The hackers gained the ability to modify equipment operational parameters, creating a direct risk to the public water supply.
The post Polish Security Agency Reports ICS Breaches at Five Water Treatment Plants appeared first on SecurityWeek.
The Cybersecurity and Infrastructure Security Agency is urging critical infrastructure owners and operators to plan for delivering essential services under emergency conditions – potentially for months at a time.
The federal government’s top cybersecurity agency warned that state-sponsored hackers, particularly two Chinese groups known as Salt Typhoon and Volt Typhoon, continue to threaten critical sectors like electricity, water, and internet.
The agency is now working with the private sector to protect operational technology – the systems that control the heavy machinery and equipment that powers most critical infrastructure – from attacks that enter through business IT systems or third-party vendor products.
The initiative — known as CI Fortify – will include CISA conducting targeted technical assessments of critical infrastructure entities and aims to create plans that “allow for safe operations for weeks to months while isolated” from IT networks and third-party tools, according to the agency’s website.
Nick Andersen, CISA’s acting director, told reporters that the goal is “service delivery [that] can still reach critical infrastructure after the asset owner has disconnected with IT and OT, disconnected from third party vendors and service provider connections and disconnected from third party telecommunications equipment.”
Over the past two years, wars in Ukraine, Gaza, Iran and elsewhere have seen water plants, power substations, data centers and other critical infrastructure targeted by kinetic or cyberattacks.
Andersen said the agency has already begun engaging with some companies to pilot the assessments and expects that work to ramp up considerably as CISA hires additional staff in the coming months.
He declined to name the entities involved in the pilot program, but said they will focus on organizations that support national security, defense, public health and safety and economic continuity. He added that CISA’s assessments will vary from sector to sector depending on their unique needs.
“Water isn’t necessarily designed to prioritize specific customer needs outside of recovery periods, while energy and transportation have more immediate tradeoffs for selecting one load or one set of cargo over another,” Andersen said as an example.
One pillar of CISA’s strategy is isolation: essentially turning off all third-party and business network connections to an OT network when facing an emergency or unknown vulnerability.
Organizations also need to develop an internal plan for what acceptable service levels look like under those conditions and reach understandings with their critical customers, like U.S. military installations and lifeline services.
The second pillar, recovery, involves best practices for organizations: backing up files, documenting systems and having manual backups for operations when normal computer systems are down.
In conversations with cybersecurity specialists who focus on critical infrastructure and operational technology, it is widely assumed that China is not the only nation to have broadly compromised Americans critical infrastructure. That hacking groups tied to other nations have almost surely noticed and exploited the same basic vulnerabilities and hygiene issues found by the Typhoons.
Agencies like the FBI and Federal Communications Commission have touted efforts to purge Chinese hackers and work voluntarily with telecoms to harden their network security. But U.S. national security officials and cybersecurity defenders have consistently said both Salt Typhoon and Volt Typhoon remain active threats to U.S. critical infrastructure.
The post CISA wants critical infrastructure to operate ‘weeks to months’ in isolation during conflict appeared first on CyberScoop.
Claroty researchers discovered two vulnerabilities that can be exploited for security bypass and remote code execution.
The post EnOcean SmartServer Flaws Expose Buildings to Remote Hacking appeared first on SecurityWeek.
Forescout has identified tens of thousands of exposed RDP and VNC servers that can be mapped to specific industries.
The post Hundreds of Internet-Facing VNC Servers Expose ICS/OT appeared first on SecurityWeek.
A Chinese national allegedly involved in a massive, pandemic-era attack spree that compromised nearly 13,000 U.S. organizations was extradited from Italy to the United States and formally charged in federal court, the Justice Department said Monday.
Xu Zewei and his co-conspirators are accused of exploiting a string of zero-day vulnerabilities in Microsoft Exchange Server to steal research on COVID-19 vaccines, treatment and testing during the initial wave and subsequent height of the pandemic.
His alleged crimes, directed by China’s intelligence services, were part of a broader espionage campaign known as HAFNIUM, which targeted infectious disease experts, law firms, universities, defense contractors and policy think tanks, according to an indictment filed against Xu and Zhang Yu, who remains at large.
The China state-sponsored threat group behind those attacks against Microsoft customers, and many other vendors’ customers since, is now more widely known as Silk Typhoon.
