One House Democrat is pressing Commerce on the government’s spyware use

A House Democrat who’s been at the forefront of congressional efforts to scrutinize the federal government’s use of commercial spyware wants the Commerce Department to brief Capitol Hill amid apprehension that the Trump administration might further embrace the technology.

Rep. Summer Lee, D-Pa., sent a letter to the department Thursday seeking a briefing on several developments stemming from Immigration and Customs Enforcement acknowledging its use of Paragon’s Graphite spyware, as well as an American company purchasing a controlling stake in Israel’s NSO Group. The Commerce Department sanctioned NSO Group under former President Joe Biden after widespread abuse allegations, including eavesdropping on government officials, activists and journalists.

“The Trump Administration appears to be broadly receptive to using commercial spyware to infiltrate cell phones and allowing U.S. investment in sanctioned spyware companies like NSO Group,” Lee wrote in her letter to Commerce Secretary Howard Lutnick, which CyberScoop is first reporting.

NSO Group’s new executive chairman, David Friedman, is a former Trump ambassador to Israel and was his bankruptcy attorney. He said in November that he expects the administration will be “receptive” to using NSO Group tech.

“Given those close ties between NSO Group and the Trump Administration, and the serious concerns about how NSO’s technology could be used to spy on Americans, we write to request information regarding the purchase of NSO Group by an American company and the potential usage of NSO Group spyware by federal law enforcement,” wrote Lee, who sits on the Oversight and Government Reform panel and is the top Democrat on its Federal Law Enforcement Subcommittee.

Lee was one of the authors of a recent Democratic letter seeking confirmation of ICE’s use of Paragon’s Graphite, which ICE acknowledged. But the lawmakers, in addition to being outraged, criticized the administration for not answering all their questions.

In her latest letter, Lee asked the Commerce Department to brief Oversight and Government Reform Committee staff about internal department deliberations, Commerce communication with the White House and any outside conversations — including with Friedman — about government use of NSO Group technology or any other commercial spyware, and American investment in NSO.

NSO Group “appears to view the Trump administration as friendly to its interests in the United States, pitching itself as a vital tool for the U.S. government to safeguard national security,” Lee wrote, citing company court filings that it “is reasonably foreseeable that a law enforcement or intelligence agency of the United States will use Pegasus.”

The Biden administration sanctions, and court losses in a case against Meta, represented setbacks for NSO Group’s ambitions. And prior to a U.S. investment firm’s purchase of a controlling stake last fall, the Commerce Department under Trump rebuffed efforts to remove NSO Group from its sanctions list.

But the tens of millions of dollars’ worth of investment, following news that Israel had used Pegasus to track people kidnapped or murdered by Hamas, was a boon.

NSO Group maintains that its products are designed only to help law enforcement and intelligence fight terrorism and crime, and that it vets its customers in advance as well as investigates misuse. News accounts and other investigations have turned up a multitude of abuses.

There have been scattered reports of U.S. flirtation with using NSO Group technology. The FBI acknowledged it had bought a Pegasus license, but stopped short of deploying it. The Times of London reported that “it is believed” the Central Intelligence Agency used Pegasus spyware as part of a rescue mission last month for a U.S. airman downed in Iran.

You can read the full letter below.

The post One House Democrat is pressing Commerce on the government’s spyware use appeared first on CyberScoop.

Congress kicks the can down the road on surveillance law (again)

Congress extended a controversial surveillance law for 45 days on Thursday, hours before its latest expiration following an earlier extension.

The Senate passed — then the House cleared — a 45-day extension of Section 702 of the Foreign Intelligence Surveillance Act, which authorizes warrantless surveillance of foreign targets. But those targets are sometimes communicating electronically with Americans, and intelligence officials can search the database using their identifying information, which has long given privacy groups and privacy-minded lawmakers heartburn.

The 45-day reprieve gives lawmakers more time to hammer out a lasting deal, and comes after the leaders of the Senate Intelligence Committee agreed to send a letter to the Director of National Intelligence and attorney general, seeking swift declassification of a letter on a classified ruling from the Foreign Intelligence Surveillance Court.

Sen. Ron Wyden, D-Ore., had sought release of that opinion, and had resisted giving unanimous consent for the latest short-term extension to move forward until Senate Intelligence Chairman Tom Cotton, R-Ark., and top panel Democrat Mark Warner of Virginia agreed to send the letter.

A declassification review was already underway, but the Cotton-Warner letter states that “We expect that this declassification review will be completed and the FISC opinion released publicly within 15 days,” according to Wyden, speaking on the Senate floor.

The March 17 opinion reportedly came with annual recertification of the warrantless surveillance program. The Justice Department is appealing that ruling because it blocked them from using certain tools to analyze communications.

“A few weeks ago, the Foreign Intelligence Surveillance Court found major compliance problems related to the surveillance law known as section 702,” Wyden said earlier this month. “These compliance problems are directly related to Americans’ Constitutional rights.”

Senate Majority Leader John Thune, R-S.D., said the extension will give lawmakers additional room to hold “discussion on reforms.”

The House this week had passed a 3-year reauthorization with some changes to the surveillance program, but key to doing so was leadership’s agreement to attach legislative language on a separate matter that would ban a central bank digital currency. Thune had said that language was going nowhere in the Senate.

On Thursday, the House voted 261-111 to extend the law for 45 days. President Donald Trump has sought a “clean” 18-month reauthorization of the surveillance powers.

The extension continues a perennial ritual for the Hill when it comes to Section 702: A deadline looms, and Congress kicks the can down the road repeatedly.

U.S. companies hit with record fines for privacy in 2025

U.S. states issued $3.45 billion in privacy-related fines to companies in 2025, a total larger than the last five years combined, according to research and advisory firm Gartner.

The increase is driven in part by stronger, more established privacy laws in states like California, new interstate partnerships built around enforcing laws across state lines, and a renewed focus on how AI and automation affect privacy.

The data indicates that “regulators are shifting their efforts away from awareness to full scale enforcement,” marking a significant shift from even the last few years in how aggressively states are investigating and penalizing companies for privacy law violations.

“This is increasingly becoming the standard in 2026 and for the coming two years,” Gartner’s analysis concludes.

Privacy related fines have gone up significantly in recent years. (Source: Gartner)

The California Consumer Privacy Act had consumer privacy provisions go live in 2023, but for years enforcement was largely dormant. According to Nader Heinen, a data protection and AI analyst at Gartner and co-author of the research, that enforcement lag mirrors the way other major privacy laws, like Europe’s Global Data Protection Regulation, have been carried out in order to “lead with a bit of guidance” for companies while using enforcement sparingly.

But that era appears to be over. In 2025, the California Privacy Protection Agency has used the law to pursue violators across a wide range of industries — not just large conglomerates, but smaller and mid-sized companies in tech, the auto industry, and consumer products, including off-the-shelf goods and apparel.

Heinen said some businesses “weren’t paying attention” and may have been lulled into a false sense of complacency as regulators spun up their enforcement teams, leading to a harsh 2025.

“Unfortunately what happens when so much time passes between the legislation and starting enforcement regularly, is a lot of organizations let their privacy program atrophy,” he said.

States have also sought to combine their resources to target and penalize privacy violators across state lines. Last year, ten states came together to form the Consortium of Privacy Regulators, pledging to coordinate investigations and enforcement of common privacy laws around accessing, deleting and preventing the sale of personal information.

Beyond laws like the CCPA, states have been updating existing privacy and data-protection laws to more directly address harms from automated decision-making technologies, including AI. State privacy regulators are especially focused on how personal or private data is used to train AI systems and help them make inferences.

