
Telecom exec: Salt Typhoon inspiring other hackers to use unconventional techniques

Hackers are increasingly adopting the techniques of the Chinese group that successfully infiltrated major telecommunications providers in attacks that made headlines last year by looking for unconventional weak spots, an AT&T executive said Monday.

AT&T was one of the major providers to fall victim to the sweeping campaign from the group, known as Salt Typhoon, but the company has since said it evicted the hackers from its networks.

“We’re seeing adversaries really change the way they’re doing things, very similar to what Salt Typhoon did,” Rich Baich, chief information security officer at AT&T, said at the Google Cloud Cyber Defense Summit.

There were three things that stood out about the way Salt Typhoon approached its campaign, he said. One was hunting for weak points in the company’s endpoint detection and response (EDR) coverage, the tooling that finds and tracks malicious activity on devices like phones, laptops and servers.

“Traditionally as practitioners, we focused on putting endpoint detection on our devices to help us provide a certain level of protection,” Baich said. “Salt Typhoon’s approach was a little bit different. They said, ‘Well, what about all the other platforms that traditionally don’t have an EDR?’ And those platforms then can be utilized in many fashions, carrying out different types of actions.”

“What we need to think about is this: Do we need to have endpoint protection elsewhere, in different platforms?” Baich added. “So that’s one: They’re going to the areas of least resistance and not spending time trying to combat traditional security controls.”

Another technique that’s growing in use since the Salt Typhoon attacks is “looking for things where we don’t have logs,” he said. Baich said attackers are “re-engineering and thinking of tradecraft techniques that allow them to circumvent known controls, and things that we may do today, but in certain parts of our networks, we may not have those things enabled.”

Lastly, Salt Typhoon and its mimics have been turning to what’s called “living off the land” attacks, where attackers rely on legitimate tools that already exist in a victim’s networks.

“Third thing that they are doing is using the actual administrative tools that we use to perform those functions, so [a lesson for potential victims is] making sure that those are locked down and you understand all the administrative tools that you have in your environment,” Baich said. “All of that is because they’re actually trying to be part of your network.”

The combination of those techniques, as well as a dedication to covering and wiping their tracks to avoid digital forensics probes, means that “we have to be much more efficient operators,” he said. “We have to think outside the box. It’s not just about just having the technology; it’s understanding how to use the technology and understanding how your technology can be used against us.”
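The three gaps Baich describes (platforms that never had an EDR agent, parts of the network where logging is not enabled, and administrative tooling that blends in) are things a defender can enumerate before an intruder does. The following is an added example, not code from the article, from AT&T or from Google Cloud: it joins a constructed asset inventory against constructed EDR check-in and log-forwarding records and ranks the hosts on which neither control would record activity. Every hostname, role, timestamp and threshold in it is hypothetical.

```python
"""Telemetry coverage audit (added example, not from the article).

Joins a constructed asset inventory against constructed EDR-enrollment and
log-forwarding inventories and lists every host an intruder could operate
on without being seen by either control, most dangerous first.
All hostnames, roles and timestamps are hypothetical.
"""
from datetime import datetime, timedelta

# Constructed asset inventory (hypothetical). Note the non-traditional
# platforms: routers, VoIP appliances and VPN gateways rarely run an agent.
ASSETS = [
    {"host": "ws-0412",      "role": "workstation", "platform": "windows"},
    {"host": "db-core-1",    "role": "database",    "platform": "linux"},
    {"host": "rtr-edge-3",   "role": "router",      "platform": "network-os"},
    {"host": "pbx-voice-1",  "role": "voip",        "platform": "appliance"},
    {"host": "jump-admin-2", "role": "jump-host",   "platform": "linux"},
    {"host": "vpn-gw-1",     "role": "vpn",         "platform": "appliance"},
]

# Constructed EDR console export: host -> last agent check-in (ISO 8601).
EDR_CHECKINS = {
    "ws-0412":      "2025-09-16T08:01:00",
    "db-core-1":    "2025-09-16T07:55:00",
    "jump-admin-2": "2025-08-01T12:00:00",  # agent installed but silent for weeks
}

# Constructed SIEM source list: hosts whose logs actually arrive.
LOG_SOURCES = {"ws-0412", "db-core-1", "rtr-edge-3"}

# Roles that give an intruder the most leverage; their gaps are ranked first.
HIGH_VALUE_ROLES = {"router", "vpn", "jump-host", "voip", "database"}

# Hypothetical time at which the audit is run (fixed so results are repeatable).
AUDIT_TIME = datetime(2025, 9, 16, 9, 0, 0)


def edr_state(host, edr_checkins, now, max_age):
    """Return 'ok', 'stale' (agent present but not reporting) or 'none'."""
    last = edr_checkins.get(host)
    if last is None:
        return "none"
    if now - datetime.fromisoformat(last) > max_age:
        return "stale"
    return "ok"


def audit(assets, edr_checkins, log_sources, now, max_age=timedelta(days=7)):
    """Return the unmonitored assets as dicts, highest priority first.

    gap is 'blind' when neither EDR nor log forwarding would record activity,
    'edr' when only the agent is missing or silent, and 'logs' when only
    forwarding is missing. A silent agent counts as missing: it gives the
    same false sense of coverage Baich warns about.
    """
    findings = []
    for asset in assets:
        host = asset["host"]
        edr = edr_state(host, edr_checkins, now, max_age)
        logged = host in log_sources
        if edr == "ok" and logged:
            continue  # fully covered; nothing to report
        if edr != "ok" and not logged:
            gap = "blind"
        elif edr != "ok":
            gap = "edr"
        else:
            gap = "logs"
        priority = (2 if gap == "blind" else 1) + (1 if asset["role"] in HIGH_VALUE_ROLES else 0)
        findings.append({"host": host, "role": asset["role"], "platform": asset["platform"],
                         "edr": edr, "logs": logged, "gap": gap, "priority": priority})
    findings.sort(key=lambda f: (-f["priority"], f["host"]))
    return findings


def run_audit(now=None):
    """Run the audit over the constructed inventories above."""
    return audit(ASSETS, EDR_CHECKINS, LOG_SOURCES, now or AUDIT_TIME)


def report(findings):
    """Render findings as fixed-width text for a ticket or review."""
    lines = [f"{'host':<14}{'role':<12}{'edr':<7}{'logs':<6}{'gap':<6}prio"]
    for f in findings:
        lines.append(f"{f['host']:<14}{f['role']:<12}{f['edr']:<7}"
                     f"{'yes' if f['logs'] else 'no':<6}{f['gap']:<6}{f['priority']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(run_audit()))
```

On the constructed data the jump host, VoIP appliance and VPN gateway come out as blind spots and the edge router as EDR-only coverage, which is the ordering a defender would want: the hosts an intruder would pick precisely because no agent runs there. In a real environment the three inputs would be exports from the CMDB, the EDR console and the SIEM source inventory, and the useful finding is usually the disagreement between them.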

Ironically, network defenders might be a victim of their own success, said Rob Joyce, the former cybersecurity director of the National Security Agency.

Defenses for the most-used technology in society today — from mobile phones to web browsers — have gotten very good, Joyce said at the same conference. Vulnerability management, patch management, threat intelligence — all have bolstered defenses, he said.

Because of that, “it just takes exploits chained together in multiple paths to get to success,” said Joyce, who now runs his own cybersecurity consulting firm.

“All of that has advanced us,” he said. “At the same time, we’ve evolved the attackers through that activity. I think by calling out some of the bad behavior, by highlighting the things that have worked or not worked, we’ve pushed people into new exploit methodology.”

The post Telecom exec: Salt Typhoon inspiring other hackers to use unconventional techniques appeared first on CyberScoop.

Senators, FBI Director Patel clash over cyber division personnel, arrests

FBI cyber division cuts under President Donald Trump will reduce personnel there by half, a top Democratic senator warned Tuesday, while FBI Director Kash Patel countered that arrests and convictions have risen under the Trump administration.

A contentious Senate Judiciary Committee hearing dominated by clashes over political violence, Patel’s leadership and accusations about the politicization of the bureau nonetheless saw senators probing the FBI’s performance on cybersecurity.

“My office received information that cuts to the bureau’s cyber division will cut personnel by half despite the ever-increasing threat posed by adverse foreign actors,” said Illinois Sen. Dick Durbin, the top Democrat on the panel. The Trump administration has proposed a $500 million cut for the FBI in fiscal 2026.

Sen. Alex Padilla, D-Calif., said that as the FBI has shifted personnel toward immigration and politically motivated investigations like the Tesla task force, it has undercut other missions. “It has an impact on other priorities, like nation-state threats and ransomware investigations,” he said.

Padilla was one of several Senate Democrats, like Cory Booker of New Jersey and Mazie Hirono of Hawaii, who said the FBI’s cyber mission was suffering because its personnel were being directed elsewhere.

Patel told Hirono that the FBI’s cyber branch was one of the bureau’s “most impressive” units, and that it had made 409 arrests, a 42% increase compared to the same period last year, and garnered 169 convictions.

As Padilla questioned him about the FBI’s mission to protect against election interference and the Justice Department ending the Foreign Influence Task Force, Patel answered that the FBI did not “in any way divert or reallocate resources from that critical mission set.” He said it was still working on it through its cyber programs, which had seen a “40, 50, 60%” increase in arrests in cyber threat cases involving critical infrastructure and interference with elections.

Patel said he hadn’t shifted any resources away from any critical missions like terrorism toward things like Tesla vandalism or sending federal personnel to cities like Washington, D.C. “They never left their primary job,” he said. “It is a surge in law enforcement.”

Hirono asked Patel to say who had replaced top officials who had exited the cyber division, but he said only that they were “supremely qualified individuals” and wouldn’t give their names “so you can attack them.” Hirono replied, “you don’t know” when he wouldn’t say who they were.

More broadly, Patel said the FBI was taking the fight to Chinese threat groups like Salt Typhoon and Volt Typhoon, and going after ransomware and malware attackers.

Sen. Amy Klobuchar, D-Minn., said she was concerned about a rise in artificial intelligence-generated election interference, including materials directed at her. Patel said the FBI was looking into it, but that the culprits appeared to be “loose groups overseas, without any central cluster.”

The post Senators, FBI Director Patel clash over cyber division personnel, arrests appeared first on CyberScoop.

China’s ‘Typhoons’ changing the way FBI hunts sophisticated threats

Major cyber intrusions by the Chinese hacking groups known as Salt Typhoon and Volt Typhoon have forced the FBI to change its methods of hunting sophisticated threats, a top FBI cyber official said Wednesday.

U.S. officials, allied governments and threat researchers have identified Salt Typhoon as the group behind the massive telecommunications hack revealed last fall, an intrusion that may have been ongoing for years. Investigators have pointed at Volt Typhoon as a group that has infiltrated critical infrastructure so that it could cause disruptions in the United States if China invades Taiwan and Americans intervene.

Those hacks were stealthier than in the past, and more patient, said Jason Bilnoski, deputy assistant director of the FBI’s cyber division. The Typhoons have focused on persistent access and gotten better at hiding their infiltration by using “living off the land” techniques that involve using legitimate tools within systems to camouflage their efforts, he said. That in turn has complicated FBI efforts to share indicators of compromise (IOCs).

“We’re having to now hunt as if they’re already on the network, and we’re hunting in ways we hadn’t before,” he said at the Billington Cybersecurity Summit. “They’re not dropping tools and malware that we used to see, and perhaps there’s not a lot of IOCs that we’d be able to share in certain situations.”

The hackers used to be “noisy,” with an emphasis on hitting a target quickly, stealing data and then escaping, Bilnoski said. But now for nation-backed attackers, “we’re watching exponential leaps” in tactics, techniques and procedures, he said.

Jermaine Roebuck, associate director for threat hunting at the Cybersecurity and Infrastructure Security Agency, said his agency is also seeing those kinds of changes in the level of stealth from sophisticated hackers, in addition to “a significant change” in their intentions and targeting.

“We saw a lot of espionage over the last several years, but here lately, there’s been a decided shift into computer network attack, prepositioning or disruption in terms of capabilities,” he said at the same conference.

The targeting has changed as organizations, including government agencies, have shifted to the cloud. “Well, guess what?” he asked. “The actors are going toward the cloud” in response.

They’ve also focused on “edge devices,” like devices that supply virtual private network connections or other services provided by managed service providers, Roebuck said. Organizations have less insight into the attacks those devices and providers are facing than more direct intrusions, he said.

The post China’s ‘Typhoons’ changing the way FBI hunts sophisticated threats appeared first on CyberScoop.

FBI cyber cop: Salt Typhoon pwned ‘nearly every American’

Jessica Lyons reports: China’s Salt Typhoon cyberspies hoovered up information belonging to millions of people in the United States over the course of the years-long intrusion into telecommunications networks, according to a top FBI cyber official. “There’s a good chance this espionage campaign has stolen information from nearly every American,” Michael Machtinger, deputy assistant director...


Top FBI official says Chinese reliance on domestic firms for hacking is a weakness

China’s reliance on domestic technology companies to carry out large-scale hacking operations—as highlighted by the U.S. government and its allies this week—is a weakness that poses risks for Beijing, a top FBI official told CyberScoop.

Cyber agencies from around the world published an alert Wednesday about what officials have described as an indiscriminate cyberespionage campaign from Chinese Communist Party-backed hackers like the group known as Salt Typhoon. The alert also named three Chinese companies that it says have assisted that hacking.

“These enabling companies, they failed,” Jason Bilnoski, deputy assistant director in the FBI’s cyber division, told CyberScoop. “This investigation, and that of our partners, are exposing that the use of these enabling companies by the CCP is a failure.”

The lack of control China has over what those companies do precisely created an opening for investigators, Bilnoski said.

“They have this unregulated system of using these enabling companies, and it does create a risk between CCP-sanctioned actions and the mistakes by these enabling private companies that they are utilizing,” he said.

The alert about the hacking campaign tracks activity from Salt Typhoon and other Chinese government-linked groups dating back to 2021, which it says Chinese entities have also assisted.

“These companies provide cyber-related products and services to China’s intelligence services, including multiple units in the People’s Liberation Army and Ministry of State Security,” the alert states. “The data stolen through this activity against foreign telecommunications and Internet service providers (ISPs), as well as intrusions in the lodging and transportation sectors, ultimately can provide Chinese intelligence services with the capability to identify and track their targets’ communications and movements around the world.”

One of the named companies, Sichuan Juxinhe Network Technology, is already the subject of U.S. sanctions. That firm has not responded publicly to the U.S. accusations to date, nor apparently have the other two. The Chinese government routinely denies backing hacking activities.

Under a series of laws that China passed dating back to 2014, the government has imposed obligations on companies that do business domestically on the handling of sensitive data, among other rules.

“Historically, the CCP has used shell companies like those listed here in the [advisory] to conduct this nefarious activity, and no doubt they will continue to do so,” Bilnoski said. “But we’re going to continue after them. We have a long memory, so if it’s today, tomorrow, we’re going to continue to identify, uncover and expose their activities.”

Defending networks can’t just be the role of the government, though, he said — thus the alert that went beyond warnings to the telecommunications companies that Salt Typhoon made headlines by hacking.

The timing of the alert was simple, he said: As the FBI and its partners conducted their investigations, responded to the attacks and assisted victims, they released it as soon as it was ready to go.

“It’s important that we understand that it doesn’t matter if you’re Fortune 500, small business — we should not and we cannot assume that our systems are secure,” Bilnoski said. “We need the American people, we need our partners around the world to take action here, not just with Salt Typhoon, but with all the indiscriminate actions that the CCP has been undertaking over the last few years.”

The post Top FBI official says Chinese reliance on domestic firms for hacking is a weakness appeared first on CyberScoop.

Salt Typhoon hacking campaign goes beyond previously disclosed targets, world cyber agencies say

A notorious Chinese hacking campaign against telecommunications companies has now reached into a variety of additional sectors across the globe, including government, transportation, lodging and military targets, according to an alert U.S. and world cybersecurity agencies published Wednesday.

The alert is an effort to give technical details to potential victims of the campaign from the People’s Republic of China-backed group commonly known as Salt Typhoon, the alleged culprit behind what has been called the most serious telecom breach in U.S. history. Those intrusions, which may have begun years ago, first came to light last fall, accompanied by revelations that the hackers targeted U.S. presidential candidates.

“By exposing the tactics used by PRC state-sponsored actors and providing actionable guidance, we are helping organizations strengthen their defenses and protect the systems that underpin our national and economic security,” Madhu Gottumukkala, acting director of the Cybersecurity and Infrastructure Security Agency, said in a news release.

In comments to The Wall Street Journal and Washington Post on Wednesday, the FBI said the scope of the Salt Typhoon campaign includes hitting more than 80 countries and 200 American organizations, beyond the previous nine identified telecom company victims.

The alert also names Chinese companies identified as being part of the campaign. Its recommendations include patching known vulnerabilities that have been actively exploited and securing “edge” devices that the hackers have used to get into networks, such as routers. 

Government agencies participating in the alert hailed from Australia, Canada, Czech Republic, Finland, Germany, Italy, the Netherlands, New Zealand, Poland, Spain and the United Kingdom. U.S. agencies besides the FBI and CISA that collaborated on it included the National Security Agency and the Department of Defense’s Cyber Crime Center.

“The advisory outlines how Chinese state-sponsored actors are exploiting vulnerabilities in routers used by telecommunications providers and other infrastructure operators,” according to the news release. “These actors often take steps to evade detection and maintain persistent access, particularly across telecommunications, transportation, lodging, and military networks.”

Telecommunications networks are a valuable target for hackers because they can serve as a hub into other communications. But targeting the other sectors mentioned in the alert can round out the intel profile for the attackers, said John Hultquist, chief analyst at Google Threat Intelligence Group.

“In addition to targeting telecommunications, reported targeting of hospitality and transportation by this actor could be used to closely surveil individuals,” he said in a written statement. “Information from these sectors can be used to develop a full picture of who someone is talking to, where they are, and where they are going.”

The post Salt Typhoon hacking campaign goes beyond previously disclosed targets, world cyber agencies say appeared first on CyberScoop.

New National Cyber Director Cairncross faces challenges on policy, bureaucracy, threats

Sean Cairncross took his post this week as national cyber director at what many agree is a “pivotal” time for the office, giving him a chance to shape its future role in the bureaucracy, tackle difficult policy issues, shore up industry relations and take on key threats.

The former White House official, Republican National Committee leader and head of a federal foreign aid agency became just the third Senate-confirmed national cyber director at an office (ONCD) that’s only four years old. He’s the first person President Donald Trump has assigned to the position after the legislation establishing it became law at the end of his first term.

Two people — House Homeland Security Chairman Andrew Garbarino, R-N.Y., and Adam Meyers, senior vice president of counter adversary operations at CrowdStrike — specifically used the word “pivotal” to describe this moment for Cairncross and his office, while others said as much in other ways.

“It’s a new organization, and with any new organization, you’ve got to build up the muscle memory of how ONCD fits into the interagency process and what it means to set a unified national cybersecurity agenda, the language the director was using in his nomination hearing,” Nicholas Leiserson, a former assistant national cyber director under President Joe Biden who worked on the legislation to create the office as a Hill staffer, told CyberScoop. “We need to make sure that ONCD is the center of the policymaking apparatus. … That is going to be critical to his success.”

Brian Harrell, a former infrastructure protection official at the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency in Trump’s first term, said that with personnel reductions at CISA and change elsewhere, Cairncross has a big opportunity.

“ONCD must be seen as the air traffic controller on all things cyber moving forward,” he said via email. “Given the agency rebuild happening at CISA, and new leadership at FBI and NSA cyber, now is the time to build influence and patch struggling relationships. Add to this, a private sector that is unsure where to turn to during a crisis … Sean must be seen as a convener and facilitator to get the President the right information to make key decisions.”

On the policy front, Leiserson, now senior vice president for policy at the Institute for Security and Technology, said Cairncross has a great opportunity to work through the thicket of federal cybersecurity regulations and disentangle them in a harmonization effort that began under Biden and has bipartisan support. Some seasoned staffers who worked on the issue then remain in the federal government, Leiserson said.

Garbarino also brought up harmonization in a written statement as an issue he wants to see Cairncross address, along with leading the charge renewing the 2015 threat data sharing law known as the Cybersecurity Information Sharing Act, set to expire next month. Jason Oxman, president of the Information Technology Industry Council, said in a press release congratulating Cairncross that renewal of that law was “essential to help ONCD achieve its cybersecurity mission.”

USTelecom President and CEO Jonathan Spalter said enhancing the government’s relationship with the private sector, a subject Cairncross brought up in his confirmation hearing, was also vital. Dave DeWalt, CEO of NightDragon, a venture capital and advisory firm, said of Cairncross in a statement to CyberScoop: “I know that under his leadership, public-private partnership will continue to strengthen and secure our future.”

Those policy challenges, as well as the challenges of strengthening the national cyber director’s standing within the federal government and fortifying the public-private partnership, go hand-in-hand with the threats Cairncross will have to confront.

“The mission of the Office of the National Cyber Director has never been more critical: advancing a unified, strategic, and forward-leaning approach to the cyber threats facing our increasingly digital society,” Frank Cilluffo, director of the McCrary Institute for Cyber and Critical Infrastructure Security at Auburn University and a former member of the Cyberspace Solarium Commission that recommended that Congress create the office, said in a written statement.

Leiserson said threats like the Chinese hackers known as Salt Typhoon penetrating telecommunications networks surely would be at the forefront of Cairncross’s concerns — a threat Cairncross brought up at his confirmation hearing. Harrell mentioned the looming possibility of a Chinese attack on Taiwan.

Oxman raised the threats to U.S. critical infrastructure and the supply chain. CrowdStrike’s Meyers, in a statement to CyberScoop, said the pivotal moment of Cairncross’s confirmation comes as “threat actors weaponize AI and the threat landscape continues to evolve at machine speed.”

Cairncross comes into the job with far less cybersecurity experience than many who have held federal cyber leadership posts. And he comes in with other potential disadvantages, too. At his nomination hearing, Sen. Elissa Slotkin, D-Mich., pointed to deep budget cuts at CISA, telling Cairncross that “you will oversee the single biggest cut in federal cybersecurity dollars.”

But Leiserson said it was encouraging that Trump’s fiscal 2026 budget proposal would keep funding for the Office of the National Cyber Director pretty level.

There are other reasons to be optimistic about the view from federal leaders on the office, too, some pointed out. Cilluffo noted that the 59-35 vote for Cairncross in the Senate suggested some bipartisan support. Leiserson observed that Cairncross was one of the few nominees to escape the nominee backlog in the Senate before lawmakers went on recess.

As for his relative lack of cyber experience, Cairncross has talked about surrounding himself with the right people, Leiserson said.

“You want the unicorns who are incredibly politically astute and who have very deep cyber knowledge,” he said. “These people are hard to come by. We’ve had real cyber experts on the job. Now we’ve got someone who … is going to have an easy time navigating the West Wing. That is a skill set that is vital for running a White House organization, and shouldn’t be discounted.”

The post New National Cyber Director Cairncross faces challenges on policy, bureaucracy, threats appeared first on CyberScoop.

Feds still trying to crack Volt Typhoon hackers’ intentions, goals

Federal analysts are still sizing up what the Chinese hackers known as Volt Typhoon, who penetrated U.S. critical infrastructure to maintain access within those networks, might have intended by setting up shop there, a Cybersecurity and Infrastructure Security Agency official said Thursday.

“We still don’t actually know what the result of that is going to be,” said Steve Casapulla, acting chief strategy officer at CISA. “They are in those systems. They are in those systems on the island of Guam, as has been talked about publicly. So what [are] the resulting impacts going to be from a threat perspective? That’s the stuff we’re looking really hard at.”

Casapulla made his remarks at a Washington, D.C. event hosted by Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security. 

Some believe that the penetration of U.S. telecommunications networks by another Chinese hacking group, Salt Typhoon, has overshadowed the machinations of Volt Typhoon, which could eventually have a bigger impact. U.S. officials have warned that China could be prepositioning in critical infrastructure should conflict break out between the United States and Beijing.

Other federal officials have said Volt Typhoon might not have been as successful at maintaining its access as it hoped.

Casapulla said CISA is looking at how to mitigate the threat as well as determining the end goal of the hackers.

“Is it to merely disrupt a few cranes at a port? That could be one thing. But what about if it were all the ports?” he asked. “What about if it were all cargo management systems so they don’t have to do anything physical? They can just shut down a database and limit our ability to track cargo that moves on and off of ships, effectively shutting down the ports and the entire transportation system that way.

“Those are the kind of second-, third-order effects that I also worry about,” Casapulla said.

When he testified before Congress at a hearing last month on his nomination to become national cyber director, Sean Cairncross said Volt Typhoon hacking “has potentially life-and-death consequences.” Other Trump administration officials also have sounded the alarm about the hacking group.

It was also a point of concern in the prior administration under President Joe Biden.

The post Feds still trying to crack Volt Typhoon hackers’ intentions, goals appeared first on CyberScoop.

CISA says it will release telecom security report sought by Sen. Wyden to lift hold on Plankey nomination

Sean Plankey’s path to leading the Cybersecurity and Infrastructure Security Agency may soon have one obstacle cleared from it.

With the Senate Homeland Security and Governmental Affairs Committee scheduled to hold a vote on his nomination for CISA director Wednesday, the next and final step for Plankey pending approval from the panel would be getting a full Senate vote — something Sen. Ron Wyden, D-Ore., has vowed to block until the agency publicly releases a report on telecommunications network vulnerabilities.

CISA said Tuesday that it would, in fact, release that report.

“CISA intends to release the U.S. Telecommunications Insecurity Report (2022) that was developed but never released under the Biden administration in 2022, with proper clearance,” Marci McCarthy, director of public affairs at the agency, said in an emailed statement. “CISA has worked with telecommunications providers before, during, and after Salt Typhoon — sharing timely threat intelligence, providing technical support and continues to have close collaboration with our federal partners to safeguard America’s communications infrastructure.”

The agency didn’t say when it would release the report, or what “proper clearance” entailed.

CISA’s statement came shortly after Senate passage of legislation — without objections from any senator — that would require the release of the report within 30 days of enactment. The House would still have to pass the bill to send it to President Donald Trump for a signature.

In a floor speech Monday, Wyden said “Congress and the American people deserve to read this report. It includes frankly shocking details about national security threats to our country’s phone system that require immediate action.

“CISA’s multi-year cover-up of the phone companies’ negligent cybersecurity enabled foreign hackers to perpetrate one of the most serious cases of espionage — ever — against our country,” he continued. “Had this report been made public when it was first written in 2022, Congress would have had ample time to require mandatory cybersecurity standards for phone companies, in time to prevent the Salt Typhoon hacks.”

A spokesperson for Wyden said Tuesday that no one from the office has heard from CISA on its plans for the report “that I know of.”

The government’s response to Salt Typhoon, and the industry’s handling of its vulnerabilities, have drawn some outside criticism. Government agencies have rejected some of those complaints while acknowledging others.

The Senate Homeland Security and Governmental Affairs Committee held a hearing on the nomination of Plankey last week, where he talked about his priorities for the agency but also drew fire from a Democratic senator over his views on election manipulation in past and future races.

The post CISA says it will release telecom security report sought by Sen. Wyden to lift hold on Plankey nomination appeared first on CyberScoop.

Plankey vows to boot China from U.S. supply chain, advocate for CISA budget

President Donald Trump’s pick to lead the Cybersecurity and Infrastructure Security Agency told senators Thursday that he would prioritize evicting China from the U.S. supply chain, and wouldn’t hesitate to ask for more money for the shrunken agency if he thought it needed it.

“If confirmed it will be a priority of mine to remove all Chinese intrusions, exploitations or infestation into the American supply chain,” Sean Plankey told Rick Scott, R-Fla., at his confirmation hearing before the Homeland Security and Governmental Affairs Committee. Scott had asked Plankey about reports of Chinese infiltration of U.S. energy infrastructure.

Should he be confirmed for the role, Plankey is set to arrive at an agency that has had its personnel and budget slashed significantly under Trump, a topic of concern for Democratic senators including the ranking member on the panel vetting him, Gary Peters of Michigan. Peters asked how he’d handle the smaller CISA he’s inherited while still having a range of legal obligations to fulfill.

“One of the ways I’ve found most effective when you come in to lead an organization is to allow the operators to operate,” Plankey said. “If that means we have to reorganize in some form or fashion, that’s what we’ll do, I’ll lead that charge. If that means we need a different level of funding than we currently have now, then I will approach [Department of Homeland Security Secretary Kristi Noem], ask for that funding, ask for that support.”

Under questioning from Sen. Richard Blumenthal, D-Conn., about whether he believed the 2020 election was rigged or stolen, Plankey, like other past Trump nominees, avoided answering “yes” or “no.” 

At first he said he hadn’t reviewed any cybersecurity around the 2020 election. He then said, “My opinion on the election as an American private citizen probably isn’t relevant, but the Electoral College did confirm President Joe Biden.” 

Blumenthal pressed him, saying his office was supposed to be above politics, and asked what Plankey would do if Trump came to him and falsely told him the 2026 or 2028 elections were rigged. 

“That’s like a doctor who’s diagnosing someone over the television because they saw them on the news,” Plankey answered.

Chairman Rand Paul, R-Ky., rebutted Blumenthal, saying “CISA has nothing to do with the elections.” But Sen. Josh Hawley, R-Mo., later asked Plankey about CISA’s “important” role in protecting election infrastructure, and asked how he would make the line “clear” between past CISA disinformation work that Republicans have called censorship and cybersecurity protections.

Plankey answered that Trump has issued guidance on the protection of election security infrastructure like electronic voting machines, and it’s DHS’s job “to ensure that it is assessed prior to an election to make sure there are no adversarial actions or vulnerabilities in it,” something he’d focus on if Noem tasked CISA with the job.

Plankey said he would not engage in censorship — something his predecessors staunchly denied doing — because “cybersecurity is a big enough problem.” His focus would be on defending federal networks and critical infrastructure, he said. To improve federal cybersecurity, he said he favored “wholesale” revamps of federal IT rather than smaller fixes.

The Center for Democracy and Technology said after Plankey’s hearing it was concerned about how CISA would approach election security.

“CISA has refused to say what its plans are for the next election, and election officials across the country are flying blind,” said Tim Harper, senior policy analyst on elections and democracy for the group. “If CISA is abandoning them, election officials deserve to know so they can make plans to protect their cyber and physical infrastructure from nation-state hackers. Keeping them in the dark only helps bad actors.”

Plankey indicated support for the expiring State and Local Cybersecurity Grant Program, as well as the expiring 2015 Cybersecurity and Information Sharing Act, both of which are due to sunset in September.

Paul told reporters after the hearing that he planned to have a markup of a renewal of the 2015 information sharing law before the September deadline, with language added to explicitly prohibit the Cybersecurity and Infrastructure Security Agency from any censorship.

Plankey’s nomination next moves to a committee vote, following an 11-1 vote last month to advance the nomination of Sean Cairncross to become national cyber director. Plankey’s nomination would have another hurdle to overcome before a Senate floor vote, as Sen. Ron Wyden, D-Ore., has placed a hold on the Plankey pick in a bid to force the administration to release an unclassified report on U.S. phone network security.

“The Trump administration might not have been paying attention, so I’ll say it again: I will not lift my hold on Mr. Plankey’s nomination until this report is public. It’s ridiculous that CISA seems more concerned with covering up phone companies’ negligent cybersecurity than it is with protecting Americans from Chinese hackers,” Wyden said in a statement to CyberScoop. “Trump’s administration won’t act to shore up our dangerously insecure telecom system, it hasn’t gotten to the bottom of the Salt Typhoon hack, and it won’t even let Americans see an unclassified report on why it’s so important to put mandatory security rules in place for phone companies.”

The post Plankey vows to boot China from U.S. supply chain, advocate for CISA budget appeared first on CyberScoop.

Why it’s time for the US to go on offense in cyberspace

The U.S. is stepping into a new cyber era, and it comes not a moment too soon.

With the Trump administration’s sweeping $1 billion cyber initiative in the “Big Beautiful Bill” and growing congressional momentum under the 2026 National Defense Authorization Act (NDAA) to strengthen cyber deterrence, we’re seeing a shift in posture that many in the security community have long anticipated, although often debated: a decisive pivot toward more robust offensive cyber operations.

While many may disagree with the decision to “go on offense,” we need to recognize the changing threat landscape and the failure of our previous restrained approach. The U.S. has the most advanced cyber capabilities in the world. Yet for the past two decades, our posture has been dominated by defense, deterrence-by-denial, and diplomatic restraint. This strategy has not yielded peace or dissuaded our adversaries. On the contrary, it has only served to embolden them.

With geopolitical tensions now at a boiling point and adversaries escalating both the scale and ambition of their cyber campaigns, it is time to remove the handcuffs. This doesn’t mean acting recklessly, but it does mean meeting our adversaries on the same battlefield so that we can use our unmatched capabilities to hold them at risk.

The strategic landscape has changed

The cyber threat environment in 2025 is fundamentally different from what it was even five years ago. Operations like China’s Volt Typhoon and Russia’s relentless campaigns against Ukraine’s infrastructure illustrate a broader shift: our adversaries are no longer limiting themselves to espionage or IP theft. They are actively preparing for conflict.

Volt Typhoon, in particular, marks a strategic evolution as Chinese state actors are actively prepositioning in U.S. critical infrastructure not for surveillance, but for disruption. Salt Typhoon’s operations, targeting civilian infrastructure with apparent tolerance for detection, suggest a loosening of China’s risk calculus. Meanwhile, Russia’s destructive malware targeting industrial control system (ICS) environments, and Iran’s growing reliance on cyber proxies, show how aggressive and emboldened our rivals have become.

Offensive capabilities are a military imperative

The proposed $1 billion investment isn’t about launching retaliatory attacks. It’s about building the infrastructure, tools, and talent needed to make cyber a fully integrated and reliable component of U.S. military and intelligence operations.

While the U.S. possesses world-class cyber capabilities, current policies have kept these tools locked behind layers of classification, bureaucracy, and operational disconnect. As a result, offensive cyber operations have been limited to highly targeted missions. While they’re often executed with surgical precision, they usually lack the speed, adaptability, or scale demonstrated by our adversaries.

When a U.S. technique is exposed, it can take months to retool and mount another operation. In contrast, our adversaries rely on publicly known vulnerabilities, social engineering, and agile teams that can quickly weaponize newly disclosed exploits.

Zero-days are among our most valuable (and expensive) cyber assets. But having the exploit isn’t enough. Effective use requires real-time intelligence, targeting infrastructure, trained operators, and a legal framework that enables rapid deployment.

This new investment represents a serious effort to evolve our approach. It will enable the Department of Defense, U.S. Cyber Command, and the intelligence community to proactively shape the digital battlefield, both independently and in coordination with conventional military operations.

Adversaries respond to force, not diplomacy

Over the past 15 years, we’ve watched our top adversaries, China and Russia, test, prod, and exploit our most sensitive networks, from government systems to critical infrastructure companies, often with minimal consequence. We’ve also sustained numerous damaging attacks, from the massive OPM and Equifax breaches to SolarWinds, NotPetya and Colonial Pipeline. The list goes on and on.

In all of these cases, we’ve responded, at best, with indictments, sanctions, or strongly worded statements. In the meantime, our adversaries have only grown bolder and more sophisticated. Their actions suggest one conclusion: they don’t believe we’ll strike back.

This lack of proportional response is viewed as weakness, not restraint. Deterrence only works when the adversary believes you will act. That belief is fading. But a more muscular cyber posture, backed by operational capacity and political will, can restore it.

Ransomware is now a national security threat

The line between criminal and nation-state activity is becoming blurred amid rising geopolitical tensions. Ransomware, once seen as a law enforcement issue, now poses one of the most serious threats to national infrastructure.

We’ve already seen its disruptive power in attacks on Colonial Pipeline, JBS Foods, Mondelez International, and United Natural Foods Inc. However, as damaging as those were, they pale in comparison to what a determined adversary — especially one that is backed by a state — could accomplish.

Essential services like electricity, water, health care, and transportation are increasingly vulnerable. Many ransomware groups operate in jurisdictions that ignore or even support their activities. U.S. adversaries are now integrating these actors into broader state-aligned campaigns, using them as asymmetric tools of disruption.

The weaponization of ransomware and other destructive malware like “wipers” is a clear and present danger. Countering it requires more than law enforcement.

While the Department of Homeland Security and the FBI play vital roles in tracking threats, they lack the global reach and strategic authority of the military. Offensive cyber capabilities are needed to disrupt operations, dismantle infrastructure, and impose real costs.

There are risks with doing nothing, too

Critics of these operations rightly point out there are plenty of risks: escalation, unintended consequences, and blowback. Yes, these risks are real. Any use of cyber capabilities, especially against state-linked infrastructure, must be carefully weighed, governed by rules of engagement, and aligned with broader geopolitical strategy. 

Historically, cyber has not had clear rules for what constitutes “crossing the line,” though the general assumption has been that loss of life or large-scale disruptions to critical infrastructure would qualify. 

But inaction has its own risks. If we continue playing defense while our adversaries go on offense, we are signaling that they can operate with impunity. This is not de-escalation; it’s appeasement. And it will only invite more aggression. 

On the other hand, offensive action may at times be the most effective path to de-escalation, by showing that the U.S. is both willing and able to impose real costs.

It’s time for real deterrence

Cyber deterrence has long been an elusive concept. Unlike nuclear deterrence, which relies on mutually assured destruction, cyber deterrence is far more ambiguous. The lack of clear red lines, uncertain attribution, and the diverse range of actors all complicate strategy.

But these are not reasons to avoid building deterrence. This is why it’s even more important to build smarter, more flexible capabilities that combine intelligence, cyber offense, and traditional diplomacy to manage escalation while signaling resolve.

The shift we’re seeing now, both from Congress and the administration, is a necessary first step. However, in order to be effective, it must be followed by clear doctrine, strong oversight, and close coordination between military, intelligence, and homeland security stakeholders. 

Offensive cyber operations are not a silver bullet, but they are an essential tool of statecraft in the modern world. 

Dave Kennedy is the founder of TrustedSec and Binary Defense.

The post Why it’s time for the US to go on offense in cyberspace appeared first on CyberScoop.

House passes bill to formalize NTIA’s cyber role following Salt Typhoon attacks

As cyber officials work to contain Salt Typhoon inside U.S. telecom networks, the House on Monday passed a bill that would officially designate one federal agency to lead efforts in protecting the nation’s digital infrastructure from such threats.

The National Telecommunications and Information Administration Organization Act cleared the House via voice vote and is now teed up for Senate consideration, the same position the bill found itself in last year before stalling out in the upper chamber.

The legislation from Reps. Jay Obernolte, R-Calif., and Jennifer McClellan, D-Va., would rebrand the Office of Policy Analysis and Development as the Office of Policy Development and Cybersecurity, and codify the NTIA’s responsibilities to lead policy initiatives and coordinate with other agencies on cyber practices for the country’s communications networks.

“NTIA is already central to advancing market-driven strategies that foster innovation, expand broadband deployment and promote a competitive digital economy,” McClellan said. “But this legislation ensures that NTIA is equally empowered to help safeguard that digital future, particularly as the cybersecurity threats we face grow more complex and more dangerous by the day.”

The Salt Typhoon attack spree last year on major American telecommunications companies, she added, was a “sobering reminder” of the vulnerabilities that live in U.S. infrastructure and “how deeply” the fallout of cyberattacks can be felt in multiple sectors, ranging from health care to national security. 

The top Democrat on the Senate Intelligence Committee last year called the far-reaching breach by the Chinese hacking group “the worst telecom hack in our nation’s history.” In interviews with CyberScoop, a half-dozen sources pointed fingers at a lack of coordination and miscommunication between federal agencies and the telecom industry.

The bill calls on NTIA to take the lead on coordinating “transparent, consensus-based, multistakeholder processes” for the development and implementation of cybersecurity and privacy policies in communications networks. Public-private partnerships would be fostered to encourage “collaboration between government agencies and stakeholders,” said Rep. Bob Latta, R-Ohio, chairman of the House Energy & Commerce Committee’s energy subcommittee.

There is also a callout in the legislation for increased collaboration between security researchers, software developers and telecoms. Collaboration will be paramount as telecoms attempt to purge the vestiges of Salt Typhoon from their networks, a feat that experts told CyberScoop will be exceedingly difficult if not impossible.

Additionally, the legislation seeks NTIA-led policies on security resilience and the pursuit of accelerated “innovation and commercialization with respect to advances in technological understanding of communications technologies,” per the bill text.

“As more and more of Americans’ lives move into a digital format, it’s leaving the information of Americans more and more vulnerable to cyberattacks,” Obernolte said. “That’s why it is critical that we establish cybersecurity protocols and capabilities to counter the threats, not just to foreign actors, but of cybercriminals and transnational criminal organizations who attempt to breach our data security and access the data of Americans.”

A separate bill that passed the House later Monday has additional cyber-related responsibilities for the NTIA and its leader, the assistant secretary for communications and information. The Understanding Cybersecurity of Mobile Networks Act would require the Commerce Department official to lead a report that examines mobile service networks’ cybersecurity and vulnerabilities that those networks and devices face from adversaries.

The legislation, co-sponsored by Reps. Greg Landsman, D-Ohio, and Kat Cammack, R-Fla., charges the NTIA chief with coordinating an interagency group to inform the report that includes experts from the National Institute of Standards and Technology, the Cybersecurity and Infrastructure Security Agency and the Department of Homeland Security’s Science and Technology Directorate.

That group, Landsman said, would “build out all of the information we need to ensure that we understand where all of our vulnerabilities are, that we are dealing with those vulnerabilities, where are the gaps, how our foreign adversaries are accessing data, how could they be accessing our data, and how to further our ability to stop our enemies from attacking our individual devices.” 

In compiling the report, NTIA should also consult with the Federal Communications Commission, the intelligence community, privacy and encryption researchers and academics, international stakeholders, standards and technical organizations, and industry, per the bill text. The legislation also calls for an analysis of the commercially available tools that can help consumers assess networks’ cybersecurity.

“It’s a good step towards ensuring we can protect our global networks from evolving threats,” said Rep. Frank Pallone, ranking member of the House Energy & Commerce Committee. “And I know we will continue to work towards securing our country’s data, devices and networks, whether from a foreign adversary or domestic threat.”

This story was updated July 15 with details on the passing of the Understanding Cybersecurity of Mobile Networks Act.

The post House passes bill to formalize NTIA’s cyber role following Salt Typhoon attacks appeared first on CyberScoop.