“Xu will now answer for his alleged role in HAFNIUM, a group responsible for a vast intrusion campaign directed by China’s Ministry of State Security that compromised more than 12,700 U.S. organizations,” Brett Leatherman, assistant director of the FBI’s Cyber Division, said in a statement.
“He is one of many contractors the Chinese government uses to obscure its hand in cyber operations, and others who do the same face the same risk,” he added.
Xu allegedly committed the attacks while working for Shanghai Powerock Network, one of many companies that conducted attacks for China’s various intelligence services, according to court records.
Italian authorities arrested Xu at the United States’ request in Milan in July. His capture underscores a window of opportunity U.S. officials and allies can take when nation-state attackers travel to countries that cooperate with the United States.
Italy extradited Xu to the United States Saturday but didn’t release his extradition orders until Monday, Simona Candido, his attorney in Italy, told CyberScoop.
Officials said Monday marked Xu’s first appearance in the U.S. District Court for the Southern District of Texas. He is currently being held at a federal prison in Houston.
“We have pursued this moment across years and continents, and the message this office sends today is the same one we sent when we first unsealed this indictment: we will work to protect the American people,” John G.E. Marck, acting U.S. attorney for the Southern District of Texas, said in a statement.
Xu allegedly worked under the direction of China’s Ministry of State Security’s Shanghai State Security Bureau to break into U.S. organizations’ networks, steal data and implant webshells for persistent remote access. Officials also accuse Xu of stealing information regarding U.S. policymakers and government agencies from a global law firm with offices in Washington.
Microsoft first warned customers about the HAFNIUM campaign in March 2021. The FBI and Cybersecurity and Infrastructure Security Agency followed soon after with a joint advisory about the widespread compromise of Microsoft Exchange Server.
“Today’s law enforcement action demonstrates the real-world consequences of this state-led activity, which is fueled by a vast network of private companies operating under the direction of the Chinese government,” Aaron Shraberg, senior team lead of global intelligence at Flashpoint, told CyberScoop.
“Extraditing these individuals from countries in coordination with international law enforcement demonstrates a united stance on these actions, and the importance of bringing real-world consequences to China’s notorious targeting of not just the American people and their businesses, but individuals globally as well,” Shraberg added.
Xu is charged with conspiracy to commit wire fraud; two counts of wire fraud; conspiracy to cause damage to and obtain information by unauthorized access to protected computers, to commit wire fraud, and to commit identity theft; two counts of obtaining information by unauthorized access to protected computers; two counts of intentional damage to a protected computer; and aggravated identity theft.
The 34-year-old faces up to 62 years in prison for his alleged crimes.
The post Chinese national extradited to US for pandemic-era Silk Typhoon attacks appeared first on CyberScoop.
One day AI may be capable of creating malware that threatens critical infrastructure.
But that day was not earlier this month, when reports surfaced of a new piece of malware seemingly configured to search for and sabotage Israeli water infrastructure, according to industrial cybersecurity firm Dragos.
The malware, called ZionSiphon, was first identified by AI cybersecurity firm Darktrace, which said it was designed to target operational technology and industrial control system environments. The code scans the internet for IP addresses tied to water treatment and desalination plants owned or operated in Israel, with the goal of compromising them to sabotage the levels of chlorine and poison water supplies.
Strings in the malware’s binary code included the names of different components of the Israeli water sector, as well as politically-themed messaging, such as “In support of our brothers in Iran, Palestine, and Yemen against Zionist aggression.”
But a technical lead malware analyst at Dragos, Jimmy Wyles, called the malware nothing more than “hype,” claiming it poses no threat to water plants in Israel or anywhere else.
For instance, whoever wrote the malware appears to have little knowledge of how operational technology works at Israeli water plants.
“The code is broken and shows little to no knowledge of dam desalination or ICS protocols,” wrote Wylie.
The developers also appeared to use AI to generate significant portions of the code, leading to hallucinations and errors. All the Windows-based process names and directory paths designed to confirm that a target was related to water desalination were filled with “fictional and likely LLM generated guesses.” The configuration files purportedly designed to manipulate chlorine levels were also fake and likely created using AI.
Darktrace’s analysis notes that the malware sample they tested appears to be dysfunctional, citing an incorrect configuration in the code’s country targeting functions.
