In a novel maneuver for a disruption operation against cyber attackers, industry and law enforcement teamed up to conduct a court takedown of two widely-used criminal tools at once rather than individually, Microsoft said Tuesday.

The takedown simultaneously went after Amadey, a botnet that can serve as a malware delivery system, and StealC, an infostealer. Cybercriminals often use them in conjunction and they rely on the same infrastructure, Microsoft said.

“When multiple parts of an operation are disrupted together, attacks are harder to launch, scale, and recover from,” said Steven Masada, assistant general counsel for Microsoft’s Digital Crimes Unit. “The result: fewer disrupted services, fewer opportunities for cybercriminals to profit, and more friction when they try to rebuild. It’s no longer enough to go after threats one by one. We need to interrupt how the attacks are put together.”

Microsoft had been tracking Amadey with ESET, BitSight, Lumen and Mitsui Bussan Secure Directions. Meanwhile, Europol had been investigating StealC alongside law enforcement partners including Germany’s Federal Criminal Police Office and the Dutch and Danish National Police as well as IBM X-Force and Proofpoint.

They then joined forces and turned to the Racketeer Influenced and Corrupt Organizations (RICO) Act, used to help authorities go after organized crime, to disrupt more than 200 command-and-control servers. Microsoft said it gained insights from its artificial intelligence product Copilot that “allowed the legal team to treat both malware families as part of a single criminal conspiracy.”

Microsoft regularly leads court-authorized disruption operations, but the industry and law enforcement partnerships combined with AI to expand data collection and identify connections beyond what one company could normally do, it said.

Amadey and StealC were linked to more than 140,000 infected computers around the globe in the first week of May alone, the company said. StealC has ranked among the top infostealers for years since its emergence in 2023 and sells in underground forums as a malware-as-a-service. It’s typically used by Russia-linked groups.

Amadey dates back to 2018, and is also commonly employed by Russian groups, including in attacks on Ukraine.

Their interaction shows the assembly line-like structure of modern cybercrime, Microsoft said. Even if the cybercriminals behind both tools never coordinate, their tools are designed to work together, it said.

“StealC is an infostealer that collects sensitive data from browsers, cryptocurrency wallets, messaging applications, email clients, and gaming platforms,” the company wrote in a separate blog post. “It is a malware-as-a-service (MaaS) offering that threat actors use to generate customized payloads and manage stolen data through a centralized web panel. Meanwhile, Amadey is a MaaS loader that threat actors use to deliver StealC and other malware. Modular, pay-as-you-go models like StealC and Amadey allow threat actors to use a single initial infection to quickly escalate into multiple other threats.”

The post In a first, a court takedown goes after two cybercrime tools at once appeared first on CyberScoop.

Accenture announced Thursday it would acquire a majority stake in industrial cybersecurity firm Dragos for $3.25 billion and purchase two smaller security companies outright, essentially making a $4.18 billion bet that defending the IT networks of power grids, pipelines, factories and critical infrastructure sectors will become one of the defining challenges of the AI era.

The deals — which also include two Austin, Texas-based companies, runZero and NetRise —  represent a significant strategic pivot for Accenture toward operational technology (OT) security,  a segment of the cybersecurity market that has long been underfunded relative to traditional IT defenses. The announcement comes as the consulting giant faces pressure on its core business from the same AI tools reshaping the threat environment it is now moving to address.

Dragos, founded in 2016 by former intelligence specialists and based in Hanover, Maryland, has built what the industry regards as a leader detecting threats in OT environments. Its proprietary dataset of industrial threat intelligence has made it a trusted partner to critical infrastructure operators globally.

RunZero specializes in asset discovery and attack-surface intelligence — essentially mapping what is connected to a network and identifying where it is exposed. NetRise focuses on firmware-level visibility and software supply chain security, areas that have drawn increased scrutiny since high-profile incidents revealed how deeply embedded vulnerabilities can propagate through industrial device ecosystems.

Dragos co-founder and CEO Robert M. Lee will continue leading the combined entity, which will operate as an independent business under Accenture’s ownership. The CEOs of runZero and NetRise, HD Moore and Tom Pace, respectively, along with NetRise’s chief technology officer Michael Scott, will join Dragos as senior executives.

The acquisitions are not Accenture’s first move in OT security. The company acquired Cimation in 2015 and Revolutionary Security in 2020, along with several other OT-focused firms. 