Gartner expects privacy fines to further increase in the coming years and Heinen said states will likely again lead the way on building the legal infrastructure to enforce data privacy in the AI age as they become the main conduit for lingering anxiety about the potential negative impacts of the technology.

“You have to put yourself in the position of these state legislatures,” Heinen said. “Their constituencies – the voting public – is telling them we’re worried about AI. AI anxiety is a thing. Everybody’s worried about whether AI is going to take their job or impact their capacity to find a job, so they want to see legislation in place to protect them.”

This past month, House Republicans unveiled their latest attempt to pass comprehensive federal privacy legislation with a bill that would preempt tougher state laws like those in California. In particular, the CCPA gives residents a private right of action – the legal right to sue companies directly – for violation of privacy laws.

On Monday, Tom Kemp, executive director of the California Privacy Protection Agency, wrote to House Energy and Commerce Chair Brett Guthrie, R-Ky., to oppose the bill, arguing it would provide “a ceiling” for Americans’ data privacy protections rather than a “floor” to build on.

“Preemption would strip away important existing state privacy provisions that protect tens of millions of Americans now,” Kemp wrote. “That would be a significant step backward in privacy protection at a time when individuals are increasingly concerned about their privacy and security online, and when challenges from data-intensive new technologies such as AI are developing quickly.”

Senators seek answers about hackers obtaining sensitive student data from ostensibly anonymous tip line

A bipartisan pair of senators want a company that operates a tip line for anonymously reporting school safety concerns to answer questions about hackers compromising sensitive student information.

Sens. Maggie Hassan, D-N.H., and Jim Banks, R-Ind., announced on Monday they’d sent a letter to the firm, Navigate360, about last month’s incident.

“We write to express significant concern about the risks to students, staff, and schools from a recent cyberattack on your company’s P3 Global Intel tip line,” they said in the April 24 letter. “We are particularly concerned by reports that the cyberattack exploited platform vulnerabilities in order to steal students’ highly sensitive personally identifiable information. We urge you to provide the public clarity regarding what data was stolen, how Navigate360 is responding, and what safeguards Navigate360 will put into place to prevent this from happening again.”

According to the company, more than 30,000 schools and 5,000 public safety agencies use Navigate360’s products. Hackers claimed to have purloined 93 gigabytes of data from the firm.

“Your company markets its product as an anonymous tip line,” Hassan and Banks said. “However, the personally identifiable information recently released by the hackers suggests otherwise. This puts the safety of students at risk and undermines public trust in using such platforms to report suspicious activity. Education and school safety experts have expressed concerns that, without guaranteed anonymity, students will choose not to report safety concerns.”

At the time of the alleged breach, Navigate360 CEO JP Guilbault said the company was working to determine if there was an incident and if there was, its extent. He did not confirm that sensitive information was released. The company did not immediately respond to a request for comment on the senators’ letter Monday.

A whopping 82% of K-12 schools said they experienced a cyber incident between July 2023 and December 2024, according to a report from the Center for Internet Security. The scale of cyberattacks on schools expanded during COVID-19. Hackers seeking student information usually have a financial motive, such as holding the information for ransom.

The hackers in the Navigate360 case were apparently motivated by hacktivism.

“Remember folks, don’t do the dirty work for the pigs,” they wrote. “Investigating crime is their job, not yours. They don’t care about you, they want convictions and prisoners to fuel the for-profit prisons.”

Hassan and Banks’ specific questions for Navigate360 included inquiries about its cybersecurity practices, what data was compromised, whether the tip line is fully anonymous and what kind of help the company has provided to school districts.

Latest spy power reauthorization bill leaves critics unimpressed

The latest attempt to re-up a controversial expiring surveillance law has failed to placate vocal critics on both the left and right of the political spectrum.

Two House votes failed last week to extend the spying powers under Section 702 of the Foreign Intelligence Surveillance Act (FISA) for 18 months without changes, leading to Congress instead passing a 10-day reauthorization. GOP leaders have since been scrambling to find a bill they can pass, with the April 30 deadline approaching.

House Speaker Mike Johnson, R-La., introduced a bill Thursday to extend it for three years, with a section stating that government officials can’t use Section 702 to target Americans. Under Section 702, U.S. spies and law enforcement agencies can warrantlessly search electronic communications of foreign targets. But those targets are sometimes communicating with U.S. persons, and officials can search the communications database using their personal information.

But critics of the latest Johnson proposal say the language about targeting Americans is window dressing.

“On the whole, it is an empty-calories bill and nothing more that does not engage in reform,” Jake Laperruque, deputy director of the security and surveillance project at the Center for Democracy and Technology, said in a call with reporters Friday.

Civil liberties groups have long called for a warrant requirement for U.S. person-based searches.

“It doesn’t require a warrant or any kind of court process for U.S. person searches,” said Kia Hamadanchy, senior policy counsel for the American Civil Liberties Union’s political advocacy division. “The main reform just restates existing law… . It’s also completely irrelevant to the issue at hand, because backdoor searches have never been the product of the government intentionally targeting U.S. persons under 702. The problem is that they are incidentally collecting U.S. person communications and searching the communications of Americans.”

Gene Schaerr, general counsel of the conservative Project for Privacy and Surveillance Accountability, called the proposal “smoke and mirrors.”

The legislation did win over at least one key lawmaker, however: Rep. Warren Davidson, who had earlier introduced an amendment to attach a ban on the government buying Americans’ information from third-party data brokers, and who was a chief co-sponsor of legislation requiring a warrant for U.S. person searches under Section 702.

“Collectively, this set of reforms provides robust privacy protections for American citizens. Congress should bank this win and reauthorize Section 702,” Davidson said on X. “Then, we should swiftly begin gutting the unmitigated surveillance state left growing unchecked during these 702 fights.”

But it doesn’t look like it has yet won over enough conservative House Freedom Caucus members, and few Democrats have been on board with Johnson’s plans.

Rep. Ted Lieu, D-Calif., indicated on X in harsh terms that he doesn’t trust FBI Director Kash Patel with current Section 702 powers.

CISA director pick Sean Plankey withdraws his nomination

Sean Plankey, the long-sidelined nominee to lead the Cybersecurity and Infrastructure Security Agency, asked President Donald Trump on Wednesday to withdraw his nomination.

“At this point in time, I am asking the President to remove my nomination from consideration,” he said in a notification letter seen by CyberScoop. “After thirteen months since my initial nomination, it has become clear that the Senate will not confirm me.”

Plankey’s request comes weeks after the Senate confirmed Markwayne Mullin to lead the Department of Homeland Security, CISA’s parent agency.

“The Nation and Department of Homeland Security Secretary Markwayne Mullin requires a confirmed director of CISA without further delay,” Plankey wrote, adding thanks to Trump himself. “While I humbly request the removal of my nomination, I wholeheartedly support President Trump’s upcoming nomination for CISA and look forward to the continued success of the United States of America.”

Plankey’s nomination was considered dead by most at the end of last year. His renomination this year caught many by surprise, with CBS reporting the paperwork filing was an accident. The White House denied that.

Numerous senators had placed holds on his nomination, including GOP senators who held him up over matters unrelated to cybersecurity. Most prominently, Sen. Rick Scott, R-Fla., had placed a hold on his nomination over a Coast Guard contract with a Florida company that DHS had partially canceled.

Plankey had been serving as an adviser to then-DHS Secretary Kristi Noem on Coast Guard matters. He retired from the Coast Guard last month.

While Plankey awaited confirmation, Bridget Bean, then Madhu Gottumukkala, served as acting director. Gottumukkala recently left the position for another at DHS amid widespread complaints about his leadership. Nick Andersen is currently serving as acting director.