But Wylie wrote that the malware still would have been harmless to water treatment plants even when correctly configured, because the rest of the code was so riddled with “logic errors and invalid assumptions” that it would have been inoperable.
Similar maturity and logic issues were found in the malware’s USB infection and self-destruction capabilities. Wylie said Dragos was withholding additional technical analysis of the flaws plaguing ZionSiphon because they’re “not in the business of fixing malware for adversaries.”
The episode highlights an ongoing dispute around how much attention defenders – particularly those who work with operational technology – should give to more novel threats like AI-enabled hacking, versus more established tactics, techniques and procedures that have been successfully wielded by foreign hacking groups.
Operational technology – the systems that control or manipulate the machinery used in water facilities, electrical power plants and other industrial sectors – differs substantially from information technology environments. That presents challenges for both cybersecurity defenders and malicious hackers who often lack the industry-specific knowledge or skillset to design effective exploits.
To wit, Dragos claims there are publicly less than 10 malware samples capable of threatening industrial control systems. ZionSiphon is not one of them.
Wylie was critical of the way threat intelligence companies and media outlets initially framed the danger posed by the malware, saying it was overblown and likely diverted water sector cybersecurity resources away from more tangible threats, like Volt Typhoon, the Chinese-backed hacking group that U.S. intelligence officials say has burrowed deep into American critical infrastructure.
“Those responsible for protecting water treatment facilities and other critical infrastructure have finite time and attention,” Wylie wrote. “Spending either on ZionSiphon means spending less on threat groups like [Volt Typhoon], which have a demonstrated history of intrusions into those environments and are a far more pressing concern.”
The post Dragos: Despite AI use, new malware targeting water plants is ‘hype’ appeared first on CyberScoop.
Forescout researchers discovered 20 new vulnerabilities in Lantronix and Silex products and described theoretical attack scenarios.
The post Serial-to-IP Converter Flaws Expose OT and Healthcare Systems to Hacking appeared first on SecurityWeek.
The malware is configured to operate on systems associated with Israeli water treatment and desalination plants.
The post ZionSiphon Malware Targets ICS in Water Facilities appeared first on SecurityWeek.
The US government has warned that Iran-linked hackers are manipulating PLCs and SCADA systems to cause disruption.
The post Industry Reactions to Iran Hacking ICS in Critical Infrastructure: Feedback Friday appeared first on SecurityWeek.
The Department of Commerce is putting together a catalog of AI tools that will be given special export status by the federal government to be sold abroad.
The department issued a call for proposals to participating companies in the Federal Register, looking to create a “menu of priority AI export packages that the U.S. Government will promote to allies and partners around the world.”
The companies and technologies included “will be presented by U.S. Government representatives as a standing, full-stack American AI export package and may receive priority government advocacy, export licensing review and processing, interagency coordination, and financing referrals, subject to applicable law,” the department said in a Federal Register notice Friday.
The export package was mandated through President Donald Trump’s AI executive order last year, which described the export packages as part of a larger effort to “ensure that American AI technologies, standards, and governance models are adopted worldwide” and “secure our continued technological dominance.”
“The American AI Exports Program delivers on President Trump’s directive to ensure that American AI systems – built on trusted hardware, secure data, and world-leading innovation – are deployed at scale around the world,” Secretary of Commerce Howard Lutnick said in a statement earlier this month. “By promoting full-stack American solutions, we are strengthening our economic and national security, deepening ties with allies and partners, and ensuring that the future of AI is led by the United States.”
The executive order called for certain technologies to be included in the package, including AI models and systems but also computer chips, data center storage, cloud services and networking services, along with unspecified “measures” to ensure security and cybersecurity of AI systems.
The Commerce notice envisions offering multiple packages of AI technology from “standing teams of AI companies organized to offer a complete American AI technology stack to foreign markets on an ongoing basis.” There is no limit on the number of companies that participate in a consortium, and Commerce said there isn’t “any particular legal structure” required.
While the proposal at several points refers to these packages as “American AI,” the notice does specify that foreign companies can participate.
In fact, for certain categories like hardware, the total level of U.S.-made content only needs to be 51% or greater. Member companies providing data, software, cybersecurity or application layer services can’t be incorporated or primarily based in countries like China or Russia, where national security laws may compel them to work with foreign governments or hand over sensitive data.