Thursday’s deal, however, is of a different scale and ambition. Where previous acquisitions built out Accenture’s services capabilities, the addition of Dragos, runZero and NetRise moves the company firmly into OT cybersecurity software, a market it had not previously entered at scale.

Accenture and Dragos describe this expanding environment — which also encompasses Internet of Things devices, cloud-connected sensors and related IT infrastructure — as “xOT.” The concern is that as AI is integrated into industrial decision-making, the attack surface grows. At the same time, adversaries are using AI to shorten the window between compromising an IT network and pivoting to OT systems underneath it.

Despite that convergence, most cybersecurity budgets remain concentrated on traditional IT, leaving critical infrastructure comparatively exposed. The OT cybersecurity services market is estimated at roughly $7 billion in 2026. The broader OT cybersecurity market, which includes software, is estimated at $27 billion this year and projected to reach nearly $59 billion by 2031, growing at approximately 16% annually.

“Our energy and water systems, manufacturing plants, data centers and other operational environments need cybersecurity built from the ground up for xOT and designed to keep pace as threats evolve. The consequences of getting it wrong become societal threats,” Lee said in a release. “Organizations need solutions, not a patchwork of software and services. The addition of runZero and NetRise will allow the Dragos Platform to be a unique end-to-end platform for global defense, and Accenture will bring its decades of trusted relationships and deep expertise to help us scale and secure more critical infrastructure and physical operations globally.”

The transactions are expected to close in August or September, pending customary regulatory approvals.

The post Accenture shells out $4.18B on three companies in big industrial cybersecurity push appeared first on CyberScoop.

House Democrats criticized a draft Republican Department of Homeland Security spending bill Thursday that they said would cut funding for the Cybersecurity and Infrastructure Security Agency by $250 million.

Republicans said the bill provides $2.4 billion for CISA, and that among its focuses are “improving cybersecurity resilience,” in the words of House Appropriations Chairman Tom Cole, R-Okla.

But Democrats decried it as a funding reduction. The panel’s subcommittee on homeland security is set to vote on the bill Friday.

The fiscal 2027 funding measure “dramatically cuts funding for cybersecurity and infrastructure protection despite an increasing number of sophisticated attacks from foreign adversaries against U.S. businesses, health care systems, utilities, schools, and state and local governments,” Democrats said in a fact sheet.

They also said it limits DHS’s ability to counter foreign propaganda seeking to undermine U.S. democracy, and to protect states against foreign groups during the elections.

The second Trump administration has sought deep cuts in CISA’s personnel numbers and budget in both fiscal 2026 and 2027, drawing concerns from both sides of the aisle.

Congress last year sought to implement some, but not all, of Trump’s proposed cuts for the agency, advancing legislation to set its budget at $2.6 billion.

In their fact sheet, Republicans said they were reallocating $100 million from past appropriations to fund CISA’s core missions.

They acknowledged some cutbacks, saying that the bill “Includes strategic reductions to redundant, unauthorized, or duplicative contracts, positions, and programs.”

Despite the cutbacks at CISA over the last year and a half, officials have talked about wanting to hire additional personnel. The fiscal 2027 bill includes “$31 million to hire mission critical positions to counter threats from foreign adversaries, such as China,” according to the GOP.

The GOP also highlighted other cyber funds in the DHS bill. DHS’s management director would get $11.3 million for “enhanced cybersecurity protections,” while the Homeland Security Investigations division of Immigration and Customs Enforcement would get $5 million for the Cyber Crime Center.

Neither panel Republicans nor Democrats responded to requests for comment seeking more detailed numbers for the fiscal 2027 bill.

The post Hill Dems hammer GOP for $250M CISA budget cut appeared first on CyberScoop.

Department of Homeland Security Secretary Markwayne Mullin told Congress Wednesday that the Cybersecurity and Infrastructure Security Agency would ideally have 2,800 personnel, up from approximately 2,200 now and down from 3,400 before the second Trump administration began.

President Donald Trump has pushed to dramatically reduce personnel numbers at the agency, something that has drawn criticism from both Democrats and Republicans on the Hill. Trump has proposed hundreds of millions more in cuts for fiscal 2027.

House Homeland Security Committee Chairman Andrew Garbarino, R-N.Y., asked Mullin at a hearing Wednesday about further proposed CISA budget cuts, saying he was “concerned” about personnel numbers and funding for education programs and whether the fiscal 2027 blueprint would “negatively impact those efforts.”

Mullin said DHS funding lapses have made the department rethink CISA, although the deep CISA personnel reductions predate the recent spate of government shutdowns. 