Plankey told CyberScoop he had discussed withdrawing his nomination with Mullin. He said he has a “positive relationship” with Mullin and supported his leadership of DHS. And Plankey called Andersen “one of the most competent cybersecurity people in the country.”

Politico first reported Plankey’s withdrawal request. The White House and CISA did not respond to an official request for comment. When asked for a comment, a DHS spokesperson said the department doesn’t comment on personnel matters.

Plankey’s plans leave the agency with yet more upheaval. Trump has dramatically cut personnel and budget at CISA, with many top officials pushed out or otherwise departing. He has proposed deeper budget cuts still for fiscal year 2027.

Updated 4/22/26: to include DHS response.

House Republicans roll out national privacy bill

House Republicans unveiled on Wednesday Congress’ latest effort to tackle comprehensive digital privacy legislation for Americans.

The Secure Data Act would allow consumers to opt out of data collection for individual businesses for the purposes of targeted advertising, selling to third parties or for use in automated decisionmaking.

It would also require companies to inform consumers when their personal data is being collected or used, provide them with a portable version of that data, and give consent rights to parents over the data collection of teenagers.

“This bill establishes clear, enforceable protections so that Americans remain in charge of their own data and companies are held accountable for its safe keeping,” said Brett Guthrie, R-Ky., Chair of the House Energy and Commerce Committee, and Rep. John Joyce, R-Pa., who led a working group charged with developing the draft legislation, in a statement.

The draft bill also imposes new requirements on businesses and other organizations to limit their collection of personal consumer data to what is “adequate, relevant and reasonably necessary” and only for purposes that are disclosed to consumers in advance. They must also adopt new safeguards for customers’ personal data and disclose any third parties they share it or sell it to, including adversarial foreign governments like Russia and China.

The Federal Trade Commission would be given greater oversight of data brokers that buy, collect, repackage and sell personal data to the highest bidder. The draft bill requires data brokers to register with the FTC, comply with data minimization, disclosure and data security mandates, and creates a new national data broker registry.

Cobun Zweifel-Keegan, managing director at the International Association of Privacy Professionals, told CyberScoop that based on the released draft and conversations on the Hill, the bill most resembles privacy laws passed by Virginia or Kentucky (the home state of Guthrie) in recent years, with an emphasis on providing notice and opt-out rights to individual consumers and often tying business compliance to “reasonable” standards of evidence that they acted to protect consumer data.

At the same time, Zweifel-Keegan said it could potentially further empower the Federal Trade Commission and state Attorneys General to investigate and sanction bad actors.

The bill is the product of more than 16 months of internal discussion and consensus-building within the GOP majority. While drafting it, a working group led by Rep. John Joyce (R-Pa.) and other House Republicans solicited feedback from 170 organizations and received more than 250 responses from the public to a Request for Information released last year.

While they have worked to achieve consensus within their own caucus, House Republicans did not involve Democratic members in the working group or drafting process, something observers said could make it difficult to attract bipartisan support.

Zweifel-Keegan said that the Republican drafters of the bill “would challenge Democrats to explain why they can’t support the type of bill that has been passed in blue states.”

But he also noted that there are “plenty of ways that people will point to how it’s weaker than a lot of blue state privacy laws,” including federal preemption of more robust state privacy laws like those in California, the lack of a private right of action allowing individuals to sue companies directly and a mandatory 45-day “curing” period that allows companies in violation of the law to come into compliance and avoid formal sanctions.  

“I think the privacy working group and the leadership of the committee thinks there’s a pretty strong chance of passing it out of committee.” After that the bill’s chances are likely dependent on other factors, like getting some Democrats on board and working with “red state representatives who may not like their own laws being preempted.”

Shortly after the draft bill was released, Rep. Frank Pallone, D-N.J., ranking member on the House Energy and Commerce Committee, said he was opposed and accused House Republicans of having “lost the plot” on passing national privacy legislation.

“This Republican privacy bill protects corporations and their bottom line, not people’s privacy,” Pallone said in a statement. “We should be protecting the little guy with a bill that empowers consumers, not one that preempts consumer protections at the behest of Big Tech.”

Eric Null, director of the privacy and data project at the Center for Democracy and Technology, indicated that the Secure Data Act falls short, calling it full of “easily exploitable loopholes” that let companies “hide behind cookie banners and lengthy terms of service rather than establishing meaningful privacy protections.”

Null was also critical of the bill’s lack of substance around AI, saying that large language models pose significant privacy challenges today that will only worsen over time.

“Any federal privacy law discussed in 2026 should be future-proofed by protecting against growing AI-related privacy harms, namely by limiting data collection for AI training and preventing use of the technology to discriminate against protected classes, but this bill does neither sufficiently,” he said.

The American Civil Liberties Union also came out against the bill, with senior staff attorney Cody Venzke saying the GOP-led bill “places the onus on regular people” to sift through complex privacy policies created by businesses to request opt out or deletion of their data.

“And it leaves us without real recourse – even blocking us from going to court – if our requests go unanswered,” said Venzke in a statement.

In their joint statement, Guthrie and Joyce said they “look forward to working with our colleagues to build support for this bill and advance data privacy protections fit for our 21st century economy.”

Wyden warns Social Security chief: Trump’s voter database is ‘blatant voter suppression’

Sen. Ron Wyden, D-Ore., warned Social Security Administration chief Frank Bisignano that any follow-through on President Donald Trump’s executive order creating a new database of U.S. voters using agency data would be viewed by Democrats as a conscious choice on the part of SSA officials to participate in “blatant voter suppression.”

“Facilitating Donald Trump’s directive to create a flawed voter database would be willing participation in blatant voter suppression ahead of consequential midterm elections,” Wyden, the top Democrat on the Senate Finance Committee, wrote in a letter to Bisignano sent Friday.

The executive order, issued March 31, directs the Homeland Security secretary, the director of U.S. Citizenship and Immigration Services and the commissioner of the Social Security Administration to compile lists of American voters for each state, including their supposed citizenship status.

To build the lists, the agencies would rely on the controversial Systematic Alien Verification for Entitlements database that DHS has been building under the Trump administration, as well as Social Security and federal citizenship and naturalization records.

Those lists would then be transmitted to states, most of which have already rejected previous Trump administration efforts to collect voter data or dictate voter registration lists. Another section of the order would direct the postmaster general to develop a similar state-by-state list of voters eligible to vote by mail.

“The clear intent of this executive order is to undermine vote-by-mail and disenfranchise eligible voters,” Wyden wrote. “SSA has a duty to ensure its data is not misused as part of this effort.”

Wyden echoed numerous state officials and election experts in calling the Trump administration’s executive order an unconstitutional encroachment by the executive branch on election authorities that the U.S. Constitution clearly delineates to Congress and the states.

The White House’s executive order has already been challenged in lawsuits from state officials and voting rights advocates, and a previous, less ambitious executive order issued last year that attempted to assert similar executive branch authorities was largely overturned by U.S. courts.

Wyden’s missive essentially asks Bisignano to consider whether following the Trump administration’s order would conflict with his responsibility to safeguard Social Security records under laws like the Privacy Act and the Social Security Act.

He asks how the agency will ensure it’s not disenfranchising voters, and whether it sought permission from citizens to use their Social Security data for a federal elections list, noting that the agency’s own regulations limit the sharing of Social Security data to “routine use for determining eligibility or amount of benefit in a health or income maintenance program.”

Expanding the agency’s role to elections — an area it has no background or experience in — would be in direct conflict with those rules.