The potential business would be broad, covering foreign public and private sector buyers in global, regional, and country-specific markets. It also includes the potential formation of separate, “on demand” packages of companies and products meant for “specific foreign opportunities.”
But the notice also states that final decisions will be made on the basis of “national interest” by principals at the Departments of Commerce, State, Defense and Energy, as well as the White House Office of Science, Technology and Policy.
Commerce does not intend to formally rank proposals or use fixed scoring formulas to approve packages of technology for the export program, and the language in the notice appears to give wide latitude to federal decisionmakers to determine whether a particular proposal meets the “national interest” threshold.
“A proposal that undertakes reasonable efforts to satisfy the 51 percent hardware U.S.-content presumption is not automatically entitled to designation, and a proposal that does not satisfy that presumption is not automatically disqualified,” the notice said.
The post Commerce setting up new AI export regime to push adoption of ‘American AI’ abroad appeared first on CyberScoop.
The fallout and potential exposure from Iran’s state-backed targeting of U.S. critical infrastructure extends to more than 5,200 internet-connected devices, researchers at Censys said in a threat intelligence brief Wednesday.
Of the programmable logic controllers manufactured by Rockwell Automation/Allen-Bradley that Censys identified as potentially exposed to Iranian government attackers, nearly 3,900, or about 3 out of every 4, are based in the United States.
The cybersecurity firm identified the devices based on details multiple federal agencies shared in a joint alert Tuesday, and published additional indicators of compromise, including operator IPs and other threat hunting queries.
Federal authorities earlier this week warned that Iranian government attackers have exploited devices that control industrial automation processes and disrupted multiple sectors during the past month. Some victims also experienced financial losses as a result of the attacks, officials said.
The operational technology devices are deployed across the energy sector, water and wastewater systems, and U.S. government services and facilities.
Censys scans spotted 5,219 internet-exposed Rockwell Automation/Allen-Bradley PLC hosts shortly after the joint alert was issued by the FBI, National Security Agency, Cybersecurity and Infrastructure Security Agency, Environmental Protection Agency, Energy Department and U.S. Cyber Command.
Researchers at Censys determined most of the exposed devices are connected via cellular systems, posing a significant risk to remote field deployments. Nearly half of the devices globally are connected to Verizon’s wireless network and 13% are connected to AT&T’s infrastructure.
“These devices are almost certainly field-deployed in physical infrastructure (pump stations, substations, municipal facilities) with cellular modems as their sole internet path,” Censys researchers wrote in the report.
The potential attack surface is also amplified by additional services exposed in other ports on these devices, a discovery that Censys warned could allow attackers to gain direct paths to operations beyond PLC exploitation.
Researchers fingerprinted MicroLogix and CompactLogix models exposed to the latest threat campaign and published a list of the 15 most-exposed products. Many of the most prominent devices are running end-of-life software, a compounding risk that could allow attackers to prioritize unpatched devices upon scanning, according to Censys.
The attacks date back to at least March, following the U.S. and Israel’s war against Iran, and were underway as other Iranian government-backed attackers claimed other victims, including Stryker and local governments.
The post Iranian attacks on US critical infrastructure puts 3,900 devices in crosshairs appeared first on CyberScoop.
An apparent hack-for-hire campaign from a group with suspected Indian government connections targeted Middle Eastern and North African journalists and activists using spyware, three collaborating organizations said in reports published Wednesday.
The attacks shared infrastructure that pointed to the advanced persistent threat group known as Bitter, which most frequently targets government, military, diplomatic and critical infrastructure sectors across South Asia, according to conclusions from researchers at Access Now, Lookout and SMEX.
Each group took on a different piece of the puzzle:
One of the victims, independent Egyptian journalist Mostafa Al-A’sar, said he contacted Access Now after receiving a suspicious link from someone he’d been talking to about a job position. He was skeptical because his phone had been targeted before, when he was arrested in Egypt in 2018.
The lesson for journalists and civil society groups is that cybersecurity “is not a luxury,” he said.
“I feel like I’m threatened,” Al-A’sar said, and even though he was living in exile, he feels like “they are still following me. I also felt worried about my family, about my friends, about my sources.”
The combined research found a wider campaign than just the original victims.