“We had to readjust the way we’re looking at CISA and better lean on public partnerships,” he said. The agency can work well with 2,800 people “If we can actually have the partnerships we need with states and be able to use the grants, the monies that [we] saved with CISA to be able to invest with local and state municipalities. … We’re not going to fail on the mission we have in front of us.”

CISA personnel figures are in a constant state of flux. The CISA staff figure of 2,200 Mullin gave is down even from December. In March, acting director Nick Andersen said CISA was looking to hire 300 people.

There’s been no proposal from the Trump administration to-date to take funds formerly allocated to CISA and shift them to state governments for cybersecurity. State officials have said CISA budget cuts have made their jobs harder, and most experts have said the Trump administration’s approach to shift cyber responsibilities to states is badly misguided.

Congress has yet to permanently reauthorize the State and Local Cybersecurity Grant Program that expired last year before it got a temporary extension and is due to expire again in September.

CISA has gone without a Senate-confirmed director for the entirety of the second Trump administration. Mullin said “we’ve got a person soon to be nominated that will be running CISA that has the ability to recruit and focus on the authorities we have.”

Mullin said CISA has “unique” authorities that haven’t “been completely utilized.” 

“We want CISA to be the leader in cybersecurity,” he said. “They should be and they will be.”

A House Appropriations subcommittee is set to consider a DHS funding bill Friday.

The post DHS Secretary Markwayne Mullin pinpoints optimal CISA staffing levels appeared first on CyberScoop.

Sean Plankey, most recently the nominee for director of the Cybersecurity and Infrastructure Security Agency, is joining defense technology company UFORCE as its U.S. chief executive officer.

The London-based company created out of nine Ukrainian-based firms announced Plankey’s move Monday less than a month after he withdrew his nomination amid difficulties overcoming objections from senators who had placed a hold on it.

Plankey’s a cyber veteran of the first Trump administration but also had been serving as senior adviser on the Coast Guard at the Homeland Security Department, retiring from the Coast Guard this year.

UFORCE makes combat drones for air, land and sea and plans to have its first U.S.-made unmanned surface vessels hitting the water by this summer. The startup reportedly brought its valuation to $1 billion earlier this year.

“The United States and its allies are looking for defense technology partners that can move

quickly, innovate continuously and deliver systems already proven across theaters of combat,” Plankey said in a statement. “UFORCE is uniquely positioned to meet that demand and we will do that by manufacturing these capabilities in America.”

Said Oleg Rogynskyy, co-founder and CEO of UFORCE: “Sean’s decision to join UFORCE reflects the strength of our platform and the growing recognition that the future of autonomous defense will be shaped by companies able to combine real combat validation with scalable Western deployment,” 

CISA has gone without a permanent director for the entirety of the second Trump administration, and the president has yet to put forward a nominee for the position since Plankey’s withdrawal last month.

Former Oklahoma senator Markwayne Mullin took over as DHS secretary in late March.

The post Former CISA nominee Sean Plankey named US CEO of defense startup appeared first on CyberScoop.

Sean Plankey, the long-sidelined nominee to lead the Cybersecurity and Infrastructure Security Agency, asked President Donald Trump on Wednesday to withdraw his nomination.

“At this point in time, I am asking the President to remove my nomination from consideration,” he said in a notification letter seen by CyberScoop. “After thirteen months since my initial nomination, it has become clear that the Senate will not confirm me.”

Plankey’s request comes weeks after the Senate confirmed MarkWayne Mullin to lead the Department of Homeland Security, CISA’s parent agency.

“The Nation and Department of Homeland Security Secretary MarkWayne Mullin requires a confirmed director of CISA without further delay,” Plankey wrote, adding thanks to Trump himself. “While I humbly request the removal of my nomination, I wholeheartedly support President Trump’s upcoming nomination for CISA and look forward to the continued success of the United States of America.”

Plankey’s nomination was considered dead by most at the end of last year. His renomination this year caught many by surprise, with CBS reporting the paperwork filing was an accident. The White House denied that.

Numerous senators had placed holds on his nomination, including GOP senators who held him up over matters unrelated to cybersecurity. Most prominently, Sen. Rick Scott, R-Fla, had placed a hold on his nomination over a Coast Guard contract with a Florida company that DHS had partially canceled.

Plankey had been serving as an adviser to then-DHS Secretary Kristi Noem on Coast Guard matters. He retired from the Coast Guard last month.

