
One House Democrat is pressing Commerce on the government’s spyware use

A House Democrat who’s been at the forefront of congressional efforts to scrutinize the federal government’s use of commercial spyware wants the Commerce Department to brief Capitol Hill amid apprehension that the Trump administration might further embrace the technology.

Rep. Summer Lee, D-Pa., sent a letter to the department Thursday seeking a briefing on several developments stemming from Immigration and Customs Enforcement acknowledging its use of Paragon’s Graphite spyware, as well as an American company purchasing a controlling stake in Israel’s NSO Group. The Commerce Department sanctioned NSO Group under former President Joe Biden after widespread abuse allegations, including eavesdropping on government officials, activists and journalists.

“The Trump Administration appears to be broadly receptive to using commercial spyware to infiltrate cell phones and allowing U.S. investment in sanctioned spyware companies like NSO Group,” Lee wrote in her letter to Commerce Secretary Howard Lutnick, which CyberScoop is first reporting.

NSO Group’s new executive chairman, David Friedman, is a former Trump ambassador to Israel and was his bankruptcy attorney. He said in November that he expects the administration will be “receptive” to using NSO Group tech.

“Given those close ties between NSO Group and the Trump Administration, and the serious concerns about how NSO’s technology could be used to spy on Americans, we write to request information regarding the purchase of NSO Group by an American company and the potential usage of NSO Group spyware by federal law enforcement,” wrote Lee, who sits on the Oversight and Government Reform panel and is the top Democrat on its Federal Law Enforcement Subcommittee.

Lee was one of the authors of a recent Democratic letter seeking confirmation of ICE’s use of Paragon’s Graphite, which ICE acknowledged. But the letter’s authors criticized the administration for not answering all of their questions, and expressed outrage at the use itself.

In her latest letter, Lee asked the Commerce Department to brief Oversight and Government Reform Committee staff about internal department deliberations, Commerce communication with the White House and any outside conversations — including with Friedman — about government use of NSO Group technology or any other commercial spyware, and American investment in NSO.

NSO Group “appears to view the Trump administration as friendly to its interests in the United States, pitching itself as a vital tool for the U.S. government to safeguard national security,” Lee wrote, citing company court filings that it “is reasonably foreseeable that a law enforcement or intelligence agency of the United States will use Pegasus.”

The Biden administration sanctions, and court losses in a case against Meta, represented setbacks for NSO Group’s ambitions. And prior to the U.S. investment firm’s purchase of a controlling stake last fall, the Commerce Department under Trump rebuffed efforts to remove NSO Group from its sanctions list.

But the tens of millions of dollars worth of investment, following news that Israel had used Pegasus to track people kidnapped or murdered by Hamas, was a boon.

NSO Group maintains that its products are designed only to help law enforcement and intelligence fight terrorism and crime, and that it vets its customers in advance as well as investigates misuse. News accounts and other investigations have turned up a multitude of abuses.

There have been scattered reports of U.S. flirtation with using NSO Group technology. The FBI acknowledged it had bought a Pegasus license, but stopped short of deploying it. The Times of London reported that “it is believed” the Central Intelligence Agency used Pegasus spyware as part of a rescue mission last month for a U.S. airman downed in Iran.

You can read the full letter below.

The post One House Democrat is pressing Commerce on the government’s spyware use appeared first on CyberScoop.

Rep. Delia Ramirez takes over as top House cybersecurity Dem

Illinois Rep. Delia Ramirez is taking over as the top Democrat on the House Homeland Security panel’s cybersecurity subcommittee, replacing former Rep. Eric Swalwell after his resignation.

Committee Democrats approved the change Tuesday at a meeting prior to a “shadow hearing” without the GOP majority, focused on protecting elections from Trump administration interference.

Ramirez first won election to Congress in 2022 and was reelected in 2024. She has served as the vice ranking member of the committee since 2023. She is now the ranking member of the Subcommittee on Cybersecurity and Infrastructure Protection.

She has leveled criticisms during committee hearings about the Trump administration’s personnel cutbacks at the Cybersecurity and Infrastructure Security Agency, and was critical of how data was secured under the administration’s Department of Government Efficiency initiative led by Elon Musk.

“Under a Musk and Trump presidency, it’s clear that the security of Americans’ information is not a priority. I mean, a private civilian with no security clearance bullied his way into the Treasury, set up private servers, and stole sensitive information from an agency. If that isn’t a national security crisis, a cybersecurity crisis, then I don’t know what is,” Ramirez said at an early 2025 hearing. “The true threat to our homeland security is ‘fElon’ Musk, Trump, and their blatant misuse of power to steal information and coerce employees to leave agencies.”

She cosponsored legislation last year meant to strengthen the cybersecurity workforce by promoting measures to help workers from underrepresented and disadvantaged communities to join the field.

But she also had criticisms of U.S. cybersecurity under the Biden administration, including of Microsoft’s role in the SolarWinds breach.

In a statement about her appointment Tuesday, Ramirez took aim at Trump, Vice President JD Vance, Department of Homeland Security Secretary Markwayne Mullin and White House homeland security adviser Stephen Miller.

“It’s clear that the security of our communities’ information, federal networks, and critical infrastructure have not been priorities” under them, she said. “Between the security failures of DOGE, the abuses of immigrant families’ data, and the decimation of CISA’s workforce and resources, Republicans have demonstrated a lack of interest in safeguarding our nation’s cybersecurity and our residents’ civil rights and privacy. In neglecting necessary oversight, Republicans have deregulated emerging technologies, allowed bad actors to profit from violations of our civil rights, and consented to the weaponization of government systems. It is more critical than ever that we assert our Congressional authority and disrupt the blatant corruption making us all less safe.”

Swalwell left the position following his resignation from Congress as a representative from California amid allegations of sexual misconduct.

Her ascension completes a full leadership turnover for the subcommittee. Rep. Andy Ogles, R-Tenn., took over the gavel late last year after former chairman Andrew Garbarino, R-N.Y., took over as chairman of the full committee.

The subcommittee is set to hold a hearing Wednesday on CISA and its role as the sector risk management agency for a number of critical infrastructure sectors.

Updated 4/28/26: to include comment from Ramirez.

The post Rep. Delia Ramirez takes over as top House cybersecurity Dem appeared first on CyberScoop.

Network ‘background noise’ may predict the next big edge-device vulnerability

Attackers rarely exploit an edge-device vulnerability indiscriminately. Typically, they first test how widely the flaw can be used and how much access it can provide, then move on to steal data or disrupt operations.

Pre-attack surveillance and planning leave a lot of noise in their wake. These signals — particularly spikes in traffic hitting specific vendors — can act as an early-warning system, often preceding public vulnerability disclosures, according to research GreyNoise shared exclusively with CyberScoop prior to its release.

Roughly half of the activity surges GreyNoise detected during a 103-day study last winter were followed by a vulnerability disclosure from the same targeted vendor within three weeks, GreyNoise said in its report.

Researchers determined that the median warning of an impending vulnerability disclosure arrived nine days before the targeted vendor issued a public alert to its customers.

“Virtually every time we see large scale spikes in reconnaissance and inventory activity looking for a certain device, it’s because somebody knows about a vulnerability,” Andrew Morris, founder and chief architect at GreyNoise, told CyberScoop.

“Within a few days or weeks — usually within the responsible disclosure timeline — a new very bad vulnerability comes out,” he added.

GreyNoise insists that every day of advance notice matters, giving defenders an opportunity to defend against and thwart potential attacks before they occur.

The real-time network edge scanning platform spotted 104 distinct activity surges across 18 vendors during its study period. These embedded systems, including routers, VPNs, firewalls and other security systems, consistently account for the most commonly exploited vulnerabilities.

“Attackers love hacking security devices like security appliances. The irony of that is just not lost on me at all,” Morris said.

“It hasn’t gotten bad enough for us to start taking the security of these devices seriously,” he added. “It’s not bad enough for us to take it seriously enough to start ripping these things out and replacing them with new devices or new vendors.”

GreyNoise linked traffic surges to a swarm of vulnerabilities disclosed by vendors across the market, including Cisco, Palo Alto Networks, Fortinet, Ivanti, HPE, MikroTik, TP-Link, VMware, Juniper, F5, Netgear and others.

“It’s becoming scientifically empirical, and it’s becoming more like meteorology than mysticism,” Morris said. “This is like clockwork now.”

GreyNoise breaks these traffic surges down to measure intensity and breadth. Session counts indicate how hard existing sources are hammering a specific vendor and unique source IP counts demonstrate how widely new infrastructure is joining the activity, researchers wrote in the report.

“When both the intensity and breadth of targeting increase simultaneously, it signals a coordinated escalation,” the report said.

“When you see a session spike against one of your vendors and new source IPs joining at the same time, treat it as a high-confidence reason to look harder. When you see only an IP spike, do not assume a vulnerability is coming,” researchers added.
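As an added illustration (not GreyNoise’s code or data), the two-signal rule above applied to constructed scanner-sighting records: per vendor and day it measures intensity (total sessions) and breadth (source IPs never seen before against that vendor), compares each with the median of prior days, and only flags “high-confidence” when both spike together. The record format, the 3x threshold and the median baseline are assumptions made for the example.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample records (not GreyNoise data). One line per (day, targeted
# vendor, source IP) with the number of sessions that source opened that day.
SAMPLE_LOG = """\
2026-01-01 vendor=ExampleFW src=203.0.113.10 sessions=4
2026-01-01 vendor=ExampleFW src=203.0.113.11 sessions=5
2026-01-02 vendor=ExampleFW src=203.0.113.10 sessions=6
2026-01-02 vendor=ExampleFW src=203.0.113.12 sessions=4
2026-01-03 vendor=ExampleFW src=203.0.113.11 sessions=5
2026-01-03 vendor=ExampleFW src=203.0.113.13 sessions=5
2026-01-04 vendor=ExampleFW src=203.0.113.10 sessions=20
2026-01-04 vendor=ExampleFW src=198.51.100.1 sessions=15
2026-01-04 vendor=ExampleFW src=198.51.100.2 sessions=14
2026-01-04 vendor=ExampleFW src=198.51.100.3 sessions=11
2026-01-01 vendor=ExampleVPN src=203.0.113.20 sessions=5
2026-01-01 vendor=ExampleVPN src=203.0.113.21 sessions=5
2026-01-02 vendor=ExampleVPN src=203.0.113.20 sessions=6
2026-01-02 vendor=ExampleVPN src=203.0.113.22 sessions=4
2026-01-03 vendor=ExampleVPN src=203.0.113.21 sessions=5
2026-01-03 vendor=ExampleVPN src=203.0.113.23 sessions=6
2026-01-04 vendor=ExampleVPN src=198.51.100.20 sessions=3
2026-01-04 vendor=ExampleVPN src=198.51.100.21 sessions=3
2026-01-04 vendor=ExampleVPN src=198.51.100.22 sessions=3
2026-01-04 vendor=ExampleVPN src=198.51.100.23 sessions=2
"""

LINE_RE = re.compile(r"^(\S+) vendor=(\S+) src=(\S+) sessions=(\d+)$")

def parse_log(text):
    """Return {vendor: {day: {src_ip: sessions}}} from the record format above."""
    data = defaultdict(lambda: defaultdict(dict))
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of failing the whole batch
        day, vendor, src, sessions = m.groups()
        data[vendor][day][src] = data[vendor][day].get(src, 0) + int(sessions)
    return data

def daily_metrics(days):
    """Per day in date order: (day, total sessions, count of never-before-seen source IPs)."""
    seen, out = set(), []
    for day in sorted(days):
        srcs = days[day]
        new_ips = set(srcs) - seen      # breadth: new infrastructure joining in
        seen |= set(srcs)
        out.append((day, sum(srcs.values()), len(new_ips)))  # intensity: sessions
    return out

def classify(sessions, new_ips, base_sessions, base_new_ips, factor):
    """Both spiking together is the high-confidence signal; an IP spike alone is not."""
    session_spike = sessions >= factor * max(base_sessions, 1)
    ip_spike = new_ips >= factor * max(base_new_ips, 1)
    if session_spike and ip_spike:
        return "high-confidence"
    if session_spike:
        return "session-spike-only"
    if ip_spike:
        return "ip-spike-only"
    return "none"

def assess(text, factor=3.0, min_baseline_days=2):
    """Classify each vendor-day that has enough prior days, using their medians as baseline."""
    results = {}
    for vendor, days in parse_log(text).items():
        series = daily_metrics(days)
        results[vendor] = {}
        for i in range(min_baseline_days, len(series)):
            day, sessions, new_ips = series[i]
            base_sessions = median(s for _, s, _ in series[:i])
            base_new = median(n for _, _, n in series[:i])
            results[vendor][day] = {"sessions": sessions, "new_ips": new_ips,
                "verdict": classify(sessions, new_ips, base_sessions, base_new, factor)}
    return results

if __name__ == "__main__":
    for vendor, days in assess(SAMPLE_LOG).items():
        for day, r in days.items():
            print(f"{day} {vendor:<11} sessions={r['sessions']:>3} new_ips={r['new_ips']} -> {r['verdict']}")
```

In the sample, ExampleFW on the last day shows both signals and is flagged, while ExampleVPN gains several new source IPs with flat session volume and is only reported as an IP spike.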

The study bolsters other research from Verizon, Google Threat Intelligence Group and Mandiant — landing during what GreyNoise calls “the most aggressive period of edge device exploitation on record.”

This activity doesn’t happen in a vacuum and threat groups aren’t flooding edge devices with traffic for free or for fun, according to Morris.

“People tend to treat internet background noise like it’s this unexplainable phenomenon,” he said. “They’re clearly trying to test the existence of a vulnerability in order to compromise the systems.”

The post Network ‘background noise’ may predict the next big edge-device vulnerability appeared first on CyberScoop.

Security leaders say the next two years are going to be ‘insane’

SAN FRANCISCO — Every RSA Conference has its buzzwords. Cloud. Ransomware. Zero trust. Plastered across the 87-acre Moscone Center complex on every booth, banner and bar. This year was AI, with vendors pitching AI-powered solutions to every security problem imaginable. But 2026 stood out for a different reason: Industry leaders spent the conference warning about disruption from the very technology everyone was selling.

In an exclusive discussion with CyberScoop at this year’s conference, Kevin Mandia, founder of AI security company Armadin, Morgan Adamski, former executive director of U.S. Cyber Command, and Alex Stamos, a researcher and former chief security officer at several major technology companies, said the industry is entering what they described as an unprecedented two- to three-year period of upheaval, driven by AI systems that are discovering vulnerabilities exponentially faster than defenders can respond and threatening to render decades of security practices obsolete.

“We are just at the inflection point that is going to be pretty insane, at least two to three years,” Stamos said, describing a near-term future in which AI systems flood the threat landscape with working exploits while organizations struggle to patch vulnerabilities faster than attackers can weaponize them.

Mandia put the timeline more bluntly. “It’s a perfect storm for offense over the next year or two,” he said.

The core problem, according to the executives, is speed. AI has made vulnerability discovery almost trivial, while remediation takes time and effort, creating a widening gap that favors attackers across every stage of the kill chain.

“Because of the asymmetry in the cyber domain, where one person on offense can create work for millions of defenders, speed leverages that asymmetry,” Mandia said. “In the near term, there’s an advantage to the attackers as they start to use models and agents to do a lot of the offense.”

Bug discovery goes exponential

The shift is already underway. Stamos, who is currently chief security officer at Corridor, said foundation model companies are sitting on thousands of bugs discovered through AI-assisted analysis that they lack the capacity to verify or patch. 

“The exploit discovery has gone exponential,” Stamos said. “What we haven’t seen go exponential yet is plugging that into working shellcode that bypasses protections on modern processors. But maybe six months or a year from now” AI will be generating sophisticated exploits on demand.

He pointed to examples of AI systems discovering vulnerabilities in decades-old code that had been reviewed by thousands of developers and professional security researchers. In one case, he said, an AI system identified a flaw in foundational Linux kernel code that humans had overlooked for years.

“This superintelligent system was able to figure out a way to manipulate the machine into a place that, when you look at the bug, I’m not sure how a human could have found that,” Stamos said.

The pace of discovery is creating what Stamos called “a massive collective action problem.” Each successive generation of AI models could surface hundreds of new vulnerabilities in the same foundational software. “It’s quite possible that all this development we’ve done in memory-unsafe languages, without formal methods, that none of that is actually secure in the presence of superintelligent bug-finding machines,” he said. “In which case we need to be massively rebuilding the base infrastructure we all work on. And nobody is doing that.”

The timeline for when those capabilities become widely accessible is measured in months. When Chinese open-source models, like DeepSeek or Alibaba’s Qwen, reach current American foundation model capability levels, Stamos said, “you’re going to have every 19-year-old in St. Petersburg with the same capability” as elite vulnerability researchers.

Models trained on existing shellcode are already “reasonably good” at generating exploit code, he said, and may be capable of producing EternalBlue-level exploits within a year. That NSA-developed exploit, leaked in 2017, was used in the WannaCry and NotPetya attacks and remained effective for years because of how difficult such capabilities were to develop.

“Imagine when that becomes available on demand,” Stamos said.

Agents already operating beyond human scale

Mandia’s company Armadin has built AI agents capable of autonomous network penetration that he said would be devastating if deployed maliciously. Unlike human attackers who must manually type commands and wait for results, AI agents operate across hundreds of threads simultaneously, interpolating command outputs before they arrive and launching follow-on actions in microseconds.

“The scale and scope and total recall of an AI agent compromising you and swarming you is not humanly comprehensible,” said Mandia, who founded Mandiant and served as CEO from 2016 to 2024. “If the old way was a red team that would get in, there’s a human on a keyboard typing commands. That’s a joke compared to” what AI agents can do.

Those agents can evade endpoint detection and response systems in under an hour, he said, and operate at human speed to avoid rate-limiting detection mechanisms. Once inside a network, an AI agent can analyze documentation, packet captures and technical manuals faster than humans can read them, designing attacks tailored to specific control systems on the fly.

“When you build the offense, it scares the heck out of you,” Mandia said. “If we let the animal out of the cage today, nobody’s ready for it.”

He said Armadin recently tested a Fortune 150 company with a strong security team and found either remote code execution vulnerabilities or data leakage paths in every application tested. “Both of us were shocked,” he said.

The shift changes the fundamental question boards ask after penetration tests. Historically, directors wanted to know the probability a demonstrated attack would occur in the real world. “In the age of humans, you could never really answer,” Mandia said. “But with AI, it’s 100 percent. It’s coming and it’s going to get cheaper and more effective at the same time.”

Defenders face impossible timelines

The compression of attack timelines is colliding with organizational realities that are moving in the opposite direction. Adamski, who is now the U.S. lead for PwC’s Cyber, Data & Technology Risk business, said chief information security officers face pressure from boards to adopt AI rapidly, often with explicit goals of reducing headcount, even as compliance requirements remain unchanged and the threat landscape accelerates.

“CISOs are getting squeezed in that they cannot stop adoption because of demand from the board, from the CEO,” Adamski said. “None of the SOC 2 requirements have changed. ISO 27000, anything that helps people get through from a compliance perspective, all those rules are exactly the same.”

Stamos said patch cycles illustrate the mismatch. Where previously only sophisticated adversaries could reverse-engineer Microsoft’s Patch Tuesday updates to develop exploits, AI will democratize that capability. “You’re going to be able to drop the patch into Ghidra, driven by an agent, and come up with [an exploit],” he said. “Patch Tuesday, exploit Wednesday.”

Many CISOs are trying to bolt AI capabilities onto existing security operations, an approach the executives said is insufficient. “They’re not stepping back and looking at the bigger picture, that we have a fundamental, much more holistic problem in terms of how to reimagine and redo an entire cyber defense ecosystem that is solely driven by AI machine to machine,” Adamski said.

Avoiding Pandora’s box

The national security implications compound the problem. While other former government leaders talked at the conference about what they saw as the United States slipping in offensive cybersecurity, the three industry leaders spoke to what they believe nation-states have developed with the use of AI.

“I think we’re seeing less than 50 percent of the AI capability from modern nation-states right now,” Mandia said. “They’re not pressing. Nobody wants to be the first one to open that door.”

Stamos said the operational tempo favors U.S. adversaries. Russian intelligence services can observe and record data from the hundreds of businesses hit by ransomware daily, using that operational experience to train offensive AI models. “We don’t have that kind of operational pace in the U.S.,” he said.

Adamski said any AI capability the United States develops for offensive cyber operations carries inherent risks. “Anything you introduce, you’re introducing it to an ecosystem that they can use back at us,” she said.

Stamos said AI’s impact on cybersecurity will likely produce harmful consequences before other domains because the threshold for cyber operations is already low. “We allow on a Tuesday to happen in the cyber world what we would consider an act of war if it was in any other context,” he said. “I think this is where AI will be used first to hurt people, will be in cyber.”

Two years, maybe

The executives offered limited optimism that AI could also accelerate defensive capabilities, primarily by making security testing affordable at scale and enabling autonomous response systems. But the timeline for when defensive capabilities might catch up depends on immediate action.

“Two years if we’re good,” Stamos said. “Two years is the minimum if we actually start really fixing code and refactoring stuff into type-safe languages using formal methods.”

Mandia offered optimism “a few years out” if offensive AI built by defenders successfully trains autonomous defensive systems. But he acknowledged the current state is dire. Organizations will need autonomous systems capable of immediately quarantining anomalous behavior, he said, because traditional detection and response timelines will collapse.

“You’re not going to have time to call Mandiant on a Thursday afternoon, get people in, sign a contract,” Mandia said. “You’re going to have to be able to respond at machine speed.”

Stamos said defenders must assume they cannot patch their way out of the problem and focus instead on defense in depth, particularly around lateral movement and persistence, which remain more difficult for AI to automate than initial exploitation.

But even that assumes organizations have time to prepare. The executives suggested that window is closing rapidly, if it hasn’t already shut for good.

Adamski summed up the reckoning facing the industry: “AI is going to potentially make us pay for the sins of yesterday.”

The post Security leaders say the next two years are going to be ‘insane’ appeared first on CyberScoop.

Congressional leaders want an executive branch strategy on China 6G, tech supply chain

Congressional leaders are pressing federal agencies to provide more information on their plans to compete with China on a range of tech and cybersecurity issues, including a strategy for promoting American 6G telecommunications infrastructure and limiting Chinese tech in U.S. supply chains.

Representative Raja Krishnamoorthi, D-Ill., ranking member on the House Select Committee on the Chinese Communist Party, wrote to Secretary of State Marco Rubio last week asking for an update on the department’s work building international coalitions around 6G.

In the letter, dated Oct. 30 and shared exclusively with CyberScoop, he called for the department to share details on how it is fighting to shape international norms, global technical standards and supply chains in favor of U.S. and non-Chinese companies and technologies, saying “diplomacy can, and must, play a key role in this strategy.”

“While it remains essential that we continue to address the threats posed by the Chinese Communist Party’s efforts to dominate 5G, we must also look forward to how we can outcompete the CCP in the next frontier of wireless competition,” he wrote.

In an interview with CyberScoop, Krishnamoorthi called on Rubio to build on the work that prior administrations have done marshalling international consensus around 5G security and technical standards, while also learning from past mistakes, which allowed Chinese telecom companies like Huawei and ZTE to gain significant global influence.

“We have underestimated the impact of 5G and didn’t invest enough in our own innovative capacity, or push for domestic and trusted partners to produce that technology and be able to purchase from them,” he said.

Further, he said the U.S. failed to match Chinese efforts to shape international technical standards around 5G implementation, which allowed China to increase its global influence and set technology standards that benefit its own industries.

The country is already laying a similar groundwork to influence the 6G space: Krishnamoorthi noted that a group promoting Chinese technical standards has already signed an agreement with European industry associations to research 6G networks and services, while this past May an annual 6G global summit was, for the first time, hosted in China and sponsored by major Chinese entities like China Mobile, ZTE and the Hong Kong Communications Authority.

With 5G, “we didn’t recognize the power of…taking leadership in organizations that set standards with regard to our technology,” he said, something the U.S. can’t afford to repeat with 6G.

Further, Krishnamoorthi said Congress was able to come to a consensus on banning the use of tech from Huawei, ZTE and other Chinese telecoms in U.S. networks, but criticized the body for failing to properly set aside funds for the replacement of that equipment, which Chinese companies often sold at far cheaper prices than domestic alternatives.

The U.S. government created a regulatory environment where they “allowed everyone to buy whatever the heck they wanted to buy,” which often led U.S. networks to opt for much cheaper Chinese equipment.

“We came back and said you have to rip it all out, and we, the federal government, will try to provide resources to replace it,” he said. “We never came up with the resources to replace it, they ended up having to rip it out and now there are patches of the country without access to the type of broadband coverage that they deserve.”

Last year, Congress did approve $3 billion to fund rip-and-replace of Chinese technologies, but industry groups have long complained that the government’s initial tranche of funding for the initiative was insufficient.

Under the Biden administration, the U.S. reached international agreements with nine other countries – the United Kingdom, Australia, Canada, Czechia, France, Japan, South Korea, Sweden and Finland – on a set of principles for “Secure, Open and Resilient by Design” technologies and infrastructure around 6G.

The National Telecommunications and Information Administration also invited experts from the public to help map out a long-term strategy to support U.S. advancements in 6G telecommunications infrastructure.

The responses from industry, academia and tech experts emphasized the importance of fostering U.S. growth in Open Radio Access Network technologies (a critical gap in U.S. and Western supply chains), robust security and privacy frameworks, and AI integration.

Congressional Republicans are also scrutinizing how federal agencies are accounting for Chinese technology lobbying efforts on the world stage. A joint letter Wednesday from House Republican leaders on the House Homeland Security, CCP, Foreign Affairs and Intelligence Committees requested a briefing with Secretary of Commerce Howard Lutnick and pressed the department to “investigate and restrict adversary products in other critical and emerging industries to protect the U.S. market from technology threats,” particularly from China.

The members wrote that connected critical infrastructure has “whittled away geographic borders” and created new threats of foreign sabotage or control that U.S. policy must account for, including Chinese-made technologies in artificial intelligence, automated machinery and robotics, IoT devices, semiconductor cores and industrial SCADA software.

“We have already seen through a variety of cyber-attacks against the United States that China views information technology as a battlefield,” wrote Reps. Andrew Garbarino, R-N.Y., John Moolenaar, R-Mich., Bill Huizenga, R-Mich., Rick Crawford, R-La., and Brian Mast, R-Fla. “A compromised power grid, an infiltrated telecommunications network, or a manipulated industrial control system can pose as great a threat as a kinetic military strike.”

The post Congressional leaders want an executive branch strategy on China 6G, tech supply chain appeared first on CyberScoop.
