance of cyber at the department since the war in Iran and the capture of Venezuelan leader Nicolas Maduro.

“Information is becoming more and more important on the battlefield, so having the ability to integrate space, cyber and other non-kinetic effects to be able to degrade that information advantage is something that’s going to be critical and foundational to any future conflicts going forward,” she said at GDIT’s Emerge: Battlespace of the Future conference, hosted by Scoop News Group. “We have to fully pull cyber out of its silo, which means not just integrating the effects, but starting the integration from day one with operational planning … and built in from the beginning, and not something that we strap on as we’re going to execute.”

Brandon Pugh, principal cyber adviser for the Army, backed up that message at the same conference, saying that cyber “being considered in a silo is not where it’s most effective,” and is more effective “when we see cyber blending in the kinetic operations while still being an option in its own right.”

Army Secretary Dan Driscoll has made Pugh the Army secretariat’s lead for all of its defense critical infrastructure, both physical and cyber, which Pugh said underscores how closely the Army sees the two as linked. The Army brought agencies together last month for an exercise to contemplate threat scenarios across domains.

By the same token, security needs to be interlaced with artificial intelligence, Sutton said. It’s a truism in the cybersecurity world that the internet wasn’t built with security in mind. As advanced AI models grow in usage at the Defense Department, Sutton said the Pentagon can’t make similar mistakes.

“As we adopt these new tools, we’re also creating a new threat landscape for adversaries to attack us and to exploit these new capabilities, so we need to start thinking about how we’re going to secure them,” she said. “One of the challenges we have often had with tools is we adopt them, and security is an afterthought, or we realize that we didn’t think about security from the front. I just don’t think we have that luxury with AI going forward.”

CORRECTED 6/3/2026: to clarify Pugh’s role on defense infrastructure within the Army.


Trump administration releases scaled-back AI executive order

By: djohnson
2 June 2026 at 12:53

The Trump administration issued a revised executive order Tuesday focused on artificial intelligence, offering a significantly pared-back vision for the federal government’s role vetting AI systems compared with a draft version that was spiked weeks ago.

The order keeps in place the administration’s largely voluntary framework for companies to engage with the federal government around testing new models before release, but appears to considerably weaken or loosen provisions that had been opposed by industry.

Under the order, AI companies would voluntarily provide the federal government access to frontier models before release, but now it will be for “up to” 30 days instead of the 90-day timeline included in previous drafts.

It also explicitly states that nothing in the program will be construed as mandatory or part of a federal licensing or permitting regime, and gives AI companies significant influence to help define which models would and would not be covered for testing.

It also states that all federal testing and access to the models would be subject to “confidentiality, cybersecurity, insider-risk, and intellectual-property protection, use, and nondisclosure requirements.”

Section one of the order highlights the central friction that has plagued the Trump administration’s AI policy since assuming power: While the White House increasingly sees national security implications in the rapid release of frontier models from the private sector, it has also been one of the loudest critics of regulating the technology for fear it could harm American businesses.

“The United States continues to lead the world in Artificial Intelligence (AI) because of the enormous talent and innovation of our AI industry, and because we refuse to stifle this innovation with overly burdensome regulation,” the order reads.

That argument was bolstered in recent days as industry members and top advisers to Trump, like tech investor and AI czar David Sacks, lobbied against previous draft language, arguing it would put too much of a regulatory burden on U.S. businesses.

On X, Sacks called the revised EO, including the change reducing the government’s access from 90 days to up to 30 days, “a game changer” because it would allow frontier labs to comply without delaying new model releases. He also said the discussions he’s had with the White House indicate that not all new model releases would be subject to even that level of scrutiny.

The White House characterization that the order is not a program for conducting oversight of all new AI models “is completely consistent with the discussions that I have participated in, where it was agreed that the EO is intended to apply only to models that represent a meaningful step-change in cyber capabilities (eg Mythos), not to incremental version numbers of existing models,” Sacks wrote.

The order also puts the Department of Treasury at the head of a new interagency cybersecurity clearinghouse on AI, where the private sector, critical infrastructure operators and federal agencies voluntarily collaborate to coordinate and deconflict scanning for software vulnerabilities, as well as discovery, validation and remediation activities, like patching.

Treasury, the Cybersecurity and Infrastructure Security Agency, the NSA, the Office of the National Cyber Director and other agencies would also be responsible for developing classified benchmarks that would be used to identify or flag the kind of advanced cyber and hacking capabilities that agencies are interested in testing.

Questions linger over implementation, politicization

Consisting of fewer than 1,200 words, the directive is vague in many areas about exactly how implementation will work.

“On frontier capability access, vulnerability discovery for critical infrastructure, and sharing with trusted partners, many questions remain,” wrote American Enterprise Institute fellow Ryan Fedasiuk.

Senator Mark Warner, D-Va., said the order would help the White House “begin to grapple” with the threats that new frontier models and their hacking capabilities pose to critical infrastructure and praised certain provisions, like putting the NSA in charge of classified testing of new models. But he was also sharply critical of the administration’s about-face on the need for federal scrutiny of emerging AI technologies.

“Once again, the Trump administration has belatedly discovered the need to redo something it hastily dismantled in its first year,” Warner said in a statement. “While this course correction – a rehash of proposals contained in the last administration’s 2023 executive order, bipartisan congressional legislation, and each of the last three years of intel authorization bills the Senate Intel Committee has passed – can begin to grapple with widespread impacts that new frontier models will have on our critical infrastructure, it can’t undo the years wasted on dismantling some of the most vital pillars of our nation’s cybersecurity response, including key information sharing initiatives and the federal agency established to protect the security of U.S. critical infrastructure.”

Warner also said he will be “watchful” for indications the administration may politicize any testing regime, for instance by using the partnerships “to pressure U.S. firms into making changes to their products or Terms of Service to suit partisan or legally questionable objectives of the president and his allies.”

The administration’s lighter-touch approach around voluntary testing yielded approval from some experts who have traditionally been more in favor of regulation, but who also expressed similar worries about the downsides of putting the federal government in charge of vetting AI models.

Samir Jain of the Center for Democracy and Technology said that while AI models pose real cybersecurity threats to critical services, the order “attempts to avoid the deeply concerning implications of a mandatory licensing regime for release of new models.”

“Testing and benchmarking programs are important to promote cybersecurity and address other risks,” Jain said in a statement. “However, the EO should not become a mechanism for the Administration to punish companies for political or other arbitrary reasons, and so we will be closely monitoring the details of its implementation as they emerge.”

You can read the full order on the White House’s website.


USPS moving forward with mail-in ballot changes as courts weigh Trump’s election order

By: djohnson
1 June 2026 at 13:57

The U.S. Postal Service is moving forward with mail-in ballot restrictions, following a court’s rejection of a request by voting rights groups to immediately block an executive order from President Donald Trump ordering the changes.

A new regulation proposed last Friday seeks to apply “uniform standards for the mailing of absentee ballots to and from voters,” including new ballot envelope standards with unique barcodes, election mail logos and other changes that would allow the federal government unprecedented abilities to track – and halt – the movement of mail-in ballots across the country.

Trump has long argued that mail-in ballots facilitated election fraud in 2020 that cost him the presidency, though election experts, election officials and even some Trump allies have dismissed those claims as baseless.

According to the proposed rule, these changes would allow USPS to follow ballots at a granular and individual level, something critics have said will make it easier for the Trump administration to meddle with their delivery.

“Uniquely serialized [barcodes] facilitate the tracking of individual pieces of Ballot Mail to and from individual voters as the barcodes are scanned on the Postal Service’s mail processing equipment,” the proposed rule states.

Trump’s executive order, issued in March, would require states to send the federal government a list of all voters eligible to vote by mail prior to USPS mailing them ballots. The federal government has indicated that it plans to cross-check those voters with data from the Department of Homeland Security and the Department of Justice.

The proposed rule says that after states submit their list of eligible mail-in and absentee voters, USPS will “compile” the information and then provide a “Mail-In and Absentee Participation List” back to them. The Postal Service said it “would not change the information provided by states” when compiling the return list. 

Further, the proposed regulation also includes new “verification” procedures that could place USPS above states in deciding which voters are eligible to receive ballots. This would include having the USPS “confirm that a state submitted a list consistent with the conditions laid out in the proposed rule, and that the outbound ballot mail, and thus the blank ballot that could be returned by mail, is destined to individuals on the list, by checking the barcodes.”

The rule claims that USPS “would not verify whether individuals should be included” on state lists and that states retain “full control over the content of that list.”

However, the White House’s March order also instructed the Department of Justice to prioritize the investigation and prosecution of state and local officials or any others involved in the administration of federal elections who issue federal ballots to individuals not eligible to vote in a federal election.

That order was immediately challenged through lawsuits in multiple federal courts, where many of the White House’s plans to take greater control of elections have fallen short. That includes a lawsuit brought by Democrats and nonprofits in Washington.

While Judge Carl Nichols declined to halt the order, that decision was made on strictly procedural grounds, and he indicated the plaintiffs could be in a better position to prove their case later.

“The Court recognizes that the Postal Service may ultimately issue a final rule that directly affects Plaintiffs or their members, or that the Government may develop State Citizenship Lists that omit specific individuals due to particularized flaws,” Nichols wrote. “Plaintiffs may, of course, renew their motions if and when those future actions occur. Until then, however, Plaintiffs cannot show that preliminary injunctive relief is warranted.”

A separate federal lawsuit challenging the order in Massachusetts remains ongoing.

Alexandra Chandler, director of Free and Fair Elections at nonprofit Protect Democracy, noted that USPS and the federal government have no constitutional authority to regulate how states administer their elections, including micromanaging voter roll maintenance.

While the proposed regulation claims USPS will not overrule states on a voter’s eligibility to receive mail-in or absentee ballots, it’s also peppered with caveats and exceptions that could allow USPS to do just that if they determine it is part of their obligation to uphold federal laws or assist law enforcement investigations.

The rule states that USPS “assumes no responsibility for any outbound ballot mailing” until it’s accepted into the mail, and is “not responsible for service delays” whenever preparation or entry standards aren’t met.

Chandler called the proposed rule a clear attempt to disrupt election processes, sow distrust in elections among voters and lay “the groundwork to disrupt ballot delivery in real time, create fodder for false investigations and prosecutions, and to contest the midterms after the fact.”

“The administration is trying to turn postal workers into de facto election auditors with the power to decide whether people’s votes get counted while at the same time building an entire federal voter data and technical infrastructure it has no legal authority to create,” Chandler said.


House panel poised to hold hearing centered on AI impact on cyber

28 May 2026 at 14:54

A House subcommittee will hold an open hearing next week on how frontier artificial intelligence models are shaping the cybersecurity landscape, for good and for ill.

The June 4 hearing will be the second the Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection has held that was focused at least in part on the subject, following a similar hearing held in December. But unlike at that joint subcommittee hearing, where members also examined other emerging technologies, AI takes center stage next week.

It caps a series of closed-door meetings of the Homeland panel where members and staff have been evaluating the intersection of AI and cyber. CyberScoop is first to report details on the hearing.

The witnesses will be Sandra Joyce, vice president of Google Threat Intelligence; Chris Meserole, executive director of the Frontier Model Forum; Jack Cable, a former top official at the Cybersecurity and Infrastructure Security Agency and now chief executive officer and co-founder of Corridor Security; and Matthew Guariglia, senior policy analyst at the Electronic Frontier Foundation.

“Communist China is moving aggressively to control the technologies that will define the future of economic and military power, and few technologies are more consequential than artificial intelligence,” subcommittee chairman Andy Ogles, R-Tenn., said in a written statement. “Adversaries are already working to steal American AI capabilities, weaponize AI-enabled tools, infiltrate critical systems and undermine our national security.”

“AI is the America First mission of the future, and it is becoming our number one offensive and defensive weapon against cyber terrorists,” he continued. “I look forward to hearing from our witnesses on how we can stay ahead of AI-enabled cyber threats, protect the services Americans rely on and win this AI arms race.”

The hearing is the latest response from Capitol Hill to the spate of news about the capabilities of advanced AI models to uncover cyber vulnerabilities. Earlier this month, for instance, lawmakers wrote to National Cyber Director Sean Cairncross asking for a plan to deal with the potential surge in vulnerability discovery stemming from such models.

Last week, the Trump administration postponed a draft AI executive order. It’s something lawmakers are likely to ask about at next week’s hearing.


UK spy chief labels AI ‘unstoppable force’ with offensive, defensive ramifications for cyberspace

27 May 2026 at 15:07

Artificial intelligence is an “unstoppable force” that allows tech to be “weaponized just below the threshold of traditional warfare,” including in cyberspace, the head of a U.K. intelligence, security and cybersecurity agency said Wednesday.

We live in a world “where the latest frontier AI is rapidly unearthing fault lines in technologies our society relies on every single day,” said Anne Keast-Butler, director of the Government Communications Headquarters (GCHQ) spy agency. “The ground beneath our feet is shifting, and shifting fast. Which means cybersecurity has never been more important.”

She added: “we need to reimagine cybersecurity in the AI world.”

Keast-Butler said her agency has spent the last few months developing defensive capabilities that are integrated with agentic AI, and embedding it into its operations “responsibly and ethically.”

Her speech offered the view of one of the world’s cyber superpowers about how AI is evolving both cyber offense and defense. GCHQ is the largest of the U.K.’s spy agencies and home to the National Cyber Security Centre.

The U.K.’s AI Security Institute recently reported on how advanced AI models have surpassed prior benchmarks for autonomously uncovering vulnerabilities. At the same time, government officials in Europe, the United States and elsewhere have warned about how AI will exacerbate cyber risks.

Keast-Butler said Wednesday that “warfare is being reconfigured; increasingly data-driven, AI-enabled, and automated in conflicts from Ukraine to Iran.”

Overall, “AI is an unstoppable force with great opportunity. But it’s also a force with risks,” she said. “As AI gains increased autonomy, we all have an intergenerational duty to harness and secure it for good; to protect our national security, our economy and our way of life.”

She warned about China’s arrival as a tech superpower, which includes its sophisticated cyber capabilities. She said China recognizes the value of AI combined with the availability of massive amounts of data.

And Russia is upping its use of hybrid warfare against both Ukraine and the U.K., Keast-Butler said, with both cyber and physical forces.


White House charts new course for federal agencies and cybersecurity logging

26 May 2026 at 15:09

The White House has updated rules for federal agencies to keep logs of significant cyber activities in their networks, touting it as a measure to cut back on red tape and focus on how cybersecurity risks have evolved.

The Office of Management and Budget memorandum, released Friday, replaces a 2021 memo signed by then-President Joe Biden. It continues revisions that President Donald Trump has made to federal cybersecurity guidance under his predecessor.

The new memo, M-26-14, nods at the intentions of the earlier memo, M-21-31, saying that “Implementation of that memorandum improved foundational capabilities across agencies” to establish standards for logging and improve agencies’ record-keeping for the purposes of detecting and responding to cyberattacks.

“However, some requirements, such as the retention of vast quantities of logging data without clear utility, proved neither operationally feasible nor cost-effective for most agencies,” last week’s updated memo states. “To address these inefficiencies and the evolving cyber threat environment, this memorandum directs agencies to employ a risk-based, prioritized logging approach.”

There have been calls to update the 2021 memo, and one observer praised the new version to CyberScoop. Another analyst, however, questioned how much harm the Trump administration might do by rescinding the earlier memo before all of the new memo’s directives are in place.

One directive is for the Cybersecurity and Infrastructure Security Agency to develop a “logging reference architecture” within 90 days that prioritizes two objectives: continuous event monitoring, and forensic investigation after a known or suspected compromise.

Agencies would have another 90 days to submit a logging plan that adheres to those principles. The memo also establishes a new model for measuring agency progress in implementation. Multiple government watchdogs have concluded that agencies weren’t meeting the prior memo’s benchmarks.

The new memo “sharpens focus on real-time threat detection and the ability to investigate and recover after a cyber attack,” John Harmon, regional vice president of cyber solutions at Elastic, told CyberScoop. “It gives agencies the flexibility to build logging architectures that fit their specific mission.”

Harmon also praised the memo’s recognition of artificial intelligence risks to cybersecurity, and the revised maturity model.

But Nick Leiserson, senior vice president for policy at the Institute for Security and Technology think tank, said the timing of the replacement memo and the rescinding of the previous memo will give agencies a reason not to budget and prioritize logging for a period of time that adds up to six months or more.

“Moving from that to nothing is not ideal, and that’s essentially what this is doing,” Leiserson, who served in the Biden administration’s Office of the National Cyber Director, told CyberScoop. “This is saying ‘We’re rescinding 21-31 right now.’ You won’t have any new guidance for at least 90 days, when CISA publishes this logging reference architecture, and it’s not clear to me why you would disaggregate that and not have the two of those things come out at the same time.”


Trump postpones executive order focused on AI security 

By: djohnson
21 May 2026 at 14:37

President Donald Trump said he would postpone the release of an executive order that would set up a 90-day testing and vetting regime for frontier AI models, hours before the White House was set to publicly announce the signing. 

Speaking to reporters in the Oval Office Thursday, Trump said he opted to delay the order “because I didn’t like certain aspects of it” and expressed concerns that it could harm U.S. AI industry competition with countries like China. 

According to multiple sources, a draft version of the order circulating in the last 24 hours would have set up a voluntary testing regime between the U.S. federal government and frontier AI companies that would allow the government to study new models for 90 days before they’re publicly released. In addition to the government, the draft order would also facilitate access to the models for cybersecurity testers in critical infrastructure sectors, like finance and healthcare.

The draft order empowered the National Security Agency to conduct classified evaluations of frontier AI models, while the Department of the Treasury would have set up a new information sharing agreement between AI companies and cybersecurity defenders in critical infrastructure.

Other agencies, like the Office of the National Cyber Director, the Cybersecurity and Infrastructure Security Agency and the National Institute for Standards and Technology, would also be involved in defining which models are covered under the vetting regime.

In some sense, the order would formalize an already cooperative relationship between AI companies and governments like the U.S. and UK, where tech-focused agencies and regulators have already been provided access to previous models ahead of their release for testing and evaluation. 

A former federal official who has seen the latest draft circulated before Thursday’s announcement told CyberScoop that based on their conversations with the administration, the order was intended to facilitate more robust testing from government agencies compared to evaluations conducted for previous models. They said that is in part a reflection of the federal government’s maturing understanding of AI technology over the past five years.

“In the past there has been containerized optionality for the intelligence community and others to take a look at things, but it was really a lot of hand holding [from AI companies] and self-explanation of what they expect this thing to do,” said the official, granted anonymity to discuss sensitive conversations with the administration. “And now the government is coming forward and saying now we feel we’re prepared enough for you to just give us your tool…and we’ll go from there.”

But it also represents a stark pivot by the Trump administration, which came into office openly dismissive of AI safety policies and arguing that they would inhibit U.S. industry. Trump’s latest comments in delaying the order echo those same attitudes. 

The former official said that while the Trump White House doesn’t view its mission as telling AI companies “don’t develop AI that can do X, which was perceived to be the previous administration’s role,” they also acknowledged the administration’s early rhetoric on AI regulation has painted them into a corner. 

“I think the biggest challenge the administration has is that their tone was ‘no institution of guardrails’ and they don’t have a better word for making sure that the capabilities of emergent frontier models don’t disrupt security than to say ‘let’s test it and institute guardrails,’” the official said.  

While debate about how best to regulate AI-related harms continues, most agree there are genuine national security concerns around the technology.

Ram Shankar Siva Kumar, founder of Microsoft’s AI red team, told CyberScoop that in 2019, his staff consisted of himself and a few other security and machine learning specialists. Now a much larger staff of technologists are supported by specialists in psychology, linguistics, bioweapons and other fields.

“Because of frontier harms, what we have done has really morphed,” Siva Kumar said.

The United States, along with Israel, Russia, Ukraine and others have already deployed AI in targeted military operations or integrated the technology into their larger command and control structure. AI is being used to supercharge drone warfare, global hacking campaigns, and sophisticated surveillance and targeting of military personnel and civilians, imbuing the engineering choices of frontier AI companies with life and death consequences.

Some congressional members who previously opposed allowing AI to make autonomous kill decisions on the battlefield have been reconsidering their position.

Rep. Don Beyer, D-Va., who co-chaired the Congressional AI Caucus and was appointed to a bipartisan AI task force in 2024, said that while he thinks “we need to guard against dehumanizing” those decisions, he also worries that adversarial countries will use the same technology against the United States.

“It’s like if we say that Americans have to have a human in the loop and the Chinese don’t have to have a human in a loop, the non-human one will beat the human one every time,” Beyer said at an AI conference in Washington D.C. earlier this month.  

Meanwhile, experts have been increasingly concerned about the technology’s impact on cybersecurity, as current models are remarkably good at finding software bugs and vulnerabilities, while newer models like Anthropic’s Mythos and OpenAI’s Daybreak are capable of chaining together multiple exploits to conduct more sophisticated attacks.

While state-sponsored hackers are experimenting with the technology and using it to gain targeted efficiencies in their hacking operations, cybersecurity experts in the private sector and law enforcement agencies say the technology has mostly benefitted cybercriminals and scammers.


Closed briefing sets stage for House hearing on Anthropic’s Mythos and cyber risks

13 May 2026 at 18:10

The House Homeland Security Committee is digging into Anthropic’s AI model Mythos in a series of briefings and hearings, as questions proliferate on whether and how the federal government will make use of the technology touted for its ability to autonomously uncover cyber vulnerabilities.

Wednesday brought a closed-door briefing for the House Homeland Security Committee from Anthropic. The chairman of the panel’s cybersecurity subcommittee said he is planning to hold a hearing on the topic. And committee Democrats are requesting a classified briefing with Anthropic.

A committee aide who attended the briefing said it included a live demonstration of Mythos, “allowing members to see firsthand how advanced AI can identify and reason through software vulnerabilities. What we saw reinforced the urgency of ensuring that federal agencies, including our civilian cyber defenders, can responsibly access and deploy the most advanced U.S. models to find and patch vulnerabilities before foreign adversaries or criminal actors exploit them.”

A number of key lawmakers, including top committee Democrat Bennie Thompson of Mississippi and GOP cyber subcommittee chair Andy Ogles of Tennessee, told CyberScoop they weren’t able to attend Wednesday’s briefing. A second source who attended said it was a “productive” meeting.

“Members on both sides were focused on preserving U.S. advantage in AI, which basically came down to preserving our edge on compute power,” the source said. “They were also asking questions about whether the federal government was using Mythos, including about where CISA is and the impact of the supply chain risk designation.”

The Hill reported that Wednesday’s briefing was led on the Anthropic side by Logan Graham, from the company’s frontier red team, and Josh Tilstra, from the firm’s national security programs and policy team. It follows another recent closed briefing with Anthropic and OpenAI for the House Homeland Security Committee.

Ogles told CyberScoop he plans to hold a hearing of his subcommittee related to Mythos, but wasn’t able to attend Wednesday’s briefing due to scheduling conflicts. The top Democrat on Ogles’ subcommittee, Delia Ramirez of Illinois, also was unable to join due to prior commitments, but she was set to receive a rundown from staff about Wednesday’s briefing, her office said.

There’s a divide on which federal agencies are using Mythos thus far. For example: CISA reportedly isn’t, but the National Security Agency is.

The federal divide on its use follows a Department of Defense blacklist that labeled the company a “supply chain risk” after Anthropic resisted pressure from the Pentagon to use its Claude AI model in ways the company opposed. The department says it has been using Mythos to identify cyber vulnerabilities despite the blacklist.

A turf battle is brewing within the Trump administration over testing of AI models, The Washington Post reported this week. Connecticut Rep. Jim Himes, the top Democrat on the House Intelligence Committee, said this week that it would be “insane” for U.S. spy agencies not to have early access to advanced AI models.

The Mythos briefing came one day after OpenAI announced its own cybersecurity initiative.

The committee aide said that “as the PRC aggressively works to close the AI innovation gap with the United States, the committee remains focused on ensuring that America’s AI leadership translates into a durable national security advantage, not a temporary lead that adversaries can copy, steal, or rapidly commoditize.”

Updated 5/13/26: to include comment from a committee aide who attended the briefing.


DOJ releases legal rationale for nationwide voter data collection

By: djohnson
13 May 2026 at 16:10


The Trump administration released a legal opinion outlining the legal rationale behind its nationwide voter data collection efforts, justifying an aggressive federal role in vetting voter eligibility, a position courts have repeatedly rejected in related litigation.

The memo, released Tuesday by the Department of Justice Office of Legal Counsel, concedes that election administration is “primarily the purview of the states,” but argues that the administration’s efforts are nonetheless a lawful exercise of federal oversight.

The Justice Department grounds that rationale in a provision of the 1960 Civil Rights Act, requiring election officials to keep voter records for 22 months after an election so it can investigate potential civil rights violations. Under the memo’s reading, that retention rule also gives the Attorney General authority to obtain copies of those records “upon demand in writing.” 

The memo also cites several other federal election laws – like the Help America Vote Act, the National Voter Registration Act and the Voting Rights Act – as support for the executive branch’s efforts. It argues that those statutes have long required states to modernize and secure voting systems (including accessibility upgrades) and maintain accurate voter rolls by removing ineligible voters.

The memo further argues that the potential presence of one or more non-citizens on state voter rolls is enough to trigger the federal government’s nationwide data collection and sharing efforts with immigration authorities.

“Because illegal aliens are ineligible to vote, these generally applicable laws are also implicated by an illegal alien’s presence on a state’s voter rolls,” the memo states.

Multiple federal courts have come to the opposite conclusion, dismissing half a dozen lawsuits from DOJ and the Department of Homeland Security that would force states to comply. Further, states have repeatedly confirmed through recounts, audits, investigations and lawsuits that the number of non-citizens registered to vote (and who end up actually casting ballots) in U.S. elections is infinitesimal.

David Becker, executive director of the Center for Election Innovation & Research, noted in a post on Bluesky that “6 courts, including 2 judges appointed by the current president, think this ‘opinion’ isn’t worth the paper it’s written on.” Becker, a former DOJ senior trial attorney in the voting section of the Civil Rights Division, has consistently argued that the executive branch and White House have no legal or constitutional role to play in vetting state voter registration.

Sarah Copeland Hanzas, Secretary of State for Vermont, gave a similar reaction when CyberScoop reached out for comment.

“It’s not worth the paper it’s printed on,” Hanzas said in a statement. “Or the electrons it takes to store and transmit 41 pages of fantasy.”

Election officials have largely resisted the federal government’s demands. Earlier this year, West Virginia Secretary of State Kris Warner told CyberScoop he had no intentions of handing over more information than is already publicly available.

“If they want it, they can have it: $500 dollars for [anyone to buy] the statewide list, but they’re not getting personal information,” Warner said in a January interview. “State law says we’re not sharing that and my job is to carry out the law laid out by the West Virginia legislature.”

The inability of the federal government to point to serious evidence of mass voter fraud or non-citizen voting has led states to rebuff attempts to collect sensitive data on every voter in their state, including names, Social Security numbers, home addresses, voter history and other details.

The administration says it intends to cross-check state data against immigration records, share that data with DHS and immigration enforcement agencies and ultimately create its own list of eligible voters. An executive order issued by the White House earlier this year sought to deny federal funding to states that did not accept voter lists from the federal government and directed the Attorney General to investigate state election officials for voter roll discrepancies. Voting groups have challenged the order’s legality, and a previous election-related executive order was largely ruled unconstitutional by the courts.

The administration has sued dozens of states who have refused to hand such data over, though it has yet to convince courts of the merit. One judge called the administration’s efforts “unprecedented and illegal” and accused the administration of twisting the Civil Rights Act and other federal laws that were passed “to protect hard won civil rights victories allowing access to the ballot box” in order to obtain unfettered access to state voter data.


Major world economies spell out key elements of AI ‘ingredients list’

12 May 2026 at 17:09

A group of international government agencies released guidance Tuesday on what they believe any artificial intelligence “ingredients list” tool should include to make AI more secure.

The concept of such a list, known as a “software bill of materials (SBOM),” is to know everything that goes into a particular piece of software so that any supply chain risks are easier to identify. There’s been a growing focus from cyber experts on how they interact with AI.

The guidance produced by agencies from the G7 group of nations, including the Cybersecurity and Infrastructure Security Agency, is aimed at setting minimum voluntary standards for what SBOMs for AI should look like. It builds on past efforts to produce other kinds of SBOM guidance.

“While not exhaustive or mandatory, the supplemental minimal elements outlined in this guidance reflect the consensus of G7 experts and will expand over time to keep pace with the rapid advancement of AI technology,” CISA stated. (Some refer to SBOMs for AI as AIBOMs.)

The elements fall under seven categories: information about the SBOM for AI itself; about the AI system as a whole; for identifying the models used by the AI system; about the datasets used across the model’s whole life cycle; about the physical and virtual infrastructure needed to operate and support the AI system; about the cybersecurity measures that apply to the AI models and systems; and about the AI system’s key performance indicators.
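As an added illustration (not code from the G7 guidance, CISA, or any of the vendors quoted in this piece), the following Python sketch shows the two things a bill of materials for AI is meant to make possible in practice: checking that a document actually carries the element categories listed above, and verifying that the model weights and training data being deployed match the hashes the document records. The JSON layout, field names, component types (borrowed loosely from CycloneDX’s ML-BOM vocabulary), artifacts and values are all constructed for the example and are assumptions; the G7 document’s real schema is not reproduced here.

```python
"""Check an AI bill of materials (AIBOM) and verify the artifacts it describes.

Added example. The document layout below is an assumption modeled loosely on
CycloneDX's "machine-learning-model" and "data" component types; it is not
the G7 guidance's schema. All artifacts and hashes are constructed inline.
"""
import hashlib
import hmac

# Element categories a complete document is expected to carry (assumed names
# standing in for the seven categories described in the guidance).
REQUIRED_TOP_LEVEL = ("metadata", "components", "infrastructure", "security", "kpis")
# Fields every model or dataset component must carry to be identifiable and pinnable.
REQUIRED_COMPONENT_FIELDS = ("type", "name", "version", "supplier", "hashes")

# Constructed stand-ins for a model checkpoint and a training dataset.
ARTIFACTS = {
    "triage-llm": b"weights-v2026.05-" + bytes(range(32)),
    "ticket-corpus": b"ticket,label\nprinter jam,hardware\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample_aibom() -> dict:
    """Return a constructed AIBOM whose recorded hashes match ARTIFACTS."""
    return {
        "metadata": {"system": "triage-assistant", "version": "2.3.0"},
        "components": [
            {"type": "machine-learning-model", "name": "triage-llm",
             "version": "2026.05", "supplier": "example-vendor",
             "hashes": {"SHA-256": sha256_hex(ARTIFACTS["triage-llm"])}},
            {"type": "data", "name": "ticket-corpus", "version": "2026-04-30",
             "supplier": "internal", "lifecycle": "training",
             "hashes": {"SHA-256": sha256_hex(ARTIFACTS["ticket-corpus"])}},
        ],
        "infrastructure": {"runtime": "gpu-cluster-a", "isolation": "dedicated-vpc"},
        "security": {"controls": ["signed-weights", "prompt-logging"]},
        "kpis": {"accuracy": 0.91},
    }


def check_elements(bom: dict) -> list[str]:
    """Report missing element categories and missing per-component fields."""
    problems = []
    for key in REQUIRED_TOP_LEVEL:
        if key not in bom:
            problems.append(f"missing top-level element: {key}")
    for i, comp in enumerate(bom.get("components", [])):
        for field in REQUIRED_COMPONENT_FIELDS:
            if field not in comp:
                problems.append(f"component[{i}] missing field: {field}")
    return problems


def verify_artifacts(bom: dict, artifacts: dict[str, bytes]) -> dict[str, str]:
    """Compare each component's recorded SHA-256 with the artifact actually present.

    Returns a per-component status: ok, hash-mismatch, artifact-missing or no-hash.
    """
    results = {}
    for comp in bom.get("components", []):
        name = comp.get("name", "?")
        expected = comp.get("hashes", {}).get("SHA-256")
        blob = artifacts.get(name)
        if expected is None:
            results[name] = "no-hash"
        elif blob is None:
            results[name] = "artifact-missing"
        elif hmac.compare_digest(sha256_hex(blob), expected):
            results[name] = "ok"
        else:
            results[name] = "hash-mismatch"
    return results


if __name__ == "__main__":
    bom = build_sample_aibom()
    print("element check:", check_elements(bom) or "complete")
    print("artifact check:", verify_artifacts(bom, ARTIFACTS))
    # A silently swapped training set: the supply-chain case the BOM exists to catch.
    tampered = {**ARTIFACTS, "ticket-corpus": b"ticket,label\nprinter jam,software\n"}
    print("after tampering:", verify_artifacts(bom, tampered))
```

The element check is the transparency half (is the document complete enough to answer “what is this AI, where did it come from, how was it trained”); the hash check is the supply-chain payoff, where a replaced dataset or a quietly updated checkpoint surfaces as `hash-mismatch` before the system is trusted, which is the kind of load-time control the runtime concern raised later in the piece points at.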

A trio of industry professionals who have worked on the topic of AIBOMs told CyberScoop they welcomed the guidance, in each case praising it as a good step that could nonetheless be improved upon.

“Pretty much every piece of software out there is now going to have AI incorporated into it, and when a hospital is buying an AI-enabled medical device, or the Department of War is buying an AI-enabled weapon system, or auto manufacturers are putting AI into cars, we need to be able to trust what AI is in those systems,” said Daniel Bardenstein, CEO of Manifest Cyber. “And the first step to trust is to identify what is this AI, where did it come from? How is it trained?”

“This is a strong, applaudable step towards getting everybody on the same page that this is the future of how we need to think about trusting AI,” said Bardenstein, who has built an AIBOM generator and worked on the topic in the past with CISA and the OWASP Foundation.

Dmitry Raidman, co-founder and chief technology officer at Cybeats — and someone who, like Bardenstein, has built his own AIBOM generator and worked on AIBOMs with CISA and OWASP — said the G7 guidance was “amazing” because it covers 80 to 90% of what’s needed.

“There was no baseline, but it now will put out a clear baseline,” he said.

On the downside, Bardenstein said he had concerns with how easily organizations can implement the guidance, and Raidman said it doesn’t adequately tackle the issue of runtime.

Allan Friedman, sometimes called the “godfather of SBOMs,” said the guidance was a good document, but probably mislabeled because it states that the elements it identifies are not mandatory.

“This document is laying out sets of types of data that could be useful,” said Friedman, who worked on SBOMs in multiple U.S. government roles and is now senior technical adviser at the Institute for Security and Technology and technologist in residence at TPO Group. “And so it is a great, great piece to advance AI transparency and AI system transparency, but it lists potential elements. These aren’t the minimum elements.”

Friedman said the next steps could include mapping the guidance into what is being implemented today, and talking about aligning it with policies in the European Union and G7 governments to make sure there are minimal conflicts.