While Plankey awaited confirmation, Bridget Bean, then Madhu Gottumukkala, served as acting director. Gottumukkala recently left the position for another at DHS amid widespread complaints about his leadership. Nick Andersen is currently serving as acting director.

Plankey told CyberScoop he had discussed withdrawing his nomination with Mullin. He said he has a “positive relationship” with Mullin and supported his leadership of DHS. And Plankey called Andersen “one of the most competent cybersecurity people in the country.”

Politico first reported Plankey’s withdrawal request. The White House and CISA did not respond to an official request for comment. When asked for a comment, a DHS spokesperson said the department doesn’t comment on personnel matters.

Plankey’s plans leave the agency with yet more upheaval. Trump has dramatically cut personnel and budget at CISA, with many top officials pushed out or otherwise departing. He has proposed deeper budget cuts still for fiscal year 2027.

Updated 4/22/26: to include DHS response.

The post CISA director pick Sean Plankey withdraws his nomination appeared first on CyberScoop.

Congress is grappling with renewal of a surveillance law set to expire at the end of this month that critics say is a mystery on how much of a difference it has made for controversial government spying authorities — for better or worse.

The 2024 law reauthorized so-called Section 702 powers of the Foreign Intelligence Surveillance Act (FISA), which authorizes warrantless surveillance of electronic communications of foreign targets. Most controversially, the law allows U.S. officials to search (“query”) those communications databases using Americans’ personal information, as long as the American is  in contact with someone overseas, which raises significant privacy concerns.

Backers of the 2024 law, known as the Reforming Intelligence and Securing America Act (RISAA), point to 56 changes it made to deal with criticisms of Section 702, following a period where abuses came to light, including hundreds of thousands of improper searches. At the same time, the law made changes that some feared could actually expand Section 702 powers.

The House voted to extend the law as-is for 10 days early Friday. The Senate then did the same. The Trump administration has sought a 180-day “clean” reauthorization.

As Congress weighs potential extensions of the 2024 law without making changes to it, “I don’t think we know” what good has come of it, said Elizabeth Goitein, senior director of the Brennan Center for Justice’s liberty and national security program. By the same token, it’s difficult to know whether some of the expansion fears have come to fruition, she said: “We don’t have reliable information on this.”

Added Jake Laperruque of the Center for Democracy and Technology: “There’s a lot of black boxes here.”

Examining Past Changes

Both Goitein and Laperruque are skeptical of any positive change from RISAA, though, and have long advocated for a warrant requirement for U.S. person searches. Intelligence agencies have resisted that addition, claiming that it would dramatically slow down time-sensitive national security investigations.

By contrast, Glenn Gerstell, former general counsel at the National Security Agency, said RISAA constituted “the most significant set of reforms to the statute since its adoption in 2008.” and that “those reforms have had a dramatic effect.” 

One major point of dispute is to what degree the number of U.S. person searches dropped, particularly because of a conclusion in last year’s Justice Department inspector general report finding that an “advanced filtering tool generated queries that were not tracked by the FBI.” 

As the report outlines, an FBI system has an “‘advanced filter function’ that allows users to select a specific FBI casefile number or ‘facility’ (e.g., a phone number or email address), using a drop-down menu or search bar, to review communications with targeted facilities.

“This functionality enables users to select from lists of ‘participants’ in communication with targeted facilities and review communications of those participants.In or around August 2024,” the report continues. The National Security Division of the Justice Department “became aware of the participants filter function in [the system] and was concerned that searches conducted through use of the participants filter constituted separate queries that must satisfy the query standard and comply with all query procedural requirements.”

By the intelligence community’s count, the number of U.S. person searches has otherwise mostly declined even going back to before the 2024 law’s passage: 119,383 in 2022, 57,094 in 2023, 5,518 in 2024 and 7,413 in 2025.

“It is quite clear that the searches that were run using this filter function met the statutory definition of queries, and yet the FBI for some significant period of time decided to not count them as queries,” Goitein said.

Laperruque, deputy director of CDT’s security and surveillance project, said an audit mandate in the 2024 law was potentially useful, but hasn’t proven to be in reality.

“At least it should mean that it should help try to detect abuse if it is happening,” he said. “The problem there, though, is you’re still relying on the FBI to properly log all of its quarries and hand them over for DOJ to be checked, which hasn’t happened. You’re trusting DOJ and the executive to engage in self-policing, and that’s something where folks rightfully have a lot of skepticism based on how DOJ has conducted itself recently.”