“Simply put, sharing Americans’ personal data to DHS for creating a ‘state citizenship’ list does not meet this standard,” Wyden wrote.

Treasury asks whether terrorism risk insurance program should bolster cyber coverage

The Treasury Department is soliciting public feedback on whether it should change a terrorism risk insurance program to address cyber-related losses.

In a Federal Register notice set for publication Wednesday, Treasury seeks comment from the public for a mandatory report it must deliver to Congress this summer on the effectiveness of the terrorism risk insurance program (TRIP) created by the 2002 Terrorism Risk Insurance Act. That law arose from the Sept. 11 terror attacks and provided a federal backstop to make terrorism risk insurance more available and affordable.

Some experts have suggested that the cyber insurance industry should also get a federal backstop as the industry struggles to develop fully. With the law set to expire at the end of 2027, tying it to the reauthorization of the terrorism risk insurance law could be one way to get Congress to create such a cyber backstop.

Among the topics Treasury hopes commenters will address before it sends the report to Congress in June is the interaction between the terrorism risk insurance law and program, and cybersecurity. The agency will accept comments until May 8.

That includes: “Any potential changes to TRIA or TRIP that would encourage the take up of insurance for cyber-related losses arising from acts of terrorism as defined under TRIA, including, but not limited to the potential modification of the lines of insurance covered by TRIP and revisions to any of the current sharing mechanisms for cyber-related losses, such as, for example, the individual insurer deductible or the federal share percentage.”

In 2021, Treasury issued a rule making it clear that TRIP could cover cyber losses when written in a TRIP-eligible line of insurance. However, a Government Accountability Office report last year outlined some of the limitations there.

“Because TRIA was designed specifically as a federal backstop for losses from acts of terrorism, only losses from cyberattacks certified by Treasury as acts of terrorism would have TRIA coverage,” it states. “As a result, even large cyberattacks that result in catastrophic losses would not be covered under TRIA if they were not certified as acts of terrorism.”

Treasury said in its Federal Register notice that it wants feedback on cyber-related terrorism losses within TRIP and losses outside of it.

Cyberattacks would need to meet definitions under the terrorism risk insurance law to be certified. They need to be violent or otherwise dangerous to life, property or infrastructure, and designed to influence the U.S. population or government. Damage to U.S. organizations outside the United States still might not qualify.

Medical device maker Stryker recently suffered a wiper attack, with the pro-Palestinian, Iranian government-linked group Handala taking credit. The group said the attack was in retaliation for U.S. and Israeli military strikes against Iran, specifically a U.S. missile strike on a school that killed 175 people, according to Iran’s government.

The post Treasury asks whether terrorism risk insurance program should bolster cyber coverage appeared first on CyberScoop.

U.S. robotics companies want federal help to keep Chinese robots out of America’s networks

Executives at top U.S. robotics companies asked Congress for federal dollars, new legislation and a simpler regulatory field, arguing the support is necessary to adapt to the AI era and compete with their well-oiled, state-funded Chinese competitors.

The U.S. robotics sector, estimated at $50 billion in value, includes world-famous companies like Boston Dynamics. The industry is projected to sell millions of robots across the country over the next four years.

According to a 2025 report from the International Federation of Robotics, the market has sold and installed an average of 500,000 robots between 2020 and 2024. China alone accounted for 54% of those installations, compared to just 9% for America.

Matthew Malchano, vice president of software at Boston Dynamics, told lawmakers in the House Homeland Security cyber subcommittee hearing Tuesday that robotics represent the necessary physical infrastructure to support the country’s efforts to dominate the global AI race, with robots, drones and other machines more fully integrating AI systems in the coming years.

He pointed to Chinese companies like Unitree, which are capturing market share with police departments and universities across the United States, despite contracting ties to the Chinese military and cybersecurity vulnerabilities like a wormable exploit found in 2025 that would allow an attacker to take over fleets of Unitree robots.

Malchano said Unitree is one of “dozens” of Chinese companies propped up by China’s national AI and robotics plan, which “envisions transforming virtually every major industry in China by integrating AI powered robots” through funding and favorable policies.

He pressed U.S. lawmakers for a similar national strategy, and stumped for the passage of the National Commission on Robotics Act, sponsored by Rep. Jay Obernolte, R-Calif., that would develop a bipartisan commission to drive it.

Max Fenkell, global head of policy and government relations at ScaleAI, said while the U.S. is winning the AI race on its chosen metrics – model quality and chips – it is “losing” on data and implementation.

Unlike large language models, which download training data straight from the internet, AI systems for robots will require unique training data gathered, categorized and labeled through thousands of hours of bespoke testing.

While China has pursued an “industrialized” training strategy in tandem with industry, funding mile-long stretches of warehouses dedicated to gathering training data for Chinese companies, the U.S. has no similar strategy.

“We’re seeing two different races play out and I fear right now the United States may be winning the wrong one,” he said.

Executives at the hearing were unanimous in suggesting Congress block U.S. federal agencies from purchasing Chinese-made robots and create a single federal regulatory standard for the industry, while Fenkell and Malchano asked for the Cybersecurity and Infrastructure Security Agency to conduct a security review of foreign-made robots.

At the hearing, Rep. James Walkinshaw, D-Va., noted a long history of bipartisan cooperation to help U.S. companies compete against state-subsidized Chinese firms. 

“With extensive state investment in technology companies and laws that enlist private companies to serve the interest of the government, the PRC’s military-civil fusion is a serious threat to our own national security,” said Walkinshaw.

AI-powered robots collide with the Trump administration’s thirst for data

As lawmakers weigh how best to position U.S. companies to compete with China, they must also grapple with the possibility that AI-powered robots could be hacked, manipulated or intentionally turned against the public.

Privacy and civil liberties experts have long expressed concerns about the use of robots in areas like policing, in certain military contexts and against American citizens.

The requests for more help from Washington come at the same time the U.S. government, including the military and Department of Homeland Security, has become markedly more aggressive under the Trump administration about tracking data on Americans and using force against U.S. citizens involved in immigration operations.

Companies like Boston Dynamics sell their robots to manufacturing facilities, semiconductor fabricators, energy plants, first responders, and the U.S. Secret Service. But they also sell them to police departments and the U.S. military, and an early version of the company’s viral “BigDog” quadruped model was created through the Defense Advanced Research Projects Agency at the Department of Defense.

Last year, Immigration and Customs Enforcement spent $78,000 for a Canadian robot that could perform tasks similar to those of Spot, another Boston Dynamics robot model, including deploying smoke bombs, according to Governing.

Last month, DHS finalized a $1 billion contract with Palantir to expand AI data analytics across the department to support immigration enforcement. The Coast Guard alone is investing $350 million in robotics and autonomous systems by 2028. 

Congressional Democrats are currently blocking funding for DHS over its immigration and data collection policies.

The post U.S. robotics companies want federal help to keep Chinese robots out of America’s networks appeared first on CyberScoop.

Congress looks to revive critical cyber program for rural electric utilities

The House Energy and Commerce Committee unanimously passed a package of bipartisan cybersecurity bills Thursday targeting the energy sector, including legislation that would reauthorize and fund a critical federal cybersecurity assistance program for rural electric utilities across the country.

The Rural and Municipal Utility Cybersecurity Act, introduced by Reps. Mariannette Miller-Meeks, R-Iowa, and Jennifer McClellan, D-Va., reauthorizes the Rural and Municipal Utility Advanced Cybersecurity program at the Department of Energy, which funnels hundreds of millions of dollars in federal grants and technical assistance every year to help rural utilities and cooperatives defend against cyberattacks and other threats.