“Our joint findings expose an espionage campaign that has been operational since at least 2022 until present day primarily targeting civil society members and potentially government officials in the Middle East,” Lookout wrote. “The operation features a combination of targeted spearphishing delivered through fake social media accounts and messaging applications leveraging persistent social engineering efforts, which may result in the delivery of Android spyware depending on the target’s device.”
The Committee to Protect Journalists condemned the campaign.
“Spying on journalists is often the first step in a broader pattern of intimidation, threats, and attacks,” said the group’s regional director, Sara Qudah. “These actions endanger not only journalists’ personal safety, but also their sources and their ability to do their work. Authorities in the region must stop weaponizing technology and financial resources to surveil journalists.”
Access Now said it didn’t have enough information to attribute who was behind the attacks it identified.
ESET first published research on the ProSpy malware last year, after finding it targeting residents of the United Arab Emirates.
The post Hack-for-hire spyware campaign targets journalists in Middle East, North Africa appeared first on CyberScoop.
Federal agencies warn attackers are manipulating PLC and SCADA systems across multiple sectors, triggering operational disruptions and raising concerns over broader OT targeting.
The post Iran-Linked Hackers Disrupt US Critical Infrastructure via PLC Attacks appeared first on SecurityWeek.
Iranian government hackers are launching disruptive cyberattacks on American energy and water infrastructure, U.S. government agencies “urgently” warned Tuesday.
The hackers are taking aim at devices and systems that control industrial processes, and have harmed victims in the last month following the onset of U.S.-Israel strikes against Iran, according to the joint alert from the FBI, National Security Agency, Cybersecurity and Infrastructure Security Agency, Environmental Protection Agency, Energy Department and Cyber Command.
“Iran-affiliated advanced persistent threat (APT) actors are conducting exploitation activity targeting internet-facing operational technology (OT) devices, including programmable logic controllers (PLCs) manufactured by Rockwell Automation/Allen-Bradley,” the alert states. “This activity has led to PLC disruptions across several U.S. critical infrastructure sectors through malicious interactions with the project file and manipulation of data on human machine interface (HMI) and supervisory control and data acquisition (SCADA) displays.”
U.S. government agencies have warned before about Iranian hackers going after similar targets with those similar methods. The first such warning came after an Iranian government-linked group took credit for attacking a Pennsylvania water facility in late 2023.
Since March of this year, however, the agencies said they have seen new victims emerge from an advanced persistent threat group tied to Iran.
“The authoring agencies identified (through engagements with victim organizations) an Iranian-affiliated APT-group that disrupted the function of PLCs,” the alert reads. “These PLCs were deployed across multiple U.S. critical infrastructure sectors (including Government Services and Facilities, WWS, and Energy sectors) within a wide variety of industrial automation processes. Some of the victims experienced operational disruption and financial loss.”
The earlier campaign compromised at least 75 devices, the alert states.
The latest disruptions include “maliciously interacting with project files, and manipulating data displayed on HMI and SCADA displays,” according to the agencies’ warning.
After the U.S.-Israel conflict with Iran began, Tehran-connected hackers claimed victims including major medtech company Stryker, local governments and more.
The FBI warned last month that Iranian hackers were deploying malware over the Telegram app, although that campaign also predated the current Iran conflict.
The post Iranian hackers launching disruptive attacks at U.S. energy, water targets, feds warn appeared first on CyberScoop.
Medtech company Stryker says it’s back to being “fully operational,” three weeks after it became the most prominent victim to date of Iranian hackers, who said they attacked the Michigan-based company in retaliation over the conflict with the United States and Israel.
A March 11 wiper attack from the pro-Palestinian, Iranian government-connected group Handala damaged the company’s order processing, manufacturing and shipping. More recently, Handala claimed to compromise the data of FBI Director Kash Patel, although the FBI said no government information was taken.
“Production is moving rapidly toward peak capacity with discipline and stability, supported by restored commercial, ordering and distribution systems,” the company wrote in an update on its website Wednesday. “Overall product supply remains healthy, with strong availability across most product lines, as we continue to meet customer demand and support patient care.”
Stryker said it continues to work with outside cyber experts, government agencies and industry partners on its investigation and recovery.
“Patient care remains our highest priority, with a continued focus on supporting healthcare providers and the patients they serve,” it said. “This remains a 24/7 effort and the first priority of our entire organization.”