Gerstell, a senior adviser at the Center for Strategic and International Studies, points to numerous reviews — including a staff report from the Privacy and Civil Liberties Oversight Board (PCLOB) — that indicate a drop in U.S. person searches. It’s the biggest change of RISAA, he said.

“The most significant one is a very substantial drop in the number of queries of the database for U.S. person information, which has been a big focus for privacy advocates, and there’s been a dramatic drop, so much so that both the Inspector General for the Department of Justice and the staff of the PCLOB have said, ‘I wonder if we’re overdoing it.’ … Every single one of them presents those numbers, without caveat.”

On the advanced filter function count, Gerstell acknowledged the ambiguity, but referred to reports that said, as he summarized, “If they had been considered queries, it appears that most would have been compliant anyway… because they were a subset of something that was already compliant. But we don’t know if any of them were noncompliant, and we don’t have the data.”

On the other side of the RISAA debate, critics argued that its revised definition of “electronic communications service provider” could dramatically expand surveillance to include businesses like coffee shops or landlords. The reported, but formally undisclosed, real target of the change was data centers.

“That was a pretty big expansion with a lot of potential abuse,” Laperruque said. But “we don’t really know much about how it’s changed” anything, he said.

Virginia Sen. Mark Warner, the top Democrat on the Intelligence Committee, sought to advance clarifying language about that subject after RISAA’s passage, and the Biden administration said it would confine the provision’s use to the kind of undisclosed businesses that prompted the provision in the first place. Laperreque noted that the Trump administration has made no such promises, and Warner’s clarifying language never became law.

The Foreign Intelligence Surveillance Court (FISC) has issued its annual opinion re-certifying the Section 702 program for another year. However, the court reportedly took issue with the program’s f filtering systems, saying that when such a system is used to look for information on Americans it must be counted as a query, subjecting it to additional restrictions. The Trump administration plans to appeal the ruling.

Other critiques of the 2024 law include that many of its biggest changes weren’t changes at all, but instead codifications of changes that then-FBI Director Christopher Wray had implemented. Abuses continued after those changes, Goitein said.

Gerstell said enshrining those changes into law wasn’t a bad thing. “The statute expressly codified some but not all of Wray reforms — and some went beyond that in many ways,” he said. Those changes included requiring FBI deputy director approval of U.S. person queries that target elected officials, government appointees, political candidates or organizations, or media. Those were some of the more criticized prior targeting abuses.

The fight still ahead

Republicans remain divided over extending the law. Some who had reservations about a clean reauthorization have come on board, such as Senate Judiciary Chairman Chuck Grassley, R-Iowa, who had taken issue with limitations on congressional attendance of FISC proceedings but since has had that concern resolved.

Others may have been swayed by direct lobbying from the Trump administration, including a social media post from Trump himself this week, where he wrote, “I am willing to risk the giving up of my Rights and Privileges as a Citizen for our Great Military and Country!” Still others have had their position against a clean extension hardened by the FISC court opinion and additional concerns.

Other issues have become enmeshed in the reauthorization debate, such as calls to block government agencies from purchasing information from data brokers. But “this has nothing to do with this authority,” said George Barnes, former deputy director of the NSA. 

But lawmakers of both parties have complained for months that the administration was silent for too long as the law’s expiration loomed.

Only recently did the Trump administration share new examples of the law’s successes, including that it had thwarted a 2024 terrorist attack on a Taylor Swift concert. Barnes said releasing such examples might offer a public case for the law, but has its downsides, too.

“I was always understanding but frustrated by the need to release examples just because they choreographed to the adversary what we could do,” said Barnes, now Red Cell’s cyber practice president. 

Reauthorizing Section 702 is urgent, though, for cybersecurity purposes, he said.

“A lot of the impact that I saw the authority having over my time was in cybersecurity as well,” he said. “And so when you have foreign entities that are targeting the U.S., or U.S. interests overseas, that authority can be positioned to help eliminate those activities.”

The post The surveillance law Congress can’t quit — and can’t explain appeared first on CyberScoop.

Cybercrime remains a booming business. 

Annual cybercrime losses amounted to almost $20.9 billion last year, reflecting a 26% increase from 2024, the FBI’s Internet Crime Complaint Center (IC3) said in its annual report Tuesday.

The comprehensive study exposes a worsening digital crime environment that is driving financial losses, with momentum moving in the wrong direction and compounding at an alarming rate. Annual cybercrime losses have jumped almost 400% from $4.2 billion in 2020, and cumulative losses in that five-year period surpassed $71.3 billion.