The program was created through the 2022 Infrastructure Investment and Jobs Act and is widely viewed in the energy sector as a cybersecurity lifeline for badly underfunded electric utilities that would otherwise be a weak link in the nation’s energy cybersecurity or reliability.

Smaller utilities play a crucial role supporting the nation’s energy grids, but many lack sophisticated IT or cybersecurity operations. Industry officials say it’s not uncommon for some entities to have one or two IT or cybersecurity officials, if that. The bill approves $250 million in additional grant funding for the program over the next five years, part of which would go to implementing more modern cybersecurity technologies and enhancing information sharing.  

Speaking ahead of the vote, Miller-Meeks said her Iowa district’s electric cooperative must serve rate payers across 20 different counties and faces “the same threats as metropolitan systems but with fewer resources.”

“At a time when cybersecurity attacks on our critical infrastructure are escalating and we have not yet authorized an appropriations bill for DHS, small and rural utilities need resources to defend against nation state actors and sophisticated threats,” she said.

Ranking member Frank Pallone, D-N.J., leveled his own criticism, claiming that the reauthorization was “held up for countless months due to senseless delays” by Energy officials.

Another bill, the Energy Emergency Leadership Act, would move responsibility for the cybersecurity functions of the Office of Cybersecurity, Energy Security and Emergency Response under a single, Senate-confirmed assistant secretary.

The bill’s chief sponsor, Rep. Laurel Lee, R-Fla., directly cited reports of ongoing threats to the nation’s energy sector from Chinese state-sponsored hackers as a driver of the legislation.

“At the same time our electric grid faces an increasingly complex threat landscape, state sponsored threats like Volt Typhoon have actively targeted U.S. critical infrastructure, including our electric grid,” said Lee. “These are real and ongoing threats from foreign adversaries seeking to undermine our national security and economic stability.”

The committee also passed bills that require states to include cybersecurity in their energy plans, clarify the Secretary of Energy’s role promoting and coordinating cybersecurity of the nation’s oil and natural gas pipelines, and codify a pilot Energy Threat Analysis Center.

The post Congress looks to revive critical cyber program for rural electric utilities appeared first on CyberScoop.

The FBI’s cyber chief is using Winter SHIELD to accelerate China prep, threat intelligence sharing

The FBI’s cyber chief is prioritizing preparation for stepped-up Chinese threats, enhanced confrontation of adversaries in cyberspace and quicker intelligence sharing with industry as the bureau enters the second and final month of a unique cybersecurity awareness campaign.

Brett Leatherman, who took over as assistant director of the FBI’s cyber division last summer, listed those topics as his three top priorities in a recent interview with CyberScoop. At least two of them overlap considerably with the bureau’s current awareness campaign, Operation Winter SHIELD.

It’s the kind of thing that might normally be more expected to come out of the Cybersecurity and Infrastructure Security Agency, which once had its own shield-themed campaign, rather than the FBI.

“We’ve never done a media campaign like this before,” he said. “But while it’s atypical for a law enforcement agency to do this kind of technical media campaign, we thought it was incredibly important because it translates that law enforcement perspective [into] meaningful ways that industry can move the needle towards increased resilience across critical infrastructure, industry, government agencies and beyond.”

As part of the campaign, the FBI is highlighting 10 recommendations, like protecting security logs and implementing phishing-resistant authentication, that stem from the FBI’s incident response mission.

“The 10 recommendations that we’re making right now are not a surprise to many people out there who work or have cyber over the last few years, but it’s important that we also highlight that these 10 controls are the ways that we continue to see actors getting into Fortune 100 businesses and small to medium businesses in virtually 99% or greater of the investigations we run,” Leatherman said.

The campaign has involved localized events for industry, podcasts, international appearances, coordinated messages with cyber-focused companies and more. They sometimes emphasize different threats based on where they’re held, or specific cases that demonstrate how not following the 10 recommendations has led to a past real-life breach. 

In the Honolulu field office, for instance, the FBI held a cyber executive summit with critical infrastructure owners and operators and other key partners. There, the emphasis was on how Hawaii is a potential target of Chinese hackers, especially with the possibility of a People’s Republic of China invasion of Taiwan in 2027.

Securing 2027 is the first priority for Leatherman as assistant director of the cyber division. The idea is to “defend the homeland against an increased PRC targeting of the homeland,” should a China-Taiwan conflict have U.S. spillover.

Leatherman’s second priority is better contesting U.S. adversaries in cyberspace, with joint, sequenced operations — “technical operations through our lawful authorities to remove capacity and capability from the adversary.” That includes looking for ways to enhance those operations with AI.

And his third priority circles back to information sharing with industry. Leatherman said the FBI has some unique cyber threat intelligence capabilities and wants to share it more quickly, so it can have an immediate impact.

Leatherman said Winter SHIELD is meant to serve as a complement to CISA’s work and vice-versa. The international component of the campaign still has an eye on the homeland, he said. “We’re helping partners understand the Internet is so interconnected now, companies are international, and if you just do this work here in the homeland, you’re at risk of actors targeting your international operations and pivoting into U.S.-based work,” he said.

The second Trump administration’s approach to the FBI has raised concerns from Congress, former agents and elsewhere about whether the bureau’s cyber focus is being curtailed. The bureau has lost veteran leadership, and FBI data that a top Senate Democrat released points to personnel being shifted to immigration-related tasks, including those drawn from cyber work. The administration has also proposed budget cuts for the bureau.

And the FBI’s parent agency, the Justice Department, has shut down a team that combats cryptocurrency crimes amid industry backlash toward U.S. government actions in cases like Tornado Cash, which the Biden administration accused of abetting money laundering from ransomware outfits.

Leatherman said FBI Director Kash Patel and other bureau leaders have been strong backers of the FBI’s cyber mission.

“We have not moved resources from [the] cyber division,” he said. “We still have our virtual asset unit, we still have our Virtual Currency Response Team, all those teams responsible for tracking the stolen crypto from” North Korea.

“We’re doing regular tracing. We’re trying to seize that when we can,” he said. “We’ve increased our ability to target nation-state actors given the support of FBI leadership, so we have not moved resources off the threat and we continue to prioritize both threat actor pursuit and victim engagement.”

The post The FBI’s cyber chief is using Winter SHIELD to accelerate China prep, threat intelligence sharing appeared first on CyberScoop.

Senate moves one step closer to passing health care cyber reforms 

A key Senate committee moved to advance legislation that would overhaul cybersecurity practices at the Department of Health and Human Services.

The bipartisan Health Care Cybersecurity and Resiliency Act sailed through the Senate Health, Education and Labor Committee Thursday on a 22-1 vote, with only Sen. Rand Paul, R-Ky., opposing it.

The legislation, sponsored by committee chair Bill Cassidy, R-La., and Sens. Mark Warner, D-Va., John Cornyn, R-Texas, and Maggie Hassan, D-N.H., would require the Secretary of Health and Human Services to develop a cybersecurity incident response plan for the department and provide it to Congress for review.

It would direct the department to partner with the Cybersecurity and Infrastructure Security Agency on oversight of cybersecurity in the health care and public health sectors, create specific cybersecurity guidance for rural healthcare providers and develop a plan to boost cybersecurity literacy within the healthcare workforce.

Cassidy and other members cited the 2024 Change Healthcare attack as a major driver for the legislation, arguing the incident was emblematic of a sector that is under constant siege from cybercriminals, ransomware actors and nation-states.

“Last year there were more than 730 cyber breaches affecting over 270 million Americans [connected to] Change Healthcare, exposing 190 million people’s data and delaying access to care,” Cassidy said at the opening of the hearing.