Iranian hackers have been busy since the U.S.-Israel strikes began, but have claimed few successes in the United States. Handala boasted this week about an attack on St. Joseph County, Indiana, where officials said they were investigating a hack of its external fax service.
This week, Handala also claimed to have penetrated the systems of Israel’s air defense systems and leaked documents about it. But Handala also has been accused of overselling its deeds.
The FBI seized some websites associated with Handala last month, and the State Department has offered a reward for information on the hacking group.
The post Medtech giant Stryker says it’s back up after Iranian cyberattack appeared first on CyberScoop.
Read more of this story at Slashdot.
A Chinese cyberespionage group has shifted its gaze back to Europe after years of focusing on other parts of the world, Proofpoint research published Wednesday found.
The surge began in mid-2025, with a bevy of issues bubbling up between China and Europe, the company said. Proofpoint labels the government-linked group TA416, but other companies track it as Twill Typhoon, Mustang Panda or other names.
“This renewed focus most heavily targeted individuals or mailboxes associated with diplomatic missions and delegations to NATO and the EU,” Proofpoint’s Mark Kelly and Georgi Mladenov wrote. “TA416’s return to European government targeting occurred during heightened EU–China tensions over trade, the Russia–Ukraine war, and rare earths exports, and commenced immediately following the 25th EU–China summit.”
Separately, the same group took up targeting the Middle East in March after the start of the conflict in Iran, something it had never been spotted doing before, Proofpoint found.
“This aligns with a trend observed by Proofpoint of some state-aligned threat actors shifting targeting toward Middle Eastern government and diplomatic entities in the aftermath of the war,” the firm said. “This likely reflects an effort to gather regional intelligence on the status, trajectory, and broader geopolitical implications of the conflict.”
TA416 was active in Europe in 2022 and 2023, coinciding with the onset of the Ukraine-Russia war, but stepped away from the continent afterward, according to the researchers. Its focus turned to Southeast Asia, Taiwan and Mongolia for a couple years.
The group’s focus on Europe through early 2026 used a variety of web bug and malware delivery methods, including setting up reconnaissance by dangling lures about Europe sending troops to Greenland. It also included phishing emails about humanitarian concerns, interview requests and collaboration proposals, Proofpoint said.
“During this period, TA416 repeatedly altered its initial infection chains while maintaining a consistent goal of loading the group’s customized PlugX backdoor via DLL sideloading triads,” the researchers wrote.
Proofpoint’s is not the only report of late about Chinese cyberespionage groups targeting Europe, with another focused on LinkedIn solicitations to NATO and European institutions.
The post European-Chinese geopolitical issues drive renewed cyberespionage campaign appeared first on CyberScoop.
Iranian hackers claimed Friday to have compromised the personal data of FBI Director Kash Patel, and the bureau confirmed that it knew of the targeting of Patel’s personal email.
The government-connected hacking group, Handala, previously claimed credit for hacking medical device maker Stryker, a boast that threat researchers considered credible.
“All personal and confidential email of Kash Patel, including emails, conversations, documents, and even classified files, is now available for public download,” Handala — also known as Handala Hack — said.
The group said it did so in response to the FBI seizing its domains and the U.S. government offering a $10 million reward for information on members of the group.
The FBI noted that Handala frequently targets government officials, and challenged elements of Handala’s claims, such as that it had brought the FBI’s systems “to its knees,” rather than Patel’s own email.
“The FBI is aware of malicious actors targeting Director Patel’s personal email information, and we have taken all necessary steps to mitigate potential risks associated with this activity,” the FBI said in response to questions from CyberScoop. “The information in question is historical in nature and involves no government information.”
The activist group Distributed Denial of Secrets published what it said was Patel’s email cache.
The FBI pointed to the State Department’s reward program seeking information on members of Handala.
“Consistent with President Trump’s Cyber Strategy for America, the FBI will continue to pursue the actors responsible, support victims, and share actionable intelligence in defense of networks,” it said. “We encourage anyone who experiences a cyber breach, or has information related to malicious cyber activity, to contact their local FBI field office.”
The post Iranian hackers, Handala, claim to compromise FBI Director Kash Patel’s personal data appeared first on CyberScoop.