The FBI’s IC3, which formed as the country’s central hub for cybercrime reporting in 2000, is busier than ever. “We now average almost 3,000 complaints per day,” Jose Perez, the FBI’s operations director for its criminal and cyber branch, wrote in the report. 

The annual internet crime report highlights growing and sustaining trends. Yet, the scope of the study is limited and relies entirely on cybercrime incidents submitted to the FBI. 

The full impact of cybercrime remains murky, as an unknown number of victims suffer in the shadows and never report the crimes they endure.

The FBI received more than 1 million complaints last year, with victims aged over 60 reporting the largest amount of crimes that also resulted in the greatest amount of total losses by age group. Victims at least 60 years old filed 201,000 complaints with losses totaling nearly $7.75 billion, or about 37% of all cybercrime-related losses last year.

Investment-related fraud remained the largest component of cybercrime losses in 2025, reaching almost $8.65 billion. Business email compromise took the No. 2 spot with almost $3.05 billion in losses, followed by tech support scams at more than $2.1 billion. 

Cryptocurrency was the primary conduit for fraud linked to investment and tech support scams last year, while wire transfers composed the bulk of fraud resulting from business email compromise, according to the report.

Phishing was the most commonly reported type of cybercrime last year, followed by extortion, investment scams and personal data breaches. The FBI tallied losses amounting to $122.5 million from extortion and $32.3 million from ransomware last year.

The FBI also received more than 75,000 reports of sextortion last year, including more than 5,700 submissions that were referred to the National Center for Missing and Exploited Children.

The top five cyber threats reported to IC3 in 2025 included data breaches at 39%, ransomware at 36%, SIM swapping at 10%, malware at 9% and botnets at 7%. 

The FBI received more than 3,600 complaints reporting ransomware last year. The five most reported variants included Akira, Qilin, INC, BianLian and Play.

Each of the 16 critical infrastructure sectors reported ransomware attacks last year, and the most heavily targeted included health care, manufacturing, financial services, government and IT.

The IC3 primarily receives complaints from U.S. residents and businesses, but it also received complaints from more than 200 countries last year, which accounted for nearly $1.6 billion in total losses. 

While losses and the sheer amount of cybercrime continued to climb last year, “the FBI continues to disrupt and deter malicious cyber actors — and shift the cost from victims to our adversaries,” Perez wrote in the report.

“It has never been more important to be diligent with your cybersecurity, social media footprint, and electronic interactions,” he added. “Cyber threats and cyber-enabled crime will continue to evolve as the world embraces emerging technologies such as artificial intelligence.”

The post Cybercrime losses jumped 26% to $20.9 billion in 2025 appeared first on CyberScoop.

President Donald Trump’s fiscal 2027 budget would slash the Cybersecurity and Infrastructure Security Agency’s total by $707 million, according to a summary released Friday, which would deeply chop down an agency that already took a big hit in Trump’s first year.

Another budget document suggests a smaller — but still substantial — hit of $361 million, with the discrepancy possibly due to the comparison points amid budget uncertainty for CISA’s parent agency, the Department of Homeland Security. DHS and CISA did not immediately respond to a request for clarification.

“At the time the Budget was prepared, the 2026 appropriations bill for the Department of Homeland Security was not enacted, and funding provided by the last continuing resolution it had been operating under (Continuing Appropriations Act, 2026, division A of Public Law 119-37, as amended by division H of Public Law 119-75) had lapsed,” the budget summary notes. “References to 2026 spending in the text and tables for programs and activities normally provided for in the full-year appropriations bill reflect the annualized level provided by the last continuing resolution.”

By either measurement, the proposed budget would cut deeply into an agency that started the Trump administration at roughly $3 billion, and would be substantially below that if Congress enacts the latest blueprint. The budget appendix says CISA would end up with slightly more than $2 billion in discretionary funding under Trump’s plan. For fiscal 2026, appropriators sought to mitigate some of Trump’s proposed CISA reductions.

The 2027 budget summary recycles identical language from the 2026 budget summary, and makes references to ending programs that CISA has already shuttered.

“The Budget refocuses CISA on its core mission — Federal network defense and enhancing the security and resilience of critical infrastructure — while eliminating weaponization and waste,” the summary states in both the 2026 and 2027 documents.

It makes references to getting rid of things that have already been cut, like “external engagement offices such as council management, stakeholder engagement, and international affairs.” It talks about ending programs focused on censorship, something CISA under the Biden administration said it never had, and on “so-called” misinformation, which CISA said it ended during the former president’s term.