Another provision would designate the Administration for Strategic Preparedness and Response at HHS as the Sector Risk Management Agency for the Healthcare and Public Health sectors.

Earlier this month, an HHS official from that office speaking at CyberTalks, presented by CyberScoop, said the Change Healthcare attack took many private and public sector defenders by surprise, underscoring how the compromise of a little-known third-party service provider concentrated within a single sector can still take down wide swaths of industry.

“It wasn’t a hospital, it was a company most people have never heard of and had major impacts on our sector and threatened the liquidity of our entire health care system,” said Charlee Hess, director of the healthcare and public health sector cybersecurity at the Administration for Strategic Preparedness and Response division. “We recovered from that, but we realized there are third-party risks lurking in our health care system, and we don’t even know they’re there. Where are those entities or systems that will have an outsized impact on our sector?”

The bill would update one of the sector’s main data protection laws, the Health Insurance Portability and Accountability Act, to ensure regulated entities use modern cybersecurity practices. It would also establish a new federal grant program to help hospitals, cancer centers, rural health clinics, the Indian Health Service, academic health centers and partnering nonprofit organizations adopt cybersecurity best practices.

“Cyberattacks in the health care sector can have a wide range of devastating consequences, from exposing private medical information to disrupting care in ERs – and it can be particularly difficult for medical providers in rural communities with fewer resources to prevent and respond to these attacks,” Hassan said in a statement.

The post Senate moves one step closer to passing health care cyber reforms appeared first on CyberScoop.

HHS burrows into identifying risks to health sector from third-party vendors

A Department of Health and Human Services official said Thursday that HHS is devoting a lot of attention to the security of third-party service providers after the 2024 Change Healthcare cyberattack.

That attack, which is widely regarded as the biggest ever in the sector — including by HHS’s Charlee Hess, who spoke Thursday at CyberTalks presented by CyberScoop — began with hackers exploiting the lack of multifactor authentication set up on a remote access portal at Change Healthcare.

“It wasn’t a hospital, it was a company most people have never heard of and had major impacts on our sector and threatened the liquidity of our entire health care system,” said Hess, director of the healthcare and public health sector cybersecurity at the Administration for Strategic Preparedness and Response division. “We recovered from that, but we realized there are third-party risks lurking in our health care system, and we don’t even know they’re there. Where are those entities or systems that will have an outsized impact on our sector?”

That realization arose from meetings between HHS and industry, she said. The focus on third-party service provider risk came next.

“We are going through and working through a methodology to identify that, and we’ve been working with industry on doing that, really finding where those places are,” Hess said.

The Change Healthcare breach, which exposed the data of 190 million people, has triggered other government responses, too, including on Capitol Hill.

It also prompted UnitedHealth Group, the parent company of Change Healthcare, to “start over” on its use of computer systems. But industry has also bristled at the notion of mandatory cybersecurity requirements on hospitals — in part because, they note, the Change Healthcare attack wasn’t their fault.

The post HHS burrows into identifying risks to health sector from third-party vendors appeared first on CyberScoop.

Acting CISA chief says DHS funding lapse would limit, halt some agency work

Another Department of Homeland Security shutdown would hamper the Cybersecurity and Infrastructure Security Agency’s ability to respond to threats, offer services, develop new capabilities and finish writing a key regulation, its acting director told Congress Wednesday.

Some of those activities would continue on a limited basis, while others would halt entirely, acting CISA leader Madhu Gottumukkala testified before the House Appropriations Subcommittee on Homeland Security.

“A lapse in funding would impede CISA’s ability to perform … good work,” he told the panel. “When the government shuts down, our adversaries do not.”

As lawmakers held the hearing, DHS was hurtling toward another potential shutdown as Democrats and Republicans clashed over Trump administration immigration policies and enforcement, with a focus most recently on the massive influx of DHS officers in Minneapolis, where those officers have killed multiple U.S. citizens.

Republicans said at the hearing the testimony should persuade Democrats to fund DHS, since its border operations are largely funded by last year’s budget reconciliation law and a shutdown would mainly harm DHS’s other agencies. Democrats said the hearing was “for show,” as they have put forward proposals to fund the rest of DHS as the immigration debate continues — and as 90% of DHS would continue operating under a shutdown, as the panel’s top Democrat, Henry Cuellar of Texas, asserted.

Gottumukkala said CISA planned to designate 888 of its 2,341 employees as “excepted,” meaning they could continue to work during a shutdown, albeit without pay.

“We will do everything we can to meet our mission during the shutdown,” he said. “Uncertainty and those missed paychecks are a serious hardship.”

CISA has reduced its personnel by a third under the second presidency of Donald Trump.

A shutdown “would delay deploying cybersecurity services and capabilities to federal agencies, leaving significant gaps in security programs,” Gottumukkala said in his written testimony. “CISA’s capacity to provide timely and actionable guidance to help partners defend their networks would be degraded.”

There’s a divide between activities CISA could continue in some capacity versus those they would have to shutter entirely during a funding lapse, he said.

“Limited activities include responding to imminent threats, sharing timely vulnerability and incident information, maintaining our 24/7 operations center, and operating cybersecurity shared services,” Gottumukkala said. “However, CISA would not perform any strategic planning, development of cybersecurity advice and guidance, or development of new technical capabilities.”

There would likely be delays in activities like issuing binding operational directives to federal agencies or completing the already-delayed regulations stemming from the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), he said. Those regulations would require critical infrastructure operators to report major cyber incidents to CISA, and work on them would be paused during a shutdown.

Gottumukkala’s testimony is the latest before Congress to focus on personnel at CISA. The chairman of the Appropriations subcommittee, Rep. Mark Amodei, R-Nev., chided Gottumukkala for what he said were delays in CISA providing a reorganization plan to the panel.

“We’ve been professional. We’ve been respectful,” Amodei said. “We expect exactly the same thing in return.”

The post Acting CISA chief says DHS funding lapse would limit, halt some agency work appeared first on CyberScoop.

GOP Congress moves to shape election law in Trump’s image

Republicans in Congress are moving ahead with two pieces of legislation this week that would dramatically reshape the nation’s election laws.

Together, the SAVE America Act and MEGA Act would shift key voter certification powers to the executive branch, require stricter proof of citizenship for voter registration, and allow states to more easily access federal immigration databases to track and remove “potential” or “suspected” noncitizens from voter rolls.

The SAVE America Act passed through the Rules Committee late Tuesday on a 9-4 partisan split, teeing up a full House vote on the bill. The bill would require voters to use a passport, birth certificate or REAL ID to register to vote and to prove their identity and citizenship in person.

Changes to the committee bill include a new section requiring states to send lists of all eligible voters to the Department of Homeland Security’s Systemic Alien Verification for Entitlements database and placing the Commissioner of the Social Security Administration at the head of a federal voter citizenship certification process.

Rep. Bryan Steil, R-Wis., said a manager’s amendment filed overnight would also exempt overseas military voters and their families from in-person identification requirements and make the law effective immediately.

Additionally on Tuesday, the House Committee on Administration held a hearing on another bill, the MEGA Act, also sponsored by Steil. That bill would discount all mail-in ballots received after the close of polls on Election Day, require the Attorney General to certify election funding for states, and authorize the AG to sue states that don’t comply with federal election requirements.

It would also allow private individuals to sue any election official “who registers an applicant to vote in an election for Federal office who fails to present documentary proof of United States citizenship.”

The data tells a different story

Steil cast counting ballots past Election Day as untrustworthy, comparing it to playing a corrupt card game.

“Imagine if you went to a casino and played cards and you’re playing with the dealer, and at the very end…the dealer says ‘You know what, I’m not going to flip over my cards for three or four days,’ ” he said. “You could be playing with the pope and you wouldn’t have a lot of confidence in exactly what is taking place.”

But the delays in counting ballots in three states in the 2020 election – Pennsylvania, Wisconsin and Michigan – had a clear explanation: state laws prevented election officials from processing mail-in ballots until Election Day or the day before, forcing them to prioritize in-person votes first before moving to mail-in ballots – which ended up leaning heavily Democratic.

New research from the Center for Election Integrity and Research released this week found that many claims of suspected noncitizen voting are wildly inflated when investigated. Executive director David Becker said the data gives “a very good sense of the depth of the problem” around noncitizen voting, which he called “infinitesimally rare.”

“President Trump’s own Department of Homeland Security has checked more than 49 million voter records, and they themselves admit that 99.98% of those records represented confirmed citizens,” Becker said in a statement. “In several states that are politically aligned with President Trump, the number of alleged noncitizen voters has precipitously dropped when subjected to scrutiny.”

Congressional Democrats unanimously opposed the bills, arguing they would disenfranchise legal voters in an effort to address a problem that post-election audits show is exceedingly rare.

Rep. Julie Johnson, D-Texas, said Congress must respect “the fundamental constitutional right of every citizen to cast a ballot.” That obligation would affect citizens without birth certificates or passports, married women who have changed their names, and voters with limited access to election offices where they must prove citizenship in person.

“The problem with this bill is you’re putting all these administrative burdens in place to keep citizens from voting,” she said, adding later that “it is un-American, unconstitutional, and just dead ass wrong.”

A decade of finger pointing 

It’s not clear what authorities or figures Steil was citing to justify the bill. For instance, approximately 98 percent of voters already cast their ballot on voting machines with a paper backup record.

Further, election experts don’t say winners must be declared on Election Day. Many argue the opposite: that calling races too early, or refusing to count ballots that are legally postmarked on Election Day but take days to arrive, can disenfranchise legitimate voters.

The MEGA Act has support from GOP-controlled states. Wyoming Secretary of State Chuck Gray told lawmakers Tuesday it would impose “baseline common sense standards” for elections nationwide. Gray also said he stood “in complete support of” President Trump’s March 2025 executive order on elections—though major sections of that order have since been struck down by courts for being unconstitutional. 

After the 2016 election, Republicans resisted national election administration laws, arguing states should control election administration.

Now, they face similar arguments about their legislative package.

Rep. Jim McGovern, D-Mass., said it was “preposterous that the same Republicans who spent their entire careers demanding that states – not the federal government, states – should run their elections are now suddenly begging for federal intervention.”

Karen Brinson Bell, who led North Carolina’s State Board of Elections until last year, warned that the bill’s rigid photo ID mandates would override current systems in most states, even those that already have voter ID laws. She also said the requirements would impose a one-size-fits-all approach on election systems that have diverse, locally driven needs.

“The needs of communities in Wyoming differ from those in Michigan and North Carolina,” Brinson Bell said. “Decentralized election administration is a feature, not a bug, of our democratic system.”

The post GOP Congress moves to shape election law in Trump’s image appeared first on CyberScoop.

Lawmakers wonder when Trump administration will weigh in on soon-to-expire surveillance powers

There’s a growing question on Capitol Hill as the expiration of sweeping U.S. government surveillance powers looms: Where is the Trump administration?

The Senate Judiciary Committee held a hearing Wednesday on the 2024 law that revised the surveillance authorities known as Section 702, a part of the Foreign Intelligence Surveillance Act. Advocates have said that information collected under Section 702 — under which national security officials controversially can use U.S. citizens’ personal information to query a database for collection of their electronic communications with foreign targets without a warrant — accounts for 60% of the intelligence included in the President’s Daily Briefing.

But no Trump administration witnesses testified at the hearing. Nor did any testify at a recent House hearing. Sen. Chris Coons, D-Del., said at Wednesday’s hearing that he wanted to scrutinize the changes to Section 702 under the 2024 law, which came in the wake of significant abuses of the authorities and is set to expire at the end of April.

“Today I had hoped to hear from witnesses about whether those reforms had been appropriately implemented and whether they’ve been effective, but I can’t ask those questions of officials from the government who are actually implementing those reforms because they’re not here,” he said. “We are three months from the expiration of Section 702, and the Trump administration, as best as I can discern, still has no official position on it. That is stunning.” 

“I think it’s unacceptable that with just 90 days [before expiration] the administration doesn’t know how it thinks about the program and has nobody here to explain or defend it,” Coons continued.

The top Democrat on the panel, Illinois Sen. Dick Durbin, also said he was “disappointed” the administration wasn’t at the hearing. When Durbin led the panel, he had administration witnesses appear before the committee six months before Section 702 was then set to expire at the end of 2023, and administration officials began a public push for renewal almost a year in advance of its sunset.

Frustration toward the Trump administration over its communication about Section 702 wasn’t just limited to committee Democrats. Chairman Chuck Grassley, R-Iowa, complained about how he and Durbin had written to Attorney General Pam Bondi about President Joe Biden and now Donald Trump not allowing — “despite a statutory mandate to do so” — panel members and staff to attend hearings of the Foreign Intelligence Surveillance Court that makes important decisions about the use of Section 702 authorities.

“We’ve yet to receive a meaningful response,” Grassley said.

Commenting on the administration’s absence, Grassley said Congress had a duty to consider reauthorizing Section 702 regardless of the administration’s views.

“If the administration would like to brief us in an open or closed setting, I will work to set it up,” he said. “In the meantime, the Senate Judiciary Committee needs to move ahead.”

Experts and other lawmakers have also observed the Trump administration’s relative quiet about Section 702. Trump himself has repeatedly thrown the stipulation’s future into turmoil during past renewal debates.

The National Security Agency referred a question about the administration’s views and discussions with Congress to the Defense Department. Spokespeople for the DOD, Office of the Director of National Intelligence, FBI, Justice Department and Central Intelligence Agency did not immediately respond to requests for comment.

During his nomination hearing to lead the FBI, Kash Patel testified on the importance of Section 702 authorities and not impeding them with a warrant requirement. As a member of Congress, Director of National Intelligence Tulsi Gabbard opposed renewal of Section 702, but has offered mixed signals since, including during her own nomination hearing.

The post Lawmakers wonder when Trump administration will weigh on soon-expired surveillance powers appeared first on CyberScoop.

Watchdog group sues for TSA data sharing agreement with ICE 

A nonprofit is suing the federal government for records surrounding a data sharing agreement between the Transportation Security Administration and Immigration and Customs Enforcement that saw domestic travel data used for immigration enforcement.

Government watchdog group American Oversight filed suit against the agencies Thursday in the U.S. District Court for the District of Columbia, a day after acting TSA Administrator Ha Nguyen McNeill told Congress that it was “absolutely within our authorities” to hand over passenger data to other agencies for immigration enforcement operations.

A New York Times report in December revealed that the data sharing partnership included the names and birth dates of passengers. According to the report, TSA sends ICE a list several times a week containing passenger data for upcoming flights, which ICE then checks against its own immigration records.

Under the Trump administration, the Department of Homeland Security and ICE have dramatically expanded immigration enforcement efforts to areas – like airports and schools – that have not been traditionally targeted by past administrations. The data sharing program between TSA and ICE was reportedly used in the high-profile detention and deportation of 19-year-old college student Any Lucía López Belloza from Boston’s Logan Airport over Thanksgiving 2025. A court later found that Belloza was illegally deported to Honduras.

American Oversight filed Freedom of Information Act requests seeking to learn what other information was passed along as part of the agreement, claiming “the full scope of the collaboration—including what other pieces of data are being shared, and whether U.S. citizens have been swept up in any enforcement actions—has not been disclosed.”

The group claimed that its initial requests were denied and that TSA and ICE stopped responding after the nonprofit filed an appeal under FOIA.

“As of the date of this Complaint, Defendant TSA has failed to notify…regarding American Oversight’s FOIA request, including the scope of responsive records Defendants intend to produce or withhold and the reasons for any withholdings,” the lawsuit states.

On Wednesday, Acting TSA Administrator Ha Nguyen McNeill defended the data sharing agreement to Congress as both legal and appropriate under the national security mandate of DHS.

While the Privacy Act prevents or constrains agencies from sharing information across different departments, that law doesn’t apply to what TSA and ICE are doing. Both are part of the Department of Homeland Security, and in many instances can legally share data with other component agencies, according to the National Immigration Law Center.

McNeill made a similar argument when pressed by Rep. LaMonica McIver, D-NJ, to explain what legal authorities TSA was relying on to share the data. She later promised to produce “the exact statute” that DHS was citing.

“We are acting within our absolute authorities,” said McNeill. “We are part of the DHS, it was a department set up by Congress to ensure these agencies aren’t operating in silos, and that’s what we’re doing today to advance the national security mission of the department.”

McIver disputed that characterization, noting “there is no law that forbids undocumented [people] from flying domestically within the U.S.”

“TSA’s mission is to secure transportation, not to assist ICE with immigration enforcement,” she said.

The post Watchdog group sues for TSA data sharing agreement with ICE appeared first on CyberScoop.

Lawmakers probe CISA leader over staffing decisions

The acting head of the Cybersecurity and Infrastructure Security Agency faced pointed questions from lawmakers Wednesday over CISA personnel decisions and staffing levels.

Members of the House Homeland Security Committee asked Madhu Gottumukkala about a reported attempt to fire the agency’s chief information officer, efforts to push out a large number of staff and whether CISA had enough people to do the job.

Gottumukkala at times sidestepped the questions, with the probing coming from both sides of the aisle. However, Democrats exhibited deeper worries about the agency’s workforce and its ability to do its job.

Cutbacks at CISA after employees were “bullied into quitting” — among other methods of reducing CISA’s size — have “weakened our defenses and left our critical systems and infrastructure more exposed, and the American people more vulnerable,” said Rep. James Walkinshaw, D-Va.

Said Chairman Andrew Garbarino, R-N.Y.: “This committee supports the administration’s goal of aligning department [of Homeland Security] resources towards urgent homeland security priorities. At the same time, workforce continuity, clear leadership and mission readiness are essential to effective cyber defenses.”

The extent of those CISA personnel reductions was something lawmakers wanted Gottumukkala to be exact about in his answers.

The top Democrat on the panel, Mississippi’s Bennie Thompson, entered a chart into the hearing record that showed the number of personnel had fallen from 3,387 before President Donald Trump’s inauguration to 2,389 by the middle of December, or a loss of 998 people. Those figures aligned closely with the numbers Gottumukkala gave in testimony.

Under questioning from Thompson, Gottumukkala said CISA’s attrition rate was 7.5% last year, a figure he said was lower than most agencies. Gottumukkala said the agency has “the required staff” to do its work, but Thompson said he was still awaiting an expected letter from Gottumukkala on workforce needs and wanted a more precise number on current vacancies.

Gottumukkala also wouldn’t say whether the agency had carried out a study to determine whether its staffing was sufficient. In response to questions from Garbarino, Gottumukkala said there were no further planned organizational changes at CISA.

“We recognize that a disciplined mission requires the right workforce — not a larger one, but a more capable and skilled one,” Gottumukkala said in his opening remarks.

Democrats pressed Gottumukkala repeatedly on whether any CISA personnel had been reassigned to working on immigration enforcement. Gottumukkala said that hadn’t happened during his time at the agency, a claim that contradicted published reports and that Democrats said was false. The chart Thompson referenced showed 65 employees being reassigned out of CISA.

At times, GOP lawmakers gave Gottumukkala backing on CISA personnel numbers. Rep. Andy Ogles, who chairs the panel’s cybersecurity subcommittee, said, “You’re doing more with less, and you’re doing it more efficiently.” Republican appropriators recently released a homeland security funding bill that would cut CISA’s budget from nearly $3 billion to $2.6 billion.

Responding to a report that Gottumukkala had tried to force out Robert Costello, the agency’s CIO, Gottumukkala said individual agency personnel “decisions are not made in vacuum. It is a leadership-level [decision] at the highest levels, and we work according to how we see the roles fit.” 

Garbarino told reporters after the hearing that “I don’t know whose decision it is making that personnel [move], but it was stopped, which is probably a good thing.”

Asked about a news story that he failed a counterintelligence polygraph test, Gottumukkala said that “I do not accept the premise of that characterization,” and any answer would have to be discussed in a closed hearing. Garbarino said he hoped an investigation into the polygraph incident would be settled soon.

Democrats repeatedly expressed frustration about Gottumukkala’s testimony. “You’ve managed to answer none of my questions,” Walkinshaw said.

Gottumukkala wouldn’t take questions from reporters after the hearing.

The post Lawmakers probe CISA leader over staffing decisions appeared first on CyberScoop.

Sean Plankey re-nominated to lead CISA

President Donald Trump re-nominated Sean Plankey to lead the Cybersecurity and Infrastructure Security Agency on Tuesday, after Plankey’s bid for the position ended last year stuck in the Senate.

It’s not clear whether or how Plankey’s resubmitted nomination will overcome the hurdles that left many observers convinced his chance of becoming CISA director had likely ended, but it does definitively signal that the Trump administration still wants Plankey to have the job.

Plankey’s nomination was included in a batch sent to the Senate announced on Tuesday.

CISA spent all of 2025 under Trump without a permanent director. Trump nominated Plankey, who held a couple cybersecurity roles in the first Trump administration, to lead CISA in March. He got a Senate Homeland Security and Governmental Affairs Committee hearing in July, then won approval from that panel that same month.

But Sen. Rick Scott, R-Fla., had placed a hold on Plankey’s nomination over a Coast Guard contract that the Homeland Security Department had canceled in part. While he awaited confirmation, Plankey had been serving as a senior adviser to the secretary for the Coast Guard.

A spokesperson for Scott did not immediately respond to a request for comment.

North Carolina’s GOP Senate delegation also had placed holds on DHS nominees related to disaster aid to their state. Sen. Thom Tillis, R-N.C., said last week that the holds would remain until Secretary Kristi Noem appeared before the Senate Judiciary Committee.

A White House official had denied reports that Plankey’s nomination was all but over last year.

“President Trump has been clear that he wants all of his nominees confirmed as quickly as possible, including Sean Plankey, who will play a key role in ensuring a strong cyber defense infrastructure,” the official told CyberScoop.

Asked Wednesday at the Surface Navy Association national symposium about what he was doing to convince senators to lift their holds, Plankey answered, “The administration, the White House has to say that this is a priority of us.

“The support, the priority that the White House puts on it is the priority that I’ll get in there,” Plankey said. “I’m doing the best I can to perform, to deliver for the country and I look forward to the Senate confirming me.”

Drew F. Lawrence contributed reporting to this story.

Updated 1/14/26: To include comment from Plankey.

The post Sean Plankey re-nominated to lead CISA appeared first on CyberScoop.