SAN FRANCISCO — Four former National Security Agency directors shared varying concerns about a lack of earnest and widespread response to growing threats in cyberspace during a discussion at the RSAC 2026 Conference on Tuesday.
Accelerating threats posed by artificial intelligence, China and cybercriminals at large are testing the country’s resolve and determination to foster meaningful public-private collaboration, the former commanders of U.S. Cyber Command said.
While the four-star military officials remain confident in the country’s resources and people committed to defending the nation from cyberattacks, they voiced unease about challenges that could upend technological dominance and diminish a collective response to serious intrusions.
“I think we’ve become numb to it,” retired Gen. Paul Nakasone said. “We continue to see these different intrusions, and intrusions have gotten to a size that the scale is just incredible to me.”
The nation and industry aren’t keeping up with adversaries amid a brain drain across the U.S. government, the founding director of Vanderbilt University’s Institute of National Security said.
“We’ve lost ground with regards to our outreach to the private sector” within the Cybersecurity and Infrastructure Security Agency, the Joint Cyber Defense Collaborative and NSA’s Cybersecurity Collaboration Center, Nakasone said.
Retired U.S. Navy Admiral Mike Rogers also criticized the U.S. government for areas of inaction and decay. “I see a government that’s unwilling to expend political capital to really drive fundamental change in cyber, and it’s a reflection of the fact that politically we are so divided, and as a society we are so divided,” he said.
“We’re the largest economy in the world. We don’t have a single federal privacy framework. We don’t have a single major piece of cyber legislation,” Rogers added. “That frustrates the hell out of me.”
Retired Gen. Keith Alexander, the first chief of U.S. Cyber Command, said the key players remain committed and are working as hard as ever to combat cyber threats. Yet, he’s concerned about what the nation is doing to confront China and all the ways it could inflict harm, particularly in the realm of AI.
“We will be challenged in this area. We will fight in this area, and it will be both the government and you all helping to protect this country to ensure that we live through it,” Alexander said.
The U.S. government’s collaborative efforts with private companies provides an incredible intelligence advantage, said retired Gen. Tim Haugh. But, he warned, China has replicated similar capabilities and pre-positioned itself inside critical infrastructure networks.
Under his leadership, Haugh said he tried to encourage debate among policymakers to consider more offensive responses to China’s malicious cyber activities, particularly actions that might be equivalent to effects that would occur in armed conflict.
Frustration and mounting concern was palpable as the former NSA and U.S. Cyber Command bosses held court on stage together for the first time this week.
“We’re starting to accept this, in some ways, as the price of living in the digital age. And we have not yet had a level of trauma that has driven fundamental behavioral change,” Rogers said. “We haven’t had thousands die. I hope we never do, don’t get me wrong, but it seems like we just haven’t had a level of pain that’s fundamentally shifted the calculus.”
The post Former NSA chiefs worry American offensive edge in cybersecurity is slipping appeared first on CyberScoop.
The Federal Communications Commission’s move to ban foreign-made routers touches on a real threat, but critics say the agency rule is overly broad, practically unworkable and doesn’t meaningfully address weaknesses in router security that have led to major breaches on American governments and businesses.
Under the Secure Equipment Act and Secure Networks Act, the FCC may ban foreign technology manufacturers if they are deemed a national security risk. But the federal government has almost always opted to narrowly target specific foreign companies with known or problematic connections to foreign adversaries, like Chinese telecom Huawei or Russian antivirus firm Kaspersky Labs.
The restrictions announced Monday, however, simply ban all routers “produced in a foreign country” except those granted conditional approval by the departments of Defense or Homeland Security.
The order imposes a sweeping and immediate halt to the purchase of non-American routers and Wi-Fi services for government agencies and businesses, along with unanswered questions about where to buy next and what to do with the foreign devices already embedded in their networks.
In justifying the decision, FCC Chair Brendan Carr cited a March 20 White House-led interagency report that concluded foreign-made routers pose “unacceptable” risks to U.S. national security.
“Following President Trump’s leadership, the FCC will continue [to do] our part in making sure that U.S. cyberspace, critical infrastructure, and supply chains are safe and secure,” Carr said.
U.S. policymakers have worried about the potential cybersecurity risks of relying on technology and equipment from countries like China or Russia, where local laws compel domestic companies to cooperate in national security investigations and hand over sensitive data.