Mississippi Rep. Bennie Thompson, the top Democrat on the House Homeland Security Committee, criticized the budget proposal for CISA.

“Like the President’s cyber strategy, the President’s CISA budget reflects his utter lack of understanding of the urgency of the cyber threats we face and how to mobilize the government to help confront them,” he said in a statement to CyberScoop. “As of 2023, CISA was spending $2 million on countering information operations, an effort initially launched at the behest of Congressional Republicans during the first Trump Administration.

“There is nothing that justifies a reckless $700 million cut to CISA, particularly at a time of heightened tensions with Iran and an increasingly aggressive China,” he continued. “I am committed to working with my colleagues to push back against these cuts and ensure we can protect government and critical infrastructure networks.”

The post Trump budget proposal would cut hundreds of millions more from CISA appeared first on CyberScoop.

Leaked iOS spyware has some cybersecurity professionals raising urgent alarms about potential mass iPhone compromises, a development that pairs ominously with the recent discovery of two sophisticated iOS exploit kits.

At the same time, some other experts say Apple’s defensive features for iPhones remain elite. But several factors have created unprecedented circumstances: the public accessibility of a version of DarkSword, shortly after the discovery of the original version of DarkSword and the earlier discovery of a similar kit known as  Coruna, and a  growing market for iPhone exploits driven by their high value as targets.

Allan Liska, field chief information security officer at Recorded Future, said he was worried about what the leaked DarkSword version could do to “democratize” iPhone exploits.

“Right now, iPhone exploitations are among the most expensive to research/implement so they have been, largely, the realm of nation-states,” he said. “If anyone can exploit an iPhone, suddenly something that has managed to be relatively secure now is a much bigger attack surface.”

Google, iVerify and Lookout released research last week on DarkSword’s discovery, centered on Ukraine. Google also said it saw targeting in Saudi Arabia, Turkey and Malaysia. And that was before a version turned up on GitHub, a development TechCrunch first reported and Google and iVerify have analyzed. (The week before, iVerify and Google uncovered Coruna. Google declined to comment further for this story.)

“It’s extremely alarming that this leaked out on GitHub,” said Rocky Cole, co-founder of iVerify. “I would assume that it’s being used all around the world, and including here in the United States.”

Hundreds of millions of iPhones running iOS 18 could be vulnerable to DarkSword.

“I think that the top line issues here are pretty clear: people who have devices that are vulnerable should upgrade ASAP,” said Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation. “It is very likely that these vulnerabilities are being used right now to exploit vulnerable devices at scale, which is unusual for Apple products.”

The propagation problem

Coruna was concerning enough for Apple that it took the rare step of backporting security updates to still older versions of iOS, Cole said. The fear, he said, was that it might be wormable — capable of spreading from one device via text message to everyone in a phone’s contact list.

But Cole said Apple hasn’t released similar security-focused updates to iOS 18, for reasons he doesn’t know.

Apple has emphasized the patches it has issued, urged users to update their phones and touted Lockdown Mode as a defense against spyware.

“Apple devices are designed with multiple layers of security in order to protect against a wide range of potential threats, and every day Apple’s security teams around the world work tirelessly to protect users’ devices and data,” said Apple spokesperson Sarah O’Rourke. “Keeping your software up to date is the single most important thing you can do to maintain the security of your Apple products, and devices with updated software were not at risk from these reported attacks.”

IPhones’ widespread use makes them high-value targets, fueling a thriving market for exploits. Coruna and DarkSword are indicators of this growing demand. 

“It’s time for organizations to start thinking of mobile security the way they think about desktop security, which is to say everyone knows how to secure their laptop,” Cole said. And for iPhone exploit hunting in particular, “you’re starting to see people do it at a mass level.” Furthermore, the resale market is such that exploits that once were exclusive are no longer, and AI makes it even easier to customize them in the code, he said. 

DarkSword has drawn federal attention: The Cybersecurity and Infrastructure Security Agency this week added vulnerabilities that DarkSword exploits to the list that federal agencies must patch.

The number of people still using iOS 18 is large, up to 25% of all iPhones. Cole said several factors are contributing to that, such as users being leery of iOS 26’s onboard artificial intelligence or the Liquid Glass interface.

Said Galperin: “There are many reasons why people do not keep their devices up to date, so when I tell people ‘just patch your stuff’ I think it is important to realize that there are circumstances under which this is easier said than done.”

Proven defenses despite expanding risks

Despite the concerns, Cole credited iPhone for its high security standards, in particular for its app store.

For Natalia Krapiva, senior tech-legal counsel at Access Now, a key takeaway is the worrisome proliferation of commercial spyware and cyber intrusion capabilities.

“This is exactly what human rights activists and digital security researchers have been warning governments and companies about: In the absence of effective regulation for the industry, these exploits will get out and end up in the hands of adversaries like Russia, China, Iran, or, as in the case of DarkSword, leaked online for any criminal to use,” she said.

On the other hand, Apple’s Lockdown Mode and Memory Integrity Enforcement are top-notch defensive measures, Krapiva said. We’ve yet to see a Lockdown Mode-enabled iPhone being infected with spyware, she said.

“I think we’ll keep seeing more attempts to exploit both Apple and Android devices as they improve their software and hardware security,” she said. “It’s the old cat-and-mouse game.”

Adam Boynton, senior enterprise strategy manager at Jamf, said what’s happened with Coruna and DarkSword is evidence of Apple’s success.

“What’s encouraging here is that Apple’s security model works,” he said. “Coruna skips devices running the latest iOS versions and avoids those with Lockdown Mode enabled entirely. That’s a strong validation of the defences Apple has built.

“DarkSword reinforces the same principle,” he continued. “Where Coruna targeted older iOS versions, DarkSword demonstrates that even relatively current releases can be targeted by determined actors. Apple moved quickly to patch the vulnerabilities involved, and devices running the latest iOS are protected.”

The post DarkSword’s GitHub leak threatens to turn elite iPhone hacking into a tool for the masses appeared first on CyberScoop.

SAN FRANCISCO — The Trump administration’s two-week old cyber strategy that aims to promote more proactive, offensive actions while bolstering federal networks and critical infrastructure, is a significant shift that’s already materializing in meaningful ways, a group of experts said Monday at the RSAC 2026 Conference. 

Despite the federal government’s absence from the industry’s largest annual gathering, and the long-anticipated document’s brevity, representatives from a major cybersecurity vendor, consulting, venture capital and law firm were quick to defend and evangelize the administration’s strategic actions in cyberspace. 

The freshly-released strategy puts the federal government on firm footing to move beyond deterrence and into action, said David Lashway, partner and global leader of cybersecurity and national security at Sidley Austin. 

“We are going to take offensive and defensive action with the most powerful cyber capability that the world’s ever seen, and hopefully will ever know,” he said. 

This doesn’t mean, as some industry observers have suggested, that the Trump administration is pushing private companies to hack back. 

The scale and whole of government response is the key difference between the latest federal cyber strategy and what administrations have called for over the past decade, Lashway said. 

Instead of relying on private lawyers to get a nationwide injunction and collaborate with dozens of governments for massive takedowns, or government agencies collaborating with private security companies on a limited basis, the strategy aims to mobilize “the massive infrastructure and capability of the United States in a more coordinated way,” he added. 

This strategic pivot won’t achieve all of its objectives immediately, but it’s already showing signs of impact, according to Lashway. “It’s been different since they issued the strategy,” he said. “We’ve already noticed a difference.”

Wendi Whitmore, chief security intelligence officer at Palo Alto Networks, said she’s also seen more collaboration in the private sector.

“While there’s no doubt challenges related to current staffing and the dynamic environment going on with the government, I have never before seen as much action and cooperation as we are seeing today, and that’s from every government agency that we’re working with,” Whitmore said. 

“There is certainly a tremendous shift in the level of discussion that we get from the government today,” she added. “It’s a very proactive, kind of muscular dialogue that’s different from what I’ve previously seen.”

Experts said that earlier concerns about triggering backlash and worsening already fragile systems had kept the federal government from taking certain actions, but that caution is now being reconsidered.

“The government’s going to start punching people in the face,” said Jamil Jaffer, venture partner and strategic advisor at Paladin Capital Group. 

Trump administration officials have told the private sector it wants their help and they need to be well defended, he added. “If we do live in glass houses, well, everyone’s going to need to start putting more glass up.”

Jaffer expects the Trump administration to prevent and respond to intrusions aggressively and publicly. “Half the problem with deterrence today is we don’t actually practice real deterrence when it comes to the cyber domain. We don’t punch people back,” he said. 

The dynamic and proper response, to him, is akin to a child responding to a bully at school. 

“If you get hit in the face, punch them back in the face,” Jaffer said. “Do it publicly. Everyone sees it. Less people come after you.”

The post Experts insist Trump administration’s cyber strategy is already paying off appeared first on CyberScoop.