In 2024, members of Congress called for the Department of Commerce to investigate Chinese Wi-Fi and router makers like TP-Link, alleging the company’s “unusual degree of vulnerabilities and required compliance with [Chinese] law” amounted to an unacceptable national security risk.
Last year, five House Republican committee chairs urged Commerce Secretary Howard Lutnick to use the department’s authority “to eliminate products and services created by China and other foreign adversaries from domestic supply chains that are shown to have the potential to introduce security vulnerabilities.” An attached list of industries “needing immediate action” included routers and Wi-Fi, while mentioning TP-Link and Huawei as “Chinese or Chinese-controlled” entities.
While router insecurity is a major problem, it’s worth noting that American-made products are far from immune to foreign hacking. Major Chinese hacking campaigns, such as Salt Typhoon, succeeded not because of backdoors in Chinese-made tech but through the exploitation of known, previously reported vulnerabilities in U.S. and Western products.
One former U.S. intelligence leader told CyberScoop that country of origin matters more when you’re dealing with an adversary like China, which has national security and vulnerability disclosure laws that require Chinese router companies to disclose cybersecurity vulnerabilities to the government first.
But it’s not just Chinese routers, or those made by America’s direct rivals, that concern intelligence officials.
Even in a global, digitally connected world, proximity still matters. Foreign countries can more easily disrupt or infect the supply chain of neighboring or bordering countries that may rely on similar parts, components or internet infrastructure.
“Attackers have so many options with what can be done with router access. [It’s] even easier if you have the country that runs and accesses them in your backyard,” said the official, who requested anonymity to speak candidly.
Investors may be drawing similar conclusions. Notably, stocks for Asian router companies fell following the FCC announcement, while U.S. company NetGear, which does not rely on Chinese supply chains, saw its shares jump 12%.
The broad nature of the order — along with the ability to dole out exemptions to specific companies at will — effectively resets the regulatory relationship between foreign router companies and the U.S. government. Under it, each company with manufacturing operations in China or overseas would have to petition the FCC for an exemption to the rule.
The ambiguity behind what, specifically, a company would need to do to obtain an exemption could open the process up to potential abuse or political patronage, experts said.
A former FCC official told CyberScoop they were puzzled by the move, and questioned whether it was related to national security or if it would even pass legal muster in the courts.
Instead of adding targeted companies with foreign ties or a history of cybersecurity vulnerabilities to the list of banned providers — as the government has done and successfully defended in court in the past — the FCC instead sought to ban all foreign-made routers around the globe. That represents a potentially significant disruptive action to take in an environment where many businesses and governments today use TP-Link and other foreign companies for their internet needs.
The net effect is “actually creating a new federal program of conditional approvals” for foreign router companies, the FCC alum said, one that is so broad it would take a massive combined federal effort to effectively remove bad actors from the foreign supply chain.
“I have a hard time believing that this administration — given what we’ve seen at CISA and other agencies and the mass departures — will actually roll out a sophisticated and tailored program to adequately address this kind of huge swing of an entire base of consumer products,” said the official, who was granted anonymity to speak candidly.
The official pointed to an attempt earlier this year by the FCC to ban imports of foreign drone components, saying there were similar “big swing” parallels to the legal rationale here. The drone ban is currently being challenged in court, and the official said they expect the FCC’s router order to be subject to similar lawsuits from companies.
Earlier this month, Carr also proposed new regulations that would place English language requirements on offshore call centers and asked the public for insight on potential policies to “encourage” companies to set up U.S.-based call centers, “including limits on call volume from overseas call centers.”
Carr said the FCC was also “opening up a new front in our efforts to block illegal robocalls from abroad by examining the targeted use of tariffs or bonds.”
The former FCC official said Carr’s prioritization on novel application of tariff authorities while discussing the implementation of two laws — the TRACED Act and the Truth In Caller ID Act — that are unrelated to trade makes it impossible to disentangle the agency’s genuine national security concerns from the Trump administration’s broader attempts to gain leverage over foreign companies in their trade fights.
“Those are weird kind of random hops that seem to be in response to this broader picture of the big tariff decision that came out,” the official said.
The post Critics call FCC router rule a ‘big swing’ that could create more supply chain uncertainty appeared first on CyberScoop.
